GitHub to remove weak security options for npm registry
Briefly

"GitHub security lab lead Xavier René-Corail said that more than 500 compromised packages have been removed and others blocked from upload by security scanning. René-Corail also described changes that he hopes will strengthen security. Many existing authentication methods will be removed "in the near future," including legacy classic tokens and one-time passwords for two-factor authentication (2FA). Token lifetimes will also be shortened, with a switch to trusted publishing and 2FA-enforced local publishing by default."
"Trusted publishing was first adopted by the PyPI package index and is designed for automated workflows. Using OpenID Connect, the package repository verifies that a package comes from a trusted source and issues a short-lived token, avoiding the risks of long-lived tokens that can be stolen. Currently npm trusted publishing only supports GitHub Actions and GitLab CI/CD (continuous integration and delivery) pipelines."
GitHub, which owns the npm registry, is tightening package publishing security after phishing attacks and malware infections hit hundreds of packages in September. More than 500 compromised packages have been removed, and further malicious uploads are being blocked by security scanning. Several legacy authentication methods, including classic tokens, will be removed, one-time passwords for 2FA will be phased out, and token lifetimes will be shortened. Publishing will shift by default toward trusted publishing and 2FA-enforced local publishing. Trusted publishing, pioneered by PyPI, uses OpenID Connect so that the registry verifies the CI job a package comes from and issues a short-lived token for that publish, rather than relying on a long-lived credential that can be stolen; npm currently supports it only for GitHub Actions and GitLab CI/CD. The rollout will be gradual to avoid breaking existing workflows.
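To make the trusted-publishing flow concrete, here is a small model of the exchange described above, added as an illustration and not code from npm, GitHub or The Register: a CI job presents an OIDC token, the registry checks its signature and claims against a per-package trust policy, and mints a short-lived, package-bound publish token. The HS256 signing, the audience string `npm:registry.npmjs.org`, the package and repository names and the 15-minute lifetime are assumptions for the demo; a real registry verifies GitHub's RS256 signature against the issuer's JWKS. The claim names `repository` and `workflow_ref` mirror GitHub Actions OIDC claims.

```python
"""Toy model of OIDC trusted publishing (added example, not npm's or GitHub's code).
HS256 stands in for the RS256/JWKS verification a real registry performs."""
import base64
import hashlib
import hmac
import json
import secrets

ISSUER = "https://token.actions.githubusercontent.com"  # GitHub Actions OIDC issuer
AUDIENCE = "npm:registry.npmjs.org"                     # assumed audience value
NOW = 1_700_000_000                                     # fixed clock; keeps the demo deterministic
ISSUER_KEY = b"demo-issuer-key"                         # constructed; stands in for the issuer's signing key


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue a compact JWT (HS256 for the demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Check the signature and return the claims; raise if the token was tampered with."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("OIDC token signature does not verify")
    return json.loads(_b64url_decode(body))


class Registry:
    """Registry side: trust policy in, short-lived publish token out."""

    def __init__(self, issuer_key: bytes, trust_policy: dict, token_ttl: int = 900):
        self.issuer_key = issuer_key        # stands in for the issuer's JWKS
        self.trust_policy = trust_policy    # package -> claim values that must match
        self.token_ttl = token_ttl          # publish tokens expire after 15 minutes (assumed)
        self.publish_tokens = {}            # token id -> (package, expiry)

    def exchange(self, oidc_token: str, package: str, now: int = NOW) -> str:
        claims = verify_jwt(oidc_token, self.issuer_key)
        if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
            raise PermissionError("token was not issued for this registry")
        if claims.get("exp", 0) <= now:
            raise PermissionError("OIDC token expired")
        policy = self.trust_policy.get(package)
        if policy is None:
            raise PermissionError(f"no trusted publisher configured for {package}")
        # Every pinned claim must match exactly: a fork, another repository
        # or a different workflow file is refused without any stored secret.
        for claim, required in policy.items():
            if claims.get(claim) != required:
                raise PermissionError(f"claim {claim!r} does not match the trusted publisher")
        token_id = secrets.token_urlsafe(16)
        self.publish_tokens[token_id] = (package, now + self.token_ttl)
        return token_id

    def publish(self, token_id: str, package: str, now: int = NOW) -> bool:
        entry = self.publish_tokens.get(token_id)
        if entry is None:
            return False
        bound_package, expiry = entry
        return bound_package == package and now < expiry


def ci_token(repository: str, workflow: str, now: int = NOW) -> str:
    """Constructed OIDC token of the kind a GitHub Actions job requests."""
    return sign_jwt({
        "iss": ISSUER, "aud": AUDIENCE, "iat": now, "exp": now + 300,
        "repository": repository,
        "workflow_ref": f"{repository}/.github/workflows/{workflow}@refs/heads/main",
    }, ISSUER_KEY)


def demo() -> dict:
    """Run the happy path and the refusals; package/repo names are constructed."""
    registry = Registry(ISSUER_KEY, {
        "@acme/widget": {
            "repository": "acme/widget",
            "workflow_ref": "acme/widget/.github/workflows/publish.yml@refs/heads/main",
        },
    })
    results = {}
    good = registry.exchange(ci_token("acme/widget", "publish.yml"), "@acme/widget")
    results["trusted_workflow_publishes"] = registry.publish(good, "@acme/widget")
    results["token_rejected_after_ttl"] = registry.publish(good, "@acme/widget", now=NOW + 901)
    results["token_bound_to_package"] = registry.publish(good, "@acme/other")
    for label, repo, wf in (("fork", "mallory/widget", "publish.yml"),
                            ("other_workflow", "acme/widget", "ci.yml")):
        try:
            registry.exchange(ci_token(repo, wf), "@acme/widget")
            results[f"{label}_refused"] = False
        except PermissionError:
            results[f"{label}_refused"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that nothing long-lived is stored on the publisher's side: the trust policy pins the repository and workflow file, the OIDC token lives minutes, and the publish token it is exchanged for is bound to one package and dies shortly after. Stealing the token from a finished job buys an attacker nothing.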
Read at The Register