Developers of top 100 npm packages are required to use 2FA

npm packages and 2FA
Written by Emma Davis

Due to increasing attacks on the supply chain and hacks, the administrators of Node Package Manager (npm) decided to force the owners of the hundred most popular (by the number of dependencies) packges to use two-factor authentication.

The new security requirement went into effect on February 1, 2022.

For those maintainers who do not currently have 2FA enabled, their web sessions will be invalidated and they will need to activate 2FA before they can take any action on their accounts, including changing their email address or adding new maintainers to projects.the GitHub security team wrote in a blog post.

The npm developers were forced to take such measures due to increasing security problems. The fact is that malicious libraries often appear due to the fact that the accounts of their developers are hacked: they use too simple passwords, or the same passwords on different sites that leak into the network after third-party companies, sites and services are hacked.

It is worth noting that, according to the WhiteSource Diffend platform, over the past six months alone, more than 1,300 malicious packages have been detected in npm that steal credentials, cryptocurrencies, and so on.

GitHub emphasizes that over time, two-factor authentication will become mandatory for all users. The process that started this week with the owners of the top 100 most popular npm packages will soon continue to spread to the owners of the top 500 libraries. WebAuthn support for accounts will also come in the future.

The next major technology investment in npm is the implementation of WebAuthn support, allowing maintainers to use and benefit from the strong authentication provided by hardware keys and biometric devices. This is in addition to the one-time password (OTP) authentication that npm currently supports through the various applications available. We have a working prototype for registering and using security keys for 2FA for the npm website as well as for the CLI. We have just completed design work for updating our 2FA enrollment and management process, and engineering work to bring it into production began this week.reported on GitHub.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply