By Sead Fadilpašić
Copyright techradar
GitHub is finally tightening up security around npm following multiple attacks
24 September 2025
GitHub aims to harden package publication
GitHub will enforce 2FA and deprecate legacy tokens to improve package publishing security
Trusted Publishing will expand, and token-based publishing will be restricted by default
Shai-Hulud worm breached npm, prompting removal of over 500 compromised packages
Following a number of recent high-profile attacks and hacking attempts against the npm ecosystem, GitHub has announced substantial changes to how packages are authenticated and published on the npm registry.
In a blog post, GitHub detailed changes to authentication and publishing, set to go live “in the near future”, with the aim of hardening package publication.
The announcement notes that the authentication and publishing options will be changed to include local publishing with required 2FA, granular access tokens with a seven-day expiration, and Trusted Publishing, in which a CI workflow publishes without any long-lived token at all.
Extra authentication and protection
Furthermore, GitHub announced it would deprecate legacy classic tokens and time-based one-time password (TOTP) 2FA, migrating users to FIDO-based 2FA. It will also shorten the expiration of granular tokens that carry publishing permissions, and disallow token-based publishing by default, steering maintainers toward Trusted Publishing or local publishing with enforced 2FA.
The option to bypass 2FA for local package publishing will be removed, while the list of CI/CD providers eligible for Trusted Publishing will be expanded.
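As an added illustration of what the Trusted Publishing path looks like in practice (this workflow is an example written for this page, not code from GitHub's announcement), here is a GitHub Actions workflow that publishes to npm via OpenID Connect instead of a stored token. The package and repository are placeholders; it assumes the package has already been configured on npmjs.com to trust this repository and this workflow file, and that the npm CLI in the job is recent enough to support trusted publishing.

```yaml
name: Publish to npm (Trusted Publishing)

on:
  release:
    types: [published]

permissions:
  contents: read
  id-token: write   # lets the job request an OIDC token that the npm registry verifies

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22

      # Trusted publishing relies on a recent npm CLI; older versions expect a token.
      - run: npm install -g npm@latest

      - run: npm ci
      - run: npm test

      # Deliberately no NODE_AUTH_TOKEN / NPM_TOKEN here: npm exchanges the workflow's
      # short-lived OIDC identity token for publish rights on the trusted package, so
      # there is no long-lived secret in repository settings for a worm to exfiltrate.
      - run: npm publish
```

On the npm side, the package's trusted publisher entry must name the exact repository owner, repository name and workflow filename used above; a mismatch is rejected rather than falling back to a token. The `id-token: write` permission is what makes the OIDC exchange possible, and `contents: read` keeps the job from having more GitHub access than it needs.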
“We recognize that some of the security changes we are making may require updates to your workflows,” GitHub explained.
“We are going to roll these changes out gradually to ensure we minimize disruption while strengthening the security posture of npm. We’re committed to supporting you through this transition and will provide future updates with clear timelines, documentation, migration guides, and support channels.”
Open source software is crucial to the software development industry, with organizations of all sizes, from enterprises to microbusinesses, drawing on a vast pool of high-quality code. The same reach makes public registries an attractive target for third-party and supply-chain attacks: one compromised maintainer account can push malicious code to every downstream consumer.
One example is the recent Shai-Hulud attack, in which a self-replicating worm infiltrated the npm ecosystem via a compromised maintainer account and harvested developer secrets from the machines that installed the infected packages.
The attack forced GitHub to remove more than 500 compromised packages, and to block the upload of new packages matching the indicators of compromise known at the time.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.