
GitHub Tightens NPM Security After Major Supply Chain Attacks

GitHub enhances NPM security with mandatory 2FA and expiring tokens to combat recent supply chain attacks like the Shai-Hulud worm.
Content Team

GitHub is implementing stricter security measures for the NPM registry following a series of devastating supply chain attacks over the past three months. The most severe incident involved the Shai-Hulud self-replicating worm, which compromised 195 packages and pushed over 500 malicious versions to the registry last week.

An earlier phishing attack compromised 18 packages maintained by Josh Junon (2.5 billion combined weekly downloads), and in July typosquatting attacks hit packages with 30 million combined weekly downloads.

GitHub's response includes mandatory two-factor authentication for local publishing, granular tokens expiring after seven days, and trusted publishing that eliminates long-lived tokens. The platform will also deprecate legacy authentication methods and gradually roll out changes to minimize workflow disruption.

Source: Security Week
