GitHub to update npm authentication, publishing policies

Recent npm supply chain intrusions have prompted GitHub to disclose imminent plans to update publishing and authentication policies aimed at curbing token misuse and self-replicating malware, reports The Hacker News. Aside from implementing mandatory two-factor authentication for local publishing and short-lived granular tokens with a seven-day lifespan, GitHub is also mulling a "trusted publishing" workflow that allows secure package publishing directly from CI/CD pipelines via OpenID Connect. To implement these measures, GitHub plans to retire classic tokens and phase out time-based one-time password 2FA in favor of FIDO-based authentication. The company will also limit the lifespan of granular tokens with publishing permissions, disable token-based publishing by default to encourage either trusted publishing or 2FA-enforced local publishing, and remove the option to bypass 2FA for local package publishing. In addition, GitHub intends to expand the range of providers eligible for trusted publishing. "By combining self-replication with the capability to steal multiple types of secrets (and not just npm tokens), this worm could have enabled an endless stream of attacks had it not been for timely action from GitHub and open source maintainers," said GitHub's Xavier Ren-Corail.