GitHub pushes two-factor authentication for NPM registry users

The level of security has increased for NPM registries for JavaScript packages at GitHub. The Microsoft subsidiary has just announced the implementation of a two-factor authentication policy for the maintainers and administrators of this registry. This security policy will be implemented from a cohort of first-level packages in the first quarter of 2022, specifies Github in a bulletin published on November 15. The platform became the ledger after acquiring NPM in 2020.

This decision follows two security incidents. The first was last October where GitHub discovered an issue caused by maintaining a routine of a publicly available NPM service. While maintaining the database that powers a public replica of NPM, records were created that could expose private package names. This briefly allowed replica clients to potentially identify private package names through records posted to the public change stream.

A flaw fixed in 6 hours

No other information, including the contents of private packets, was accessible at all times. Those, private, in @owner/package format and created before October 20 were exposed between October 21 and October 29, when investigation began on a fix and determination of the scope of exposure. All records containing private package names were removed from the replicate.npmjs.com service on this date. Changes have been made to prevent the issue from reoccurring.

The other incident took place on November 2. GitHub received a report of a vulnerability that offered an attacker the ability to release new versions of any NPM package using an account without proper authorization. The flaw was fixed within six hours of receiving the report.