GitHub, which owns the npm registry for JavaScript packages, says it is tightening security in response to recent attacks.
September has been a bad month for npm with phishing attacks on package maintainers and hundreds of packages infected by secret-stealing malware.
GitHub Security Lab lead Xavier René-Corail said that more than 500 compromised packages have been removed and others blocked from upload by security scanning.
René-Corail also described changes that he hopes will strengthen security. Many existing authentication methods will be removed "in the near future," including legacy classic tokens and one-time passwords for two-factor authentication (2FA). Token lifetimes will also be shortened, with a switch to trusted publishing and 2FA-enforced local publishing by default.
Th