The 2FA policy, intended to protect against account takeovers, will be put in place starting with a cohort of top packages in the first quarter of 2022, GitHub said in a bulletin published on November 15. GitHub became stewards of the registry after acquiring NPM in 2020.
GitHub periodically sees incidents on the registry where NPM accounts are compromised by malicious actors and then used to insert malicious code into popular packages where the accounts have access.
GitHub cited two incidents prompting tighter security.
Firstly on October 26, GitHub found an issue caused by routine maintenance of a publicly available NPM service. During maintenance on the database that powers a public NPM replica, records were created that could expose the names of private packages.
This briefly allowed consumers of the replica to potentially identify the names of private packages due to records published in the public changes feed. No other information, including content of the private packages, was accessible at any time.
Package names in the format of
@owner/package for private packages created before October 20 were exposed for a time between October 21 and October 29, when work began on a fix and on determining the scope of the exposure. All records containing private package names were removed from the
replicate.npmjs.com service on this date. Changes have been made to prevent the issue from happening again.
Secondly on November 2, GitHub received a report of a vulnerability that would allow an attacker to publish new versions of any NPM package using an account without proper authorisation. The vulnerability was patched within six hours after receipt of the report.