The Attack That Changed Everything
The npm registry recently weathered one of its most sophisticated attacks. On September 14, 2025, the Shai-Hulud worm infiltrated the JavaScript ecosystem by compromising maintainer accounts. Unlike typical malware, this worm was self-replicating, using post-install scripts to turn trusted packages into attack vectors. GitHub moved quickly to remove over 500 packages, but the damage highlighted a harsh reality: current authentication methods are insufficient.
A New Security Roadmap
GitHub has announced immediate and drastic changes to secure the supply chain:
- Local publishing with mandatory 2FA: No more bypassing two-factor authentication for convenience.
- Granular tokens: Long-lived tokens are ending in favor of credentials with seven-day expiration limits.
- Deprecation of legacy tech: Classic tokens and Time-based One-Time Passwords (TOTP) are being phased out in favor of FIDO-based authentication (WebAuthn).
The Era of Trusted Publishing
The cornerstone of this new strategy is Trusted Publishing. This method removes API tokens from CI/CD pipelines entirely. Instead, the package registry verifies identity directly through the build environment (like GitHub Actions).
With no stored tokens, there are no secrets to steal. OpenSSF and GitHub now urge all maintainers to switch to trusted publishing immediately and audit existing tokens, as the ecosystem’s security is only as strong as its weakest link.
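As an added example (not code from the article, GitHub, or npm), this is the shape of a GitHub Actions release workflow that publishes through Trusted Publishing: the job requests a short-lived OpenID Connect (OIDC) identity token via `id-token: write` and the registry checks that token's repository and workflow claims, so no `NPM_TOKEN` secret exists to be stolen. The workflow name, trigger, Node version and the assumption that the package has already been configured on npmjs.com with this repository and workflow file as its trusted publisher are mine.

```yaml
# Added example (not from the article): GitHub Actions workflow publishing
# an npm package with Trusted Publishing. Assumes the package's trusted
# publisher on npmjs.com points at this repository and this workflow file.
name: publish

on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # allows the job to mint an OIDC token; this replaces a stored npm token
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      # Trusted publishing needs a recent npm CLI (assumption: 11.5.1 or newer).
      # Upgrading explicitly avoids falling back to token-based auth on an old runner.
      - run: npm install -g npm@latest
      - run: npm ci
      - run: npm publish --access public
        # Deliberately no NODE_AUTH_TOKEN here. The weak "before" this replaces
        # handed a long-lived secret to every job run:
        #   env:
        #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        # With OIDC, a compromised dependency or post-install script running in
        # another workflow has no registry credential to exfiltrate.
```

After switching, audit what is still outstanding with `npm token list` and revoke anything long-lived or unrecognised with `npm token revoke <id>`, since a migrated pipeline does not retire the tokens that were created before it.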
Source: How GitHub Plans to Secure npm - DevOps.com