GitHub will require 2FA for some NPM registry accounts

Billy Yann
Data Scientist
Deep learning and machine learning specialist, well-versed with experience in Cloud infrastructure, Block-chain technologies, and Big Data solutions.
December 22, 2021

Following recent security incidents affecting the NPM registry for JavaScript packages, GitHub will require 2FA (two-factor authentication) for the maintainers, comptrollers, and administrators of popular NPM packages. The npm registry is integral to all JavaScript development, and, as stewards of the registry, GitHub takes the responsibility of protecting it seriously. The two-factor authentication policy, intended to shield accounts from hijacking, will start in the first quarter of 2022 with a cohort of top packages, GitHub said in a bulletin published on November 15th. GitHub became steward of the registry after acquiring NPM in 2020.


Automated malware detection and requiring 2FA to combat maintainer account takeover

GitHub sometimes sees incidents on the registry where NPM accounts are compromised by malicious actors and then used to inject malicious code into popular packages to which those accounts have access. GitHub mentioned two incidents that point to the need for more stringent security. Examples include the recent takeovers of the ua-parser-js, coa, and rc packages. In some cases, these account takeovers involved NPM accounts on which 2FA was not enabled.

For the last couple of months, the NPM team has been investing in infrastructure and security improvements to automate the monitoring and analysis of newly published package versions, so that malware and other malicious code can be recognized in real time.

There are two major categories of malware publish events in the NPM ecosystem: malware that is published as a result of account takeovers, and malware that attackers publish through their own accounts. Although high-impact account takeovers are comparatively infrequent when contrasted with malware published directly from attackers' own accounts, they can be far-reaching when aimed at maintainers of popular packages. While detection and response time for popular-package takeovers has been as short as 10 minutes in the latest incidents, GitHub continues to evolve its malware detection capabilities and notification strategies toward a more aggressive response model.

GitHub said these detection capabilities do not solve the account security problems described above, which are central to improving the overall security of the NPM ecosystem. For this reason, GitHub will start to require two-factor authentication (2FA) during authentication for maintainers and administrators of top packages on NPM, beginning with a cohort of popular packages in the first quarter of 2022. GitHub is currently evaluating next steps to make sure that the strongest and most convenient authentication options, such as WebAuthn, are available and accessible to developers using NPM. Expect to see updates from GitHub on the measures taken to help developers adopt account security controls and adjust any impacted workflows.

Strong authentication and the use of two-factor authentication have been recognized as best practices for many years, and the IT security space is undergoing a substantial push toward zero trust architecture, which relies heavily on strong identity and user authentication. GitHub believes that software development ecosystems must keep pace with this push toward strong authentication as part of defending the software supply chain. The repercussions of not doing so, in an ecosystem as important as NPM, are extensive. GitHub intends to raise the bar for account security hygiene, and is determined to make strong account protection easier to achieve and to adopt the most recent standards for the NPM ecosystem.

Accessing GitHub using two-factor authentication

Two-factor authentication (2FA) is an additional layer of security used when logging into websites or apps. With two-factor authentication, you have to log in with your username and password and provide another form of authentication that only you know or have access to.

For GitHub, the second form of authentication is a code that is generated by an application on your mobile device or sent as an SMS. After you enable two-factor authentication, GitHub generates an authentication code any time someone tries to log on to your account. The only way someone can log onto your account is if they both know your password and have access to the authentication code on your phone.

Security challenges related to the NPM registry

As stewards of the registry, GitHub considers the security and trustworthiness of NPM vital. Below are the two latest security challenges affecting the NPM registry itself and the steps GitHub has taken toward remediation.

First, on October 26 GitHub identified a problem caused by routine maintenance of one of the publicly accessible NPM services. During maintenance on the database that powers the public NPM replica, records were generated that could expose the names of private packages. This briefly allowed users of that service to potentially identify the names of private packages from records published in the public changes feed. No additional information, including the content of these private packages, was accessible at any time.

Package names in the format @owner/package for private packages created before October 20 were exposed between October 21 13:12:10Z UTC and October 29 15:51:00Z UTC. Upon discovering the problem, GitHub immediately started work on implementing a fix and determining the scope of the exposure. On October 29, all records containing private package names were removed from the replication database. While these records were removed from the service on this date, the data on this service is consumed by third parties who may have replicated it elsewhere. To prevent this problem from happening again, GitHub has changed how it provisions this public replication database to make sure records containing private package names are not created during this procedure.

Second, on November 2 GitHub received a report through its security bug bounty program of a vulnerability that would allow an attacker to publish new versions of any NPM package using an account without proper authorization. GitHub quickly validated the report, started its incident response processes, and spotted the vulnerability within six hours of receiving the report.

GitHub determined that this vulnerability was due to inconsistent authorization checks and validation of data across the several microservices that handle requests to the NPM registry. In this architecture, the authorization service was correctly validating user authorization to packages based on data passed in request URL paths. However, the service that performs the underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file. This discrepancy provided an avenue by which a request to publish a new version of a package would be authorized for one package but would be carried out for a different, and possibly unauthorized, package. GitHub mitigated this issue by enforcing consistency across both the publishing service and the authorization service, so that the same package is used for both authorization and publishing.
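The following added example (not GitHub's or NPM's code) models the mismatch described above and the consistency check that closes it. The maintainer table, user names, package names, URL layout, and function names are all hypothetical.

```javascript
// Constructed ACL (hypothetical users and packages).
const MAINTAINERS = new Map([
  ["left-widget", new Set(["alice"])],
  ["@acme/core", new Set(["bob"])],
]);

// Authorization decision keyed on a package name.
function canPublish(user, packageName) {
  const owners = MAINTAINERS.get(packageName);
  return owners !== undefined && owners.has(user);
}

// Package name as carried in the request URL path (scoped names URL-encoded).
function nameFromPath(urlPath) {
  return decodeURIComponent(urlPath.replace(/^\//, ""));
}

// Inconsistent design: authorization is checked against the URL path,
// but the write targets whatever name the uploaded manifest declares.
function publishInconsistent(user, urlPath, manifest) {
  if (!canPublish(user, nameFromPath(urlPath))) {
    return { ok: false, reason: "forbidden" };
  }
  return { ok: true, published: manifest.name };
}

// Consistent design: the URL name and manifest name must agree, and that
// single name is used for both the authorization check and the write.
function publishConsistent(user, urlPath, manifest) {
  const name = nameFromPath(urlPath);
  if (typeof manifest.name !== "string" || manifest.name !== name) {
    return { ok: false, reason: "name-mismatch" };
  }
  if (!canPublish(user, name)) {
    return { ok: false, reason: "forbidden" };
  }
  return { ok: true, published: name };
}
```

A `name-mismatch` rejection is also a useful signal to log and alert on, since a legitimate client has no reason to send a manifest whose name differs from the request path.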

This vulnerability existed in the NPM registry beyond the timeframe for which GitHub has telemetry to determine whether it has ever been exploited maliciously. However, GitHub says with high confidence that this vulnerability has not been exploited maliciously during the timeframe for which GitHub has telemetry available, which goes back to September 2020.

Configuring two-factor authentication on your NPM account

Before you enable 2FA on your NPM user account, you must:

• Upgrade your NPM client to version 5.5.1 or higher.

• Install an authenticator application that can create one-time passwords on a mobile device that will always be accessible when you work in your NPM account. You can use applications such as Authenticator, Google Authenticator, or Microsoft Authenticator.

Configuring 2FA on the web

1. Sign in to NPM with your user account.

2. In the upper right corner of the page, click your profile picture, then select Account.

3. On the profile settings page, under "Two-Factor Authentication", click Enable 2FA. On the 2FA settings page, select the mode you would like to enable. For more information, see "Two-factor authentication modes on NPM".

4. Click Submit.

5. Open your authenticator application on your mobile phone and, on the 2FA page, scan the QR code with your phone.

6. On the recovery code page that opens, copy the recovery codes to your computer or another secure location that is not your second-factor device. Using a password manager to save your recovery codes is better. If you are unable to access your phone, you will need to enter a recovery code when prompted for a one-time password.

7. Click Go back to settings.


Whether it is safeguarding users on the registry from account takeovers with two-factor authentication, including NPM in the GitHub security bug bounty program, or partnering with the security community through the Open Source Security Foundation, GitHub has decided to continue investing in the security of NPM and the wider software supply chain. GitHub is also working on advancing its automated monitoring and analysis capabilities to identify malware and other malicious code as soon as it is published, across all existing accounts.