Following a sophisticated attack on the npm ecosystem, GitHub now requires two-factor authentication for publishing from local environments. Classic tokens are also being phased out, and the use of ‘trusted publishing’ is being encouraged.
GitHub is introducing stricter measures for publishing packages to the npm registry. This follows the recent Shai-Hulud attack, in which attackers distributed malware through well-known npm packages using compromised accounts.
This is dangerous because npm packages are designed to be installed from the registry with a single command; anyone who injects malware into a popular package can therefore spread it quickly and at scale.
The attack of September 14, 2025, used a self-replicating worm that stole sensitive information, including npm tokens. GitHub removed more than 500 packages from the registry and blocked the spread of known malicious patterns.
Stronger Control
According to GitHub, the incident shows that stricter authentication and publishing controls are crucial for protecting the software supply chain. To prevent a recurrence, GitHub is mandating two-factor authentication (2FA) for publishing packages from local environments.
In addition to mandatory 2FA, support for classic tokens is being phased out. They will be replaced by granular tokens with limited permissions and a maximum validity of seven days. TOTP-based 2FA is also being phased out in favor of FIDO-based authentication via WebAuthn.
Furthermore, GitHub is removing the option to bypass 2FA when publishing from local environments. Publishing with tokens will be disabled by default, to encourage maintainers to switch to trusted publishing or to require 2FA for write actions. GitHub promises a gradual rollout with support and migration documentation to minimize the impact on existing workflows.
Trusted publishing – which removes the need for long-lived tokens in build systems – is already available for several package managers, including PyPI, RubyGems, and crates.io. GitHub wants to accelerate its adoption within npm.
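As an added illustration (not from the article or from GitHub/npm documentation), the following GitHub Actions workflow publishes a package with trusted publishing instead of a stored token. It assumes the package's trusted publisher on npmjs.com has been configured to point at this repository and this workflow file, and that the runner has an npm version that supports OIDC trusted publishing (a recent npm 11.x; version threshold is an assumption).

```yaml
# Added example: release workflow using npm trusted publishing (OIDC).
# The weak pattern it replaces is a long-lived token stored as a repository
# secret and exposed to every step of the job, e.g.:
#   env:
#     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # removed: nothing to steal
name: release
on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  id-token: write   # lets the job request a short-lived OIDC identity token

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      # In production, pin these actions to a commit SHA rather than a tag.
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      # Make sure the npm CLI is recent enough to perform the OIDC exchange
      # (assumption: the Node-bundled npm may be older than required).
      - run: npm install -g npm@latest
      - run: npm ci
      - run: npm test
      # npm exchanges the job's OIDC token for a one-time publish credential;
      # --provenance additionally attaches a signed build attestation so that
      # consumers can verify which repository and workflow produced the package.
      - run: npm publish --provenance --access public
```

If the trusted publisher on npmjs.com is not configured for this repository and workflow, the publish step fails rather than silently falling back to a token, which is the behaviour you want.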
With these measures, GitHub aims to restore trust in the npm ecosystem and prevent future attacks. Developers are advised to strengthen their security settings as soon as possible and transition to 2FA and trusted publishing.
