GitHub Tightens npm Security with Mandatory 2FA and Other Measures

GitHub developers reported that they are working on a set of protective measures aimed at countering supply chain attacks, which recently led to several major incidents on the platform.

Over the past few months, there have been several large-scale attacks that began with the compromise of GitHub repositories and spread to npm. In early August, s1ngularity triggered the exposure of data from 2,180 accounts and affected 7,200 repositories, and in early September the malicious GhostAction campaign led to a mass compromise of secrets, including PyPI, npm, DockerHub, GitHub tokens, and Cloudflare and AWS API keys. And just last week, a self-propagating Shai-Hulud worm was discovered on npm.

Although GitHub engineers responded promptly to these incidents and helped minimize the damage, they acknowledge that proactive measures would have been more effective.

GitHub representatives report that they are already working on implementing the following measures intended to reduce the risks:

  • mandatory two-factor authentication (2FA) for local publishing;
  • enforced use of granular tokens with a 7-day expiration;
  • expanding and encouraging the use of trusted publishing;
  • phasing out classic tokens and TOTP 2FA (moving to FIDO-based 2FA);
  • shortening the lifetime of publish tokens;
  • changing the default publish access so that tokens are no longer needed;
  • removing the ability to bypass 2FA for local publishing.

These changes are expected to be rolled out gradually, with all necessary documentation and migration guides provided to minimize disruptions to existing workflows.

The developers strongly recommend using Trusted Publishing, already adopted in several ecosystems, as it eliminates the need to manage API tokens in build systems.

npm maintainers are advised to immediately switch to trusted publishing, enforce the use of 2FA for publishing and write operations, and use WebAuthn instead of TOTP for two-factor authentication.
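To make the recommendation concrete, below is an added example of what a token-free publish workflow looks like with trusted publishing; it is illustrative material written for this page, not a workflow from GitHub or npm. It assumes the package's trusted publisher has already been registered on npmjs.com for this repository and this workflow file (that registry-side step is what lets npm accept the job's OIDC identity), and that the npm CLI in the runner is recent enough to support trusted publishing (npm's documentation names 11.5.1 or newer, hence the upgrade step). Note what is absent: no `NODE_AUTH_TOKEN`, no long-lived secret stored in the repository.

```yaml
# Added example: publish an npm package via trusted publishing (OIDC), no API token.
# Assumes a trusted publisher for this repo + this workflow file is configured on npmjs.com.
name: Publish to npm (trusted publishing)

on:
  push:
    tags:
      - "v*"

# Least privilege at the workflow level; the job below requests only what it needs.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # required: lets the job mint the short-lived OIDC token npm verifies
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Trusted publishing requires a recent npm CLI (11.5.1+ per npm's docs).
      - run: npm install -g npm@latest

      - run: npm ci

      # No token anywhere: npm exchanges the job's OIDC identity with the registry.
      # With trusted publishing, npm also attaches provenance to the published version.
      - run: npm publish
```

The practical check for a maintainer is the negative one: if the workflow's `env` or the repository's secrets still carry an npm token, the token is the thing an attacker with repository or CI access would steal, and trusted publishing only pays off once it is removed. Because the OIDC token is bound to the repository and workflow that ran the job, a stolen CI token cannot be reused from elsewhere, which is the property the tokens listed in the GhostAction incident above lacked.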

The announcement stresses that ecosystem security is a collective responsibility, and developers should proactively take steps to reduce supply chain risks by using the available security options.

It’s worth noting that the RubyGems developers also announced enhanced security measures the other day. This ecosystem has also recently suffered from similar issues: in June, the platform saw malware impersonating Fastlane and stealing Telegram API data, and in August, 60 malicious packages were found that had been downloaded more than 275,000 times.

It is reported that until a new governance model is fully developed and the basic principles are established, admin privileges will remain solely with the Ruby Central team. The developers promise a transition to a more transparent model, in which the community will play a larger role in governance. However, for now many members of the Ruby community have viewed these actions as a blatant power grab.
