GitHub Introduces npm Security with Stronger Authentication and Trusted Publishing
Open source software powers much of today’s technology, enabling developers around the world to build and share tools, libraries, and applications.
However, the same openness that drives innovation also presents serious security challenges. Attackers regularly target package registries like npm to compromise accounts and inject malicious code.
In response, GitHub has announced significant updates to npm security, focusing on stronger authentication methods, short-lived tokens, and trusted publishing.
These changes aim to protect the open source community and safeguard the software supply chain.
In mid-September 2025, a self-replicating worm known as the Shai-Hulud attack infiltrated multiple popular JavaScript packages.
By hijacking maintainer accounts, the worm injected harmful post-install scripts into widely used libraries.
These scripts could steal secrets beyond npm tokens and propagate further attacks if left unchecked.
GitHub and open source maintainers responded swiftly by removing over 500 compromised packages from the registry and blocking uploads containing known indicators of compromise.
Despite these efforts, the incident revealed that legacy authentication and publishing practices are no longer sufficient to defend against sophisticated supply chain threats.
New Authentication Measures and Short-Lived Tokens
To prevent future breaches, GitHub will require two-factor authentication (2FA) for all local package publishing.
Maintainers must use FIDO-based WebAuthn instead of traditional time-based one-time passwords (TOTP). This shift will eliminate weaker 2FA methods and make account takeovers far more difficult.
In addition, npm will adopt granular access tokens with a maximum lifetime of seven days. These short-lived tokens limit the window of opportunity for attackers to misuse stolen credentials.
Legacy classic tokens will be deprecated, and any bypass options for 2FA during local publishing will be removed.
By default, new tokens will not have publishing permissions, encouraging the use of trusted publishing flows or enforced 2FA.
Trusted publishing offers a secure alternative to managing tokens within build systems.
Originally pioneered by PyPI in April 2023, this model uses identity providers and OpenID Connect (OIDC) to verify trusted workflows.
Since its initial release, trusted publishing has been added to RubyGems, crates.io, npm, and NuGet. GitHub plans to expand support for additional providers and broaden compatibility across ecosystems.
By adopting trusted publishing, maintainers can remove API tokens from pipelines and rely on identity-based proofs to authorize package releases. This approach greatly reduces the risk of token leakage and unauthorized publishing.
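As an added illustration (not part of GitHub's announcement or any npm project's own configuration), the workflow below shows what a token-free npm release via trusted publishing looks like in GitHub Actions. It assumes the package on npmjs.com has already been configured with this repository, this workflow file name and the `release` environment as its trusted publisher, and that the npm CLI used supports OIDC trusted publishing (the explicit upgrade step is included because the npm version bundled with Node may be older). The repository name, package name and environment name are placeholders.

```yaml
# .github/workflows/release.yml  (hypothetical example workflow)
name: Publish to npm via trusted publishing

on:
  release:
    types: [published]

permissions:
  contents: read       # only what checkout needs
  id-token: write      # lets the job request an OIDC token from GitHub

jobs:
  publish:
    runs-on: ubuntu-latest
    # The environment name must match the trusted publisher configured on npmjs.com.
    # Protecting it with required reviewers adds a human gate before release.
    environment: release
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Trusted publishing needs a recent npm CLI; the version bundled with Node may be too old.
      - run: npm install -g npm@latest

      # --ignore-scripts keeps third-party install hooks (the vector the Shai-Hulud worm
      # abused) from running on the release runner; run the project's own build explicitly.
      - run: npm ci --ignore-scripts
      - run: npm run build --if-present

      # No NODE_AUTH_TOKEN / NPM_TOKEN secret is set anywhere in this workflow.
      # npm exchanges the job's OIDC identity for a short-lived publish credential
      # and attaches a signed provenance attestation to the published version.
      - run: npm publish --provenance --access public
```

The notable property is what is absent: there is no long-lived registry token to rotate, leak from a log, or be exfiltrated by a compromised dependency, and the registry will only accept a release whose OIDC claims (repository, workflow file, environment) match the configured trusted publisher. Publishing from a developer machine remains possible but, under the changes described above, will require WebAuthn-based 2FA at publish time.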
GitHub acknowledges that these security enhancements may require updates to existing workflows.
To ease the transition, the company will roll out changes gradually and provide clear timelines, comprehensive documentation, migration guides, and dedicated support channels.
In the meantime, npm maintainers can take proactive steps by enabling trusted publishing, strengthening account and organization settings to require 2FA for all write operations, and configuring 2FA with WebAuthn.
Securing the software supply chain is a shared responsibility. By embracing robust authentication methods, short-lived tokens, and trusted publishing, developers can help build a safer open source ecosystem.
GitHub’s latest npm security investments mark a critical step toward protecting millions of projects and the global community that depends on them.