GitHub Declares War on Hackers and Changes the Game

New publishing mechanism will permanently remove humans from the trust chain.

GitHub has announced sweeping changes to the authentication and package publishing system on npm, aimed at bolstering defenses against software supply chain attacks. The updates were prompted by the recent "Shai-Hulud" campaign—a malicious, self-propagating worm that was embedded in hundreds of npm libraries. It not only duplicated itself into other packages but also scanned developers' devices for sensitive data, including keys and tokens, and transmitted them to attackers.
In response to the incident, GitHub stated that it will soon phase out legacy authorization mechanisms and implement stricter control measures. Key innovations include:
- The mandatory use of two-factor authentication for local publishing.
- A transition to short-lived tokens with a maximum lifespan of 7 days.
Furthermore, the use of the Trusted Publishing system, based on the OpenID Connect protocol, which allows packages to be published directly from CI/CD without tokens, will be actively promoted.
The transition to the new system will include the following changes:
- Retirement of classic tokens previously used for publishing.
- Phasing out TOTP as a 2FA method, transitioning to physical FIDO-compatible security keys.
- Limiting the lifespan of granular tokens, especially those granting publish rights.
- Blocking publishing using tokens by default—preference will be given to either trusted publishing or manual uploads with 2FA.
- Removal of exceptions that allowed bypassing two-factor protection for local publishing.
- Expanding the list of CI/CD providers compatible with Trusted Publishing.
The malware used in that campaign was capable not only of self-replication but also of stealing multiple types of secrets, so its impact extended far beyond the compromise of a single ecosystem. The company emphasizes that without the swift intervention of the community and its own response, the consequences could have been far more severe.
The new publishing model aims to reduce reliance on tokens as a single point of failure and increase the level of verification for every action related to package distribution. These measures are not only a response to a specific attack but also a strategic overhaul of the entire security system, based on the principles of least privilege and cryptographic verification.