GitHub Implements Mandatory Extended Account Verification in NPM

Due to the increasing number of cases in which repositories of large projects are hijacked and malicious code is distributed by compromising developer accounts, GitHub is introducing extended account verification for everyone. Separately, mandatory two-factor authentication will be introduced early next year for maintainers and administrators of the 500 most popular NPM packages.

From December 7, 2021 to January 4, 2022, all maintainers who have the right to publish NPM packages but do not use two-factor authentication will be switched to extended account verification. Extended verification requires entering a one-time code, sent to the account's email address, when logging in to npmjs.com or performing an authenticated operation with the npm utility.

Extended verification does not replace but only complements the previously available optional two-factor authentication, which requires confirmation with one-time passwords (TOTP). When two-factor authentication is enabled, extended email verification is not applied. Starting February 1, 2022, the migration to mandatory two-factor authentication will begin for the maintainers of the 100 most popular NPM packages with the largest number of dependencies. Once the first hundred have been migrated, the requirement will be extended to the 500 most popular NPM packages by number of dependencies.

In addition to the currently available two-factor authentication scheme based on one-time-password generator apps (Authy, Google Authenticator, FreeOTP, etc.), support for hardware keys and biometric scanners that use the WebAuthn protocol is planned for April 2022, along with the ability to register and manage multiple additional authentication factors.

Recall that, according to a study conducted in 2020, only 9.27% of package maintainers use two-factor authentication to protect their accounts, and in 13.37% of cases developers registering new accounts tried to reuse compromised passwords that appear in known password leaks. By testing password strength, the researchers were able to gain access to 12% of NPM accounts (13% of packages) because of predictable and trivial passwords such as "123456". Among the problematic accounts were 4 belonging to the Top 20 most popular packages, 13 whose packages were downloaded more than 50 million times a month, 40 with more than 10 million downloads per month, and 282 with more than 1 million downloads per month. Since modules are loaded along dependency chains, compromising these weakly protected accounts could affect up to 52% of all modules in NPM.
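As an added example (not from the article or the study it cites), the following Python models how a dependency-chain exposure figure like the 52% above is derived, and how mandating 2FA for the most-depended-upon packages shrinks it. The registry, package names and account names are constructed for illustration.

```python
from collections import deque

# Constructed sample registry: package -> (maintainer accounts, direct deps).
# All package and account names are hypothetical, not real npm data.
REGISTRY = {
    "core-utils":    ({"alice"}, set()),
    "http-client":   ({"bob"}, {"core-utils"}),
    "logger":        ({"carol"}, set()),
    "web-framework": ({"dave"}, {"http-client", "logger"}),
    "cli-tool":      ({"erin"}, {"web-framework"}),
    "crypto-lib":    ({"frank"}, set()),
    "standalone":    ({"grace"}, set()),
}
# Constructed: accounts without 2FA whose password appears in a leak corpus.
WEAK_ACCOUNTS = {"alice", "carol"}

def reverse_dependencies(registry):
    """Map each package to the packages that depend on it directly."""
    rdeps = {name: set() for name in registry}
    for name, (_, deps) in registry.items():
        for dep in deps:
            rdeps[dep].add(name)
    return rdeps

def dependents_of(rdeps, roots):
    """All packages reachable from `roots` by walking dependency edges upward."""
    seen = set(roots)
    queue = deque(roots)
    while queue:
        for dependent in rdeps[queue.popleft()]:
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen

def directly_exposed(registry, weak_accounts):
    """Packages a weakly protected account could publish a new version of."""
    return {name for name, (maintainers, _) in registry.items()
            if maintainers & weak_accounts}

def exposure(registry, weak_accounts):
    """Fraction of the registry reachable from weakly protected accounts."""
    rdeps = reverse_dependencies(registry)
    hit = dependents_of(rdeps, directly_exposed(registry, weak_accounts))
    return len(hit) / len(registry)

def top_by_dependents(registry, n):
    """Rank packages by transitive dependents (the 'top N' selection criterion)."""
    rdeps = reverse_dependencies(registry)
    score = {p: len(dependents_of(rdeps, {p})) - 1 for p in registry}
    return sorted(registry, key=lambda p: (-score[p], p))[:n]

def after_mandatory_2fa(registry, weak_accounts, n):
    """Weak accounts left once maintainers of the top-n packages enable 2FA."""
    covered = set().union(*(registry[p][0] for p in top_by_dependents(registry, n)))
    return weak_accounts - covered
```

In the constructed registry two weak accounts expose 5 of 7 packages; requiring 2FA for just the top package by dependents drops that to 3 of 7.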

Source: opennet.ru