NPM Enabled Mandatory Two-Factor Authentication for Top 100 Most Popular Packages

GitHub has announced that the NPM repository is making two-factor authentication mandatory for the 100 NPM packages that are included as dependencies in the largest number of other packages. Maintainers of these packages will now be able to perform authenticated repository operations only after enabling two-factor authentication, which requires confirming the login with a one-time password (TOTP) generated by an application such as Authy, Google Authenticator or FreeOTP. In the near future, in addition to TOTP, they plan to add support for hardware keys and biometric scanners that implement the WebAuthn protocol.

On March 1, it is planned to switch all NPM accounts that do not have two-factor authentication enabled to extended account verification, which requires entering a one-time code sent by e-mail when attempting to log into npmjs.com or to perform an authenticated operation with the npm utility. When two-factor authentication is enabled, extended e-mail verification is not applied. On February 16 and 13, a temporary trial launch of extended verification for all accounts will be carried out for one day.

Recall that, according to a study conducted in 2020, only 9.27% of package maintainers used two-factor authentication to protect access, and in 13.37% of cases developers tried to reuse passwords that had already appeared in known password leaks when registering new accounts. A check of password strength made it possible to gain access to 12% of NPM accounts (13% of packages) because of predictable and trivial passwords such as "123456". Among the problematic accounts were 4 belonging to maintainers of the Top 20 most popular packages, 13 whose packages were downloaded more than 50 million times a month, 40 with more than 10 million downloads per month and 282 with more than 1 million downloads per month. Taking into account the loading of modules along the dependency chain, compromising these weakly protected accounts could affect up to 52% of all modules in NPM.

Source: opennet.ru