NPM Enabled Mandatory Two-Factor Authentication for Top 500 Most Popular Packages

The NPM repository has enabled mandatory two-factor authentication for the accounts of maintainers of the 500 most popular NPM packages. The number of dependent packages is used as the criterion of popularity. Maintainers of the listed packages will only be able to perform change-related operations on the repository after enabling two-factor authentication, which requires login confirmation using one-time passwords (TOTP) generated by applications such as Authy, Google Authenticator and FreeOTP, or hardware keys and biometric scanners that support the WebAuthn protocol.

This is the third step in strengthening NPM's security against account compromise. The first step was to migrate all NPM accounts that did not have two-factor authentication enabled to advanced account verification, which requires a one-time code sent by email when logging in to npmjs.com or performing an authenticated operation with the npm utility. In the second phase, mandatory two-factor authentication was enabled for maintainers of the top 100 most popular packages.

Recall that, according to a study conducted in 2020, only 9.27% of package maintainers used two-factor authentication to protect access, and in 13.37% of cases developers registering new accounts tried to reuse compromised passwords that had appeared in known password leaks. A check of the strength of the passwords in use gained access to 12% of NPM accounts (13% of packages) because of predictable and trivial passwords such as "123456". Among the problematic accounts were 4 belonging to maintainers of Top 20 packages, 13 whose packages are downloaded more than 50 million times a month, 40 with more than 10 million downloads per month and 282 with more than 1 million downloads per month. Given that modules are loaded along the dependency chain, compromising these weakly protected accounts could affect up to 52% of all modules in NPM.

Source: opennet.ru