GitHub's commitment to npm ecosystem security
Blog post from GitHub
GitHub, as the steward of the npm registry, is prioritizing security by requiring two-factor authentication (2FA) for maintainers and admins of popular npm packages, starting with the top packages in early 2022, to combat account takeovers and malware incidents.

Recent security incidents include account takeovers that gave attackers unauthorized access to packages, and vulnerabilities that allowed unauthorized package publishing; both were addressed through more consistent authorization checks and infrastructure upgrades. In October 2021, a maintenance error exposed private package names and was promptly rectified, and a vulnerability reported in November 2021 was patched within six hours.

GitHub's ongoing investments in npm security include collaboration with the security community and the introduction of WebAuthn support, reflecting a commitment to strengthening the npm ecosystem's security and aligning with industry best practices for protecting the software supply chain.