GitHub rolls out npm supply-chain publishing defenses and trusted publishing
Security Tool/Service
Summary
GitHub has rolled out staged publishing for npm, requiring a human 2FA challenge and explicit maintainer approval before a package becomes publicly installable. The update also adds --allow-file, --allow-remote, and --allow-directory controls for non-registry installs, extending explicit allowlisting beyond the registry path. GitHub says the changes are meant to improve software supply chain security amid ongoing open-source ecosystem abuse, including activity attributed to TeamPCP.
Related Happenings
GitHub data exposed after GitHub breach
Data Leak
First: 20.05.2026 11:14
Last: 20.05.2026 11:14
Sources 1
About this happening:
GitHub confirmed **exfiltration** of **internal repositories**, making private code and related content potentially available to outsiders. Attackers on the **Breached cybercrime...
GitHub internal repositories private-code leak claim
Data Leak
First: 20.05.2026 08:08
Last: 20.05.2026 08:08
Sources 1
About this happening:
GitHub is facing a claimed leak of **internal repositories** after **TeamPCP** said it had access to about **4,000 private-code repos** and tried to sell samples. The alleged expo...
Latest development: 21.05.2026 17:45
A malicious version of Nx Console 18.95.0 was uploaded to Visual Studio Marketplace and Open VSX on May 18, fetched an obfuscated payload, and harvested secrets from ~/.vault-token, /etc/vault/token, .npmrc, ghp_/gho_/ghs_ tokens, AWS metadata, and other local sources; GitHub said the poisoned VS Code extension led to unauthorized access to about 3800 internal repositories.
GitHub hit by network compromise
Incident
First: 20.05.2026 07:01
Last: 20.05.2026 07:01
Sources 1
About this happening:
GitHub is investigating unauthorized access to its internal repositories after a third party allegedly offered stolen material for sale on a cybercrime forum. The intrusion was li...
Latest development: 20.05.2026 13:45
GitHub detected unauthorized access tied to a poisoned Visual Studio Code (VS Code) extension on an employee device, removed the malicious extension version, isolated the endpoint, and began incident response to contain exposure across internal repositories.
rwl.angular-console (Nx Console) hit by network compromise
Incident
First: 19.05.2026 10:49
Last: 19.05.2026 10:49
Sources 1
About this happening:
The **Nx Console** extension **rwl.angular-console 18.95.0** was compromised on the **VS Code Marketplace**, exposing **developers** to a **credential-stealing** payload and suppl...
actions-cool/issues-helper hit by network compromise
Incident
First: 19.05.2026 08:28
Last: 19.05.2026 08:28
Sources 1
About this happening:
The **actions-cool/issues-helper** GitHub Actions supply-chain compromise let malicious tags run in **CI/CD pipelines**, causing **credential theft** and downstream account risk....
Timeline
23.09.2025 15:05
GitHub announces npm publishing defenses
Mitigation Patch Update
GitHub announced a gradual rollout of npm publishing defenses in response to recent supply-chain attacks that began with compromised GitHub repositories and spread to npm, including s1ngularity, GhostAction, and Shai-Hulud. The planned controls require two-factor authentication (2FA) for local publishing, enforce granular tokens with a 7-day lifetime, expand trusted publishing, deprecate classic tokens and TOTP 2FA in favor of FIDO-based 2FA, and remove the option to bypass 2FA for local publishing. npm maintainers are urged to switch to trusted publishing, enforce 2FA for publishing and writing, and use WebAuthn.
- GitHub tightens npm security with mandatory 2FA, access tokens — www.bleepingcomputer.com — 23.09.2025 15:05
- GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up — www.darkreading.com — 24.09.2025 00:00
- npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks — thehackernews.com — 23.05.2026 19:35