GitHub Strengthens npm Supply Chain Security with 2FA and Short-Lived Tokens
Summary
GitHub is rolling out stronger publishing controls for the npm registry, including mandatory two-factor authentication (2FA) and short-lived tokens, in response to a run of supply chain attacks on the ecosystem: the "s1ngularity" attack, the "GhostAction" campaign and the "Shai-Hulud" self-replicating worm, which together compromised thousands of accounts and private repositories. The measures include granular access tokens that expire after seven days, trusted publishing via OpenID Connect (OIDC) so that CI pipelines no longer need long-lived tokens, and automatic generation of provenance attestations for packages published that way. GitHub is also deprecating legacy classic tokens and TOTP-based 2FA in favor of FIDO/WebAuthn, expanding the set of supported trusted-publishing providers, and staging the rollout to limit disruption. It has removed more than 500 compromised packages and blocks new uploads that match the Shai-Hulud malware's indicators of compromise, and it urges npm maintainers to adopt trusted publishing and to require 2FA for publishing. Separately, Ruby Central is tightening governance of the RubyGems package manager to improve its supply-chain protections.
Timeline
- 23.09.2025 15:05 · 2 articles
Ruby Central Tightens Governance of RubyGems Package Manager
Ruby Central is tightening governance of the RubyGems package manager to improve supply-chain protections. Only Ruby Central staff will hold admin access until new policies are finalized, aiming to enhance security and transparency.
- GitHub tightens npm security with mandatory 2FA, access tokens — www.bleepingcomputer.com — 23.09.2025 15:05
- GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up — www.darkreading.com — 24.09.2025 00:00
- 23.09.2025 12:20 · 3 articles
GitHub Announces Enhanced Security Measures for npm Ecosystem
GitHub has removed over 500 compromised packages and blocked new packages containing the Shai-Hulud malware's indicators of compromise. The company will gradually roll out security changes, including mandatory 2FA, short-lived tokens, and trusted publishing using OIDC. GitHub encourages NPM maintainers to use NPM-trusted publishing and strengthen publishing settings to require 2FA. The company will provide future updates with clear timelines, documentation, migration guides, and support channels to assist with the transition.
- GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security — thehackernews.com — 23.09.2025 12:20
- GitHub tightens npm security with mandatory 2FA, access tokens — www.bleepingcomputer.com — 23.09.2025 15:05
- GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up — www.darkreading.com — 24.09.2025 00:00
Information Snippets
- GitHub is mandating 2FA for npm package publishing to enhance security.
First reported: 23.09.2025 12:20 (3 sources, 3 articles)
- GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security — thehackernews.com — 23.09.2025 12:20
- GitHub tightens npm security with mandatory 2FA, access tokens — www.bleepingcomputer.com — 23.09.2025 15:05
- GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up — www.darkreading.com — 24.09.2025 00:00
- Granular tokens with a seven-day expiration will be enforced for publishing permissions.
First reported: 23.09.2025 12:20 (3 sources, 3 articles)
- GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security — thehackernews.com — 23.09.2025 12:20
- GitHub tightens npm security with mandatory 2FA, access tokens — www.bleepingcomputer.com — 23.09.2025 15:05
- GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up — www.darkreading.com — 24.09.2025 00:00
- Trusted publishing using OIDC lets a CI/CD pipeline publish without any stored npm token: the registry verifies a short-lived OpenID Connect identity token issued by the CI provider instead, giving a cryptographically verifiable link between the package and the workflow that built it.
First reported: 23.09.2025 12:20 (3 sources, 3 articles)
- GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security — thehackernews.com — 23.09.2025 12:20
- GitHub tightens npm security with mandatory 2FA, access tokens — www.bleepingcomputer.com — 23.09.2025 15:05
- GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up — www.darkreading.com — 24.09.2025 00:00
- When a package is published through trusted publishing, the npm CLI automatically generates and publishes a provenance attestation linking the package to its source repository and build.
First reported: 23.09.2025 12:20 (3 sources, 3 articles)
- GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security — thehackernews.com — 23.09.2025 12:20
- GitHub tightens npm security with mandatory 2FA, access tokens — www.bleepingcomputer.com — 23.09.2025 15:05
- GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up — www.darkreading.com — 24.09.2025 00:00
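An end-to-end GitHub Actions workflow for the two mechanisms described in the snippets above, trusted publishing via OIDC and the automatic provenance attestation, as an added example that is not part of the original page nor of GitHub's announcement. It assumes a GitHub-hosted repository that releases on version tags, Node 22, and that the repository, the workflow file name and the (optional) environment have been registered as the package's trusted publisher on npmjs.com; the file name, tag pattern and environment name are placeholders.

```yaml
# .github/workflows/publish.yml  (hypothetical name; it must match the workflow
# registered as the trusted publisher in the package's settings on npmjs.com)
name: publish

on:
  push:
    tags: ['v*']          # assumption: a release is cut by pushing a version tag

permissions:
  contents: read          # least privilege by default; only the publish job gets id-token

jobs:
  verify-deps:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'
      # Install without running lifecycle scripts, so a compromised dependency's
      # preinstall/postinstall hook cannot execute on the runner.
      - run: npm ci --ignore-scripts
      # Verify registry signatures and provenance attestations of the installed tree.
      - run: npm audit signatures

  publish:
    needs: verify-deps
    runs-on: ubuntu-latest
    environment: release  # assumption: the environment bound to the trusted publisher
    permissions:
      contents: read
      id-token: write     # lets the job request an OIDC token; no NPM_TOKEN secret exists
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'
      - run: npm install -g npm@latest   # trusted publishing needs npm CLI 11.5.1 or newer
      - run: npm ci
      - run: npm test
      # No token and no --provenance flag: npm exchanges the job's OIDC token for a
      # short-lived publish credential and attaches a provenance attestation itself.
      - run: npm publish
```

Because publishing is authorized by the job's OIDC identity rather than a stored NPM_TOKEN, there is no long-lived secret for a Shai-Hulud-style worm or a GhostAction-style workflow edit to exfiltrate. An attacker who can commit to the registered workflow file can still trigger a publish, so branch protection on that file and an environment with required reviewers remain worthwhile. The `npm audit signatures` step is the consumer-side half of the story and can be run locally against any installed tree; to require 2FA for any remaining human publishes of a package, a maintainer can run `npm access set mfa=publish <package>`.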
- Legacy classic tokens will be deprecated in favor of granular tokens and trusted publishing, and TOTP-based 2FA will be deprecated in favor of FIDO-based (WebAuthn) 2FA.
First reported: 23.09.2025 12:20 (3 sources, 3 articles)
- GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security — thehackernews.com — 23.09.2025 12:20
- GitHub tightens npm security with mandatory 2FA, access tokens — www.bleepingcomputer.com — 23.09.2025 15:05
- GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up — www.darkreading.com — 24.09.2025 00:00
- The Shai-Hulud attack involved a self-replicating worm that targeted npm packages.
First reported: 23.09.2025 12:20 (3 sources, 3 articles)
- GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security — thehackernews.com — 23.09.2025 12:20
- GitHub tightens npm security with mandatory 2FA, access tokens — www.bleepingcomputer.com — 23.09.2025 15:05
- GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up — www.darkreading.com — 24.09.2025 00:00
- The malicious npm package 'fezbox' hid its credential-stealing code inside a QR code, decoded at runtime, to evade static inspection while stealing browser credentials.
First reported: 23.09.2025 12:20 (2 sources, 2 articles)
- GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security — thehackernews.com — 23.09.2025 12:20
- GitHub tightens npm security with mandatory 2FA, access tokens — www.bleepingcomputer.com — 23.09.2025 15:05
- GitHub is implementing additional measures to mitigate supply chain attacks, including the "s1ngularity" attack, the "GhostAction" campaign, and the "Shai-Hulud" worm-style campaign.
First reported: 23.09.2025 15:05 (2 sources, 2 articles)
- GitHub tightens npm security with mandatory 2FA, access tokens — www.bleepingcomputer.com — 23.09.2025 15:05
- GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up — www.darkreading.com — 24.09.2025 00:00
- The attacks compromised thousands of accounts and private repositories, leading to the theft of sensitive data and significant remediation costs.
First reported: 23.09.2025 15:05 (2 sources, 2 articles)
- GitHub tightens npm security with mandatory 2FA, access tokens — www.bleepingcomputer.com — 23.09.2025 15:05
- GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up — www.darkreading.com — 24.09.2025 00:00
- GitHub will gradually change the default publishing access setting to disallow token-based publishing and will remove the option to bypass 2FA for local publishing.
First reported: 23.09.2025 15:05 (2 sources, 2 articles)
- GitHub tightens npm security with mandatory 2FA, access tokens — www.bleepingcomputer.com — 23.09.2025 15:05
- GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up — www.darkreading.com — 24.09.2025 00:00
- Ruby Central is tightening governance of the RubyGems package manager to improve supply-chain protections, with only Ruby Central staff holding admin access until new policies are finalized.
First reported: 23.09.2025 15:05 (1 source, 1 article)
- GitHub tightens npm security with mandatory 2FA, access tokens — www.bleepingcomputer.com — 23.09.2025 15:05
- GitHub removed over 500 compromised packages and blocked new packages containing the Shai-Hulud malware's indicators of compromise.
First reported: 24.09.2025 00:00 (1 source, 1 article)
- GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up — www.darkreading.com — 24.09.2025 00:00
- GitHub's senior director of security research, Xavier René-Corail, published a blog post addressing the surge in package registry-based attacks, specifically on npm packages.
First reported: 24.09.2025 00:00 (1 source, 1 article)
- GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up — www.darkreading.com — 24.09.2025 00:00
- GitHub will gradually roll out the security changes to minimize disruption while strengthening the security posture of npm.
First reported: 24.09.2025 00:00 (1 source, 1 article)
- GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up — www.darkreading.com — 24.09.2025 00:00
- GitHub will provide future updates with clear timelines, documentation, migration guides, and support channels to assist with the transition.
First reported: 24.09.2025 00:00 (1 source, 1 article)
- GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up — www.darkreading.com — 24.09.2025 00:00
- GitHub encourages npm maintainers to use npm trusted publishing instead of tokens, strengthen publishing settings to require 2FA, and use WebAuthn instead of TOTP when configuring 2FA.
First reported: 24.09.2025 00:00 (1 source, 1 article)
- GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up — www.darkreading.com — 24.09.2025 00:00
- Mike McGuire, senior security solutions manager at Black Duck, noted that GitHub's changes raise the bar for attackers and close off some paths that enabled incidents like the Qix compromise and Shai-Hulud.
First reported: 24.09.2025 00:00 (1 source, 1 article)
- GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up — www.darkreading.com — 24.09.2025 00:00
- Michael Freeman, head of threat intelligence at Armis, suggests that more comprehensive security processes, including static and dynamic analysis, reproducible builds, and real-time monitoring, are needed for lasting change.
First reported: 24.09.2025 00:00 (1 source, 1 article)
- GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up — www.darkreading.com — 24.09.2025 00:00
- Danny Allan, chief technology officer at Snyk, acknowledges GitHub's actions as a step forward but notes that sophisticated threat actors target repositories in various ways, including compromised maintainers, typosquatting, and malicious code injection.
First reported: 24.09.2025 00:00 (1 source, 1 article)
- GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up — www.darkreading.com — 24.09.2025 00:00
Similar Happenings
Malicious 'postmark-mcp' npm package exfiltrated user emails
An unofficial npm package named 'postmark-mcp', which mimicked the official 'postmark-mcp' project, silently exfiltrated users' email after a malicious update. Version 1.0.16 added a single line of code that BCC'd every outgoing message to an address controlled by the threat actor. The malicious version was available for about a week and recorded around 1,643 downloads; by one estimate some 1,500 organizations may have pulled it. The package lets AI assistants interface with the Postmark email delivery platform and send email on behalf of users or applications, so the exposed traffic could include personal communications, password reset requests, two-factor authentication codes, financial information and customer details. Researchers at Koi Security discovered the backdoor; the developer, 'phanpak', who maintains 31 other packages on npm, removed the package from npm after being contacted. Users who installed it are advised to remove it immediately, rotate any credentials that may have been exposed, and audit all MCP servers in use.
Microsoft 365 Becomes Prime Target for Cybercriminals
Microsoft 365 has emerged as a primary target for cybercriminals due to its widespread adoption and integrated suite of applications. With over 400 million paid seats, the platform's dominance in email and collaboration services makes it an attractive target. Attackers exploit the interconnected nature of Microsoft 365 services, using vulnerabilities in one application to gain access to others. Recent vulnerabilities in SharePoint highlight the cascading risks associated with compromising a single service within the ecosystem. Backup systems often fail to adequately protect against sophisticated attacks, potentially reintroducing threats during recovery. Organizations must implement robust security measures, including zero-trust architecture and advanced threat protection, to mitigate these risks.
Secure by Design principles applied to IT infrastructure
The Cybersecurity and Infrastructure Security Agency (CISA) has released the Secure by Design framework, emphasizing the importance of integrating security into every stage of IT infrastructure development and maintenance. This approach aims to address the increasing complexity and vulnerability of hybrid and cloud environments, which have become prime targets for cyberattacks. The framework advocates for a proactive, flexible, and continuous security management process, moving away from traditional, reactive measures. It highlights the need for collaboration across all enterprise functions to embed security at every step of infrastructure building, provisioning, operation, and maintenance. The Secure by Design framework is designed to help organizations close security gaps, reduce exposure to cyber threats, and ensure that security is not an afterthought but a fundamental part of IT infrastructure.
GhostAction GitHub supply chain attack steals 3,325 secrets
The GhostAction supply chain attack, discovered by GitGuardian on September 2, 2025, stole 3,325 secrets from GitHub repositories. Attackers pushed malicious commits to GitHub Actions workflows that exfiltrated repository secrets to an external domain; the first signs of compromise were detected in the FastUUID project. At least 817 repositories were affected, and the stolen material spanned several ecosystems and services: PyPI, npm, DockerHub and GitHub tokens, Cloudflare API tokens, AWS access keys and database credentials. At least nine npm and 15 PyPI packages were exposed to the release of malicious or trojanized versions. The exfiltration endpoint was taken down shortly after the campaign's discovery, and the Python Software Foundation invalidated all PyPI tokens stolen in the attack, confirming that the threat actors had not used them to publish malware. GitGuardian notified the security teams of GitHub, npm and PyPI and opened issues in 573 impacted repositories; around a hundred repositories had already detected and reverted the malicious changes before the full scope of the campaign was uncovered. GitGuardian's notification to PyPI on September 5, 2025 landed in a spam folder, delaying the response until September 10, 2025. PyPI advised maintainers to replace long-lived tokens with short-lived Trusted Publishers tokens and to review their security history for suspicious activity.
GPUGate Malware Campaign Targets IT Firms in Western Europe
A sophisticated malware campaign, codenamed GPUGate, targets IT and software development companies in Western Europe, with recent expansions to macOS users. The campaign leverages Google Ads, SEO poisoning, and fake GitHub commits to deliver malware, including the Atomic macOS Stealer (AMOS). The attack began in December 2024 and uses a 128 MB Microsoft Software Installer (MSI) to evade detection. The malware employs GPU-gated decryption and various techniques to avoid analysis and detection. The end goal is information theft and delivery of secondary payloads. The threat actors have native Russian language proficiency and use a cross-platform approach. The campaign has expanded to target macOS users through fake GitHub repositories. These repositories impersonate popular tools and use SEO poisoning to distribute the Atomic Stealer malware. The threat actors use multiple GitHub usernames to evade takedowns and deploy malware via Terminal commands. Similar tactics have been observed in previous campaigns using malicious Google Ads and public GitHub repositories. The AMOS malware now includes a backdoor component for persistent, stealthy access to compromised systems. The campaign impersonates over 100 software solutions, including 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne. The fake GitHub pages were created on September 16, 2025, and were immediately submitted for takedown. The campaign has been active since at least April 2023, with previous similar campaigns observed in July 2025.