GitHub Announces New Security Updates to Block NPM Supply Chain Attacks

GitHub has announced a series of security updates this week to counter supply chain attacks targeting the NPM ecosystem. As part of the effort, the company removed 500 malicious packages and blocked others carrying indicators of compromise.

The NPM ecosystem is a vast network of open-source JavaScript packages and tools managed through the Node Package Manager (NPM). It allows developers to easily share, install, and manage reusable code modules for building web applications, server-side software, and more. This ecosystem supports collaboration, speeds up development, and is deeply integrated into modern software workflows.

Microsoft’s GitHub detailed three key changes to strengthen security. The company plans to let the open source community publish packages locally with required two-factor authentication (2FA). GitHub will also require granular access tokens with a life span of only seven days, and encourage the use of its trusted publishing model.

“Trusted publishing is a recommended security capability by the OpenSSF Securing Software Repositories Working Group as it removes the need to securely manage an API token in the build system,” GitHub explained. “It was pioneered by PyPI in April 2023 as a way to get API tokens out of build pipelines. Since then, trusted publishing has been added to RubyGems (December 2023), crates.io (July 2025), npm (also July 2025), and most recently NuGet (September 2025), as well as other package repositories.”

Deprecation of legacy tokens and OTP methods

Additionally, GitHub will deprecate the use of legacy classic tokens and one-time passwords in favor of FIDO-based two-factor authentication (2FA). The company will also enforce 2FA for local publishing by default and expand eligible providers for trusted publishing.

GitHub advises NPM maintainers to use Trusted Publishing instead of using long-lived authentication tokens. It’s a more secure method that links publishing permissions directly to GitHub Actions or other CI/CD systems. It’s also recommended to enforce 2FA for anyone publishing packages to NPM, and use WebAuthn instead of TOTP when configuring 2FA.

Lastly, Microsoft will add a new billing enhancement for enterprise customers that will help to improve the precision of usage tracking. Starting on October 1, GitHub Enterprise Cloud will show metered usage per organization. Previously, usage was grouped under a generic label called “All other orgs.” Enterprise admins will be able to view the per-organization data in the billing dashboard, exported reports, and via the usage API.