
GitHub tightens npm security with mandatory 2FA, access tokens


GitHub is introducing a set of defenses against npm supply-chain attacks, following several large-scale incidents on the registry in recent weeks.

Notable recent attacks that began with compromised GitHub repositories and then spread to npm include the "s1ngularity" attack in late August, the "GhostAction" campaign in early September, and the worm-style campaign dubbed "Shai-Hulud" last week.

The attacks led to the compromise of thousands of accounts and private repositories, the theft of sensitive data, and significant remediation costs.

Although GitHub responded quickly to limit the impact of these incidents, the company acknowledges that stronger proactive measures would be more effective than reactive cleanup.

To reduce these risks, GitHub announced that it will roll out the following measures in phases:

Require two-factor authentication (2FA) for local publishing.

Limit granular access tokens to a seven-day lifetime.

Expand and encourage the adoption of trusted publishing.

Deprecate classic (legacy) tokens and TOTP-based 2FA, migrating users to FIDO-based 2FA.

Shorten the expiration of granular tokens that carry publishing permissions.
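The trusted-publishing measure in the list above replaces long-lived publish tokens stored as CI secrets with short-lived, workflow-bound credentials obtained via OpenID Connect. The GitHub Actions workflow below is an added illustration of that pattern; it is not code from the article or from GitHub's announcement. It assumes the package owner has already registered this repository and the workflow file name `publish.yml` as a trusted publisher in the package's settings on npmjs.com, that the workflow is triggered by version tags, and that the runner's npm is recent enough to support OIDC publishing (the `npm install -g npm@latest` step is there for that reason). The `id-token: write` permission is what lets `npm publish` request the OIDC token; no `NPM_TOKEN` secret is configured anywhere.

```yaml
# .github/workflows/publish.yml (added example; file name and trigger are assumptions)
name: Publish to npm

on:
  push:
    tags:
      - 'v*'            # assumption: releases are cut by pushing a version tag

permissions:
  contents: read        # checkout only; no write access to the repository
  id-token: write       # required so npm can obtain a short-lived OIDC token

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'

      # Ensure an npm version that supports trusted (OIDC) publishing.
      - run: npm install -g npm@latest

      - run: npm ci

      # No token is passed: npm exchanges the workflow's OIDC identity for a
      # publish credential scoped to this repository and workflow, and the
      # registry records provenance for the published version.
      - run: npm publish
```

Compared with a workflow that reads a classic token from `secrets.NPM_TOKEN`, the credential here exists only for the duration of the job and is bound to this repository and workflow, so a leaked CI secret or a stolen developer token cannot be replayed to publish from elsewhere. The worm-style campaigns named in the article spread precisely by reusing stolen long-lived tokens, which is the exposure this configuration removes.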
