In the repository of npm included The use of mandatory two-factor authentication for accounts of the accompanying 500 most popular NPM packages. As a criterion for popularity, the number of dependent packages was used. Accompanying packages that are included in the list of packets will be able to carry out amendments to the repository operation only after inclusion of two -factor authentication, requiring confirming the entrance using disposable passwords (TOTP) generated by such as Authy, Google Authenticator, or hardware keys and biometric scanners, supporting the Webauth protocol.
This is the third stage of strengthening the protection of NPM from compromising accounts. At the first stage, all the NPM accounts were translated for which two-factor authentication was not included in the use of Extended verification accounts that requires entering a one -time code sent by email while trying to enter the NPMJS.com website or perform an authenticated operation in the NPM utility. At the second stage, the mandatory two -factor authentication was included for the 100 most popular packages.
Recall that in accordance with the study conducted in 2020, only 9.27% of the packages mayteners used two -factor authentication to protect access, and in 13.37% of cases, the developers tried to re -use compromised passwords in the well -known leaks of passwords when registering new accounts. In the course of checking the reliability of the passwords used, it was possible to access 12% of the accounts in NPM (13% of packages) due to the use of predictable and trivial passwords, such as “123456”. Among the problematic were 4 accounts of users from TOP20 of the most popular packages, 13 accounts, the packages of which were loaded more than 50 million times a month, 40 – more than 10 million downloads per month and 282 with more than 1 million downloads per month. Given the loading of the modules on the dependence chain, the compromise of unreliable accounts could hit in the amount of up to 52% of all modules in NPM.