Following a recent surge in phishing attacks targeting popular packages and the emergence of self-propagating worms compromising the NPM registry, additional protective measures are being introduced. In response to these incidents, NPM is rolling out the following changes:
- Two-factor authentication will be made mandatory for local package publication.
- One-time passwords (TOTP) for two-factor authentication will be phased out in favor of moving users to the FIDO U2F protocol.
- Classic tokens will be deprecated, and access using them will be disabled by default.
- The “Trusted Publishers” mechanism will be implemented; it relies on the OpenID Connect (OIDC) standard and on authentication tokens with limited permissions. This approach validates the package-publishing operation itself instead of relying on conventional passwords or persistent API access tokens.
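To make the Trusted Publishers point concrete, here is an added example (not part of the announcement and not NPM's own code) of a CI release job written twice: first the weak setting, where a long-lived classic token is stored as a CI secret, and then the corrected setting, where the job authenticates to the registry with a short-lived OIDC token. It assumes GitHub Actions as the OIDC identity provider, an npm CLI version that supports trusted publishing, and that this repository and workflow have already been registered as a trusted publisher for the package on npmjs.com.

```yaml
# Added example, not from the original announcement.
# Assumptions: GitHub Actions is the OIDC provider, the npm CLI in use supports
# trusted publishing, and this repo/workflow is registered as a trusted
# publisher for the package on npmjs.com.

# --- Before: a classic, long-lived token stored as a repository secret ---
# Anyone who obtains NPM_TOKEN (a phished maintainer, a malicious dependency
# executing inside CI) can publish as this package until the token is revoked.
name: release-with-stored-token
on:
  push:
    tags: ["v*"]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # long-lived secret at risk

---
# --- After: Trusted Publishing via OIDC; no npm token is stored anywhere ---
# The job requests a short-lived OIDC ID token from GitHub; the npm CLI presents
# it to the registry, which issues a limited publish credential bound to this
# registered workflow and package and valid only for this run.
name: release-with-trusted-publishing
on:
  push:
    tags: ["v*"]
permissions:
  contents: read
  id-token: write        # required: allows the job to mint an OIDC ID token
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --access public   # no NODE_AUTH_TOKEN needed
```

The difference that matters for the incidents described above is in what an attacker can steal: in the first job there is a durable secret whose theft grants publish rights indefinitely, while in the second the only credential is minted per run, tied to the registered workflow identity, and expires on its own.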