npm, the most widely used package manager in the JavaScript ecosystem, has implemented new security measures to curb supply chain attacks. It now requires two-factor authentication to publish packages and allows installations to be restricted based on a package's origin or reputation. The measures aim to prevent attackers from slipping malicious code into popular components, a growing problem in software development.
How npm's new security filters work 🔒
Two-factor authentication (2FA) becomes mandatory for anyone publishing packages, reducing the risk that a compromised account is used to push a malicious release. Additionally, npm introduces options to limit installations to verified or reputable packages, using signatures and behavioral analysis. This allows developers to block suspicious dependencies before they reach production. The update also includes early warnings about packages with anomalous activity or a recent change of maintainer.
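The origin restriction described above, as an added example that is not npm's own code or feature: a pre-install gate that walks a package-lock.json (lockfileVersion 3 layout) and reports any dependency resolved from outside an allowed registry host, over plain http, from a git URL, or without an integrity hash, so a CI job can refuse to run `npm ci`. The allowlist, the policy rules and the sample lockfile are all constructed here.

```javascript
// Added example: a lockfile origin/integrity gate. Not npm's code; the
// policy below is an assumption a team would tune for its own mirrors.
const ALLOWED_REGISTRIES = ["registry.npmjs.org"]; // assumed allowlist

// Returns a list of {name, reason} findings; an empty list means "install may proceed".
function checkLockfile(lockfile, allowedHosts = ALLOWED_REGISTRIES) {
  const findings = [];
  const flag = (name, reason) => findings.push({ name, reason });
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue;     // the root project itself, no origin to check
    if (entry.link) continue;      // workspace symlink, resolved locally
    // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!entry.resolved) { flag(name, "no resolved URL"); continue; }
    let url;
    try { url = new URL(entry.resolved); }
    catch { flag(name, `unparseable resolved URL ${entry.resolved}`); continue; }
    // git+ssh:, git+https: etc. bypass the registry entirely
    if (url.protocol.startsWith("git")) { flag(name, "git dependency, not from a registry"); continue; }
    if (url.protocol !== "https:") flag(name, `non-https origin (${url.protocol})`);
    if (!allowedHosts.includes(url.hostname)) flag(name, `origin ${url.hostname} not in allowlist`);
    if (!entry.integrity) flag(name, "missing integrity hash");
    else if (entry.integrity.startsWith("sha1-")) flag(name, "weak integrity algorithm (sha1)");
  }
  return findings;
}

// Constructed sample lockfile: one clean entry, one served from an unlisted
// http mirror without integrity, one pinned to a git commit (placeholder hash).
const SAMPLE_LOCK = {
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-CONSTRUCTED_PLACEHOLDER",
    },
    "node_modules/untrusted-helper": {
      version: "0.0.1",
      resolved: "http://mirror.example.test/untrusted-helper-0.0.1.tgz",
    },
    "node_modules/fork-of-lib": {
      version: "2.0.0",
      resolved: "git+ssh://git@github.com/someone/lib.git#0000000",
    },
  },
};

console.log(JSON.stringify(checkLockfile(SAMPLE_LOCK), null, 2));
```

Wire `checkLockfile(require("./package-lock.json"))` into the CI step ahead of `npm ci` and fail the job when the list is non-empty.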
Goodbye to installing packages like candy 🍬
Finally, npm is getting serious, just when many developers had already assumed that any package from GitHub was trustworthy. Now, installing that 5-star library that hasn't been updated since 2018 will require thinking twice. Of course, attackers are already updating their CVs to include 2FA on their fake accounts. Ironies of fate: now even hackers will have better security than your Netflix account.