npm enrolls Top 100 package maintainers into mandatory 2FA

The administrators of the Node Package Manager (npm), the largest package repository of the JavaScript ecosystem, said they enrolled the maintainers of the Top 100 most popular libraries (based on the number of dependencies) into their mandatory two-factor authentication (2FA) procedure.

npm, which is owned by GitHub, enforced this new security requirement starting yesterday, February 1, 2022.

"Maintainers who do not currently have 2FA enabled will have their web sessions revoked and will need to set up 2FA before they can take specific actions with their accounts, such as changing their email address or adding new maintainers to projects," the GitHub security team said in a blog post.

The move represents the second phase of a major push from the npm team to secure developer accounts, which have been getting hijacked in recent years and used to push malware inside legitimate JavaScript libraries.

In many cases, the accounts are hacked because project maintainers use simple-to-guess passwords or reused passwords that were previously leaked via breaches at other companies.

The first phase of this process took place between December 7, 2021, and January 4, 2022, when the npm team rolled out a new feature called "enhanced login verification" for all npm package maintainers.

This new feature works by sending account owners a one-time passcode via email to all npm package owners when they log into their accounts.

At the time, npm announced future plans to make 2FA mandatory for all users in the future. This process started this week with the owners of the Top 100 most popular packages based on dependencies and will continue later this year with the owners of the Top 500 packages as well.

GitHub also plans to add WebAuthn support for npm accounts to allow project maintainers to use security keys to authenticate on the site beyond the email and SMS 2FA options they have right now.