The 2FA policy, intended to protect against account takeovers, will be put in place starting with a cohort of top packages in the first quarter of 2022, GitHub said in a bulletin published on November 15. GitHub became stewards of the registry after acquiring NPM in 2020.
GitHub periodically sees incidents on the registry where NPM accounts are compromised by malicious actors and then used to insert malicious code into popular packages where the accounts have access. GitHub cited two incidents prompting tighter security:
@owner/packagefor private packages created before October 20 were exposed for a time between October 21 and October 29, when work began on a fix and on determining the scope of the exposure. All records containing private package names were removed from the
replicate.npmjs.comservice on this date. Changes have been made to prevent the issue from happening again.