The software industry is facing an alarming rise in attacks targeting package registries, especially platforms like npm. These incidents expose a weakness of the open-source ecosystem: a malicious actor who gains unauthorized access to a maintainer's account can distribute harmful software through packages that users already trust.
Recently, the attack known as 'Shai-Hulud' drew attention after being reported on September 14, 2025. It involved a self-replicating worm that infiltrated npm and added malicious scripts to popular JavaScript packages. The timely response from GitHub and the affected maintainers limited the damage to the ecosystem.
In response to these threats, GitHub has removed more than 500 compromised packages and has blocked the upload of new ones that showed traces of malware. These actions aim to stop the spread and strengthen the platform's security.
Security breaches of this kind not only erode trust in open source but also compromise the integrity of the entire software supply chain. To meet this challenge, it is essential to strengthen authentication methods and improve secure publishing practices on npm.
GitHub plans to roll out security improvements, including mandatory two-factor authentication for local publishing and the use of short-lived tokens. Obsolete authentication methods will also be removed, and token-based publishing will be restricted.
This process will be carried out gradually, ensuring that users receive the support they need. In addition, "trusted publishing" is being promoted as a security measure that removes the need to manage API tokens in build systems.
npm maintainers play a crucial role in reinforcing the security of the ecosystem. They are urged to adopt trusted publishing practices and to strengthen authentication on their accounts, thereby contributing to a safer environment. The community, through its participation and vigilance, is key to securing a safer future for open-source software.
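As an added example, not part of the original article or of GitHub's or npm's own documentation: a GitHub Actions publish workflow that relies on npm trusted publishing (a short-lived credential obtained through the job's OIDC identity) instead of a long-lived NPM_TOKEN secret stored in the build system. It assumes the package has this repository and workflow filename registered as a trusted publisher in its npm package settings; the package itself is a placeholder.

```yaml
# .github/workflows/publish.yml
# The filename must match the trusted publisher registered in the package's npm
# settings (assumed here; example configuration, not npm's own).
name: publish

on:
  release:
    types: [published]

permissions:
  contents: read
  id-token: write   # lets the job request an OIDC token that npm exchanges for a short-lived publish credential

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Trusted publishing requires npm CLI 11.5.1 or newer; the npm bundled with
      # the Node release may be older, so upgrade it first.
      - run: npm install -g npm@latest

      - run: npm ci

      # No NODE_AUTH_TOKEN here. The pattern this replaces is:
      #   env:
      #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      # a long-lived token that any compromised dependency or install script running
      # in the same job could read. With trusted publishing the credential is minted
      # per run and expires, so there is nothing persistent to steal from the build.
      - run: npm publish --provenance --access public
```

The `--provenance` flag attaches a signed attestation linking the published tarball to this workflow run, which lets consumers verify where a release was built.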