Full Report
In December 2025, in response to the Sha1-Hulud incident, npm completed a major authentication overhaul intended to reduce supply-chain attacks. While the overhaul is a solid step forward, the changes don’t make npm projects immune from supply-chain attacks. npm is still susceptible to malware attacks – here’s what you need to know for a safer Node community. Let’s start with the original
Analysis Summary
# Best Practices: npm Supply Chain Hardening
## Overview
These practices address the residual risks in the npm ecosystem following the December 2025 authentication overhaul. While npm has moved away from "classic tokens," vulnerabilities such as MFA-focused phishing, optional MFA bypasses for custom tokens, and credential theft remain. These guidelines focus on transitioning from static secrets to identity-based publishing and hardening developer accounts.
## Key Recommendations
### Immediate Actions
1. **Revoke Classic Tokens:** Ensure all legacy "classic" tokens are revoked and replaced with session-based or granular tokens.
2. **Enable MFA on Publish:** Manually toggle the "MFA on publish" setting for all sensitive packages, as this is currently optional for some accounts.
3. **Audit Team Permissions:** Remove any developers who do not require publish access from the organization’s npm dashboard to reduce the attack surface.
### Short-term Improvements (1-3 months)
1. **Transition to OIDC (Trusted Publishing):** Replace stored repository secrets (e.g., GitHub Secrets) with OpenID Connect (OIDC). This allows CI/CD systems to request short-lived, per-run tokens that do not require at-rest storage.
2. **Eliminate MFA Bypass Tokens:** Audit existing tokens for any with a 90-day expiration window and "MFA bypass" enabled. Replace these with short-lived session tokens.
3. **Implement Hardware Security Keys:** Encourage maintainers to use FIDO2/WebAuthn hardware keys (like YubiKeys) for MFA to prevent the MFA phishing described in the ChalkJS incident.
### Long-term Strategy (3+ months)
1. **Zero Trust for CI/CD:** Move toward a model where no human has permanent publish rights; all package releases must occur through verified, OIDC-authenticated CI pipelines.
2. **Quantum-Safe Planning:** Begin evaluating the impact of post-quantum cryptography (PQC) on signing and internal registry encryption protocols.
3. **Automated Dependency Monitoring:** Use tools to monitor package metadata for suspicious version jumps or unverified source code uploads.
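
The metadata monitoring in item 3, as an added example (not code from the original page or from npm): it scans a package's registry metadata ("packument") for releases that lose provenance attestations, skip major versions, or land in a rapid burst. The packument is constructed, the rule names and thresholds are assumptions, and it assumes the packument exposes publish times under `time` and provenance under `versions[v].dist.attestations`.

```javascript
// Constructed sample packument (not real registry data); the package name is hypothetical.
const SLSA = { attestations: { provenance: { predicateType: 'https://slsa.dev/provenance/v1' } } };
const samplePackument = {
  name: 'example-lib',
  time: {
    '1.4.0': '2025-09-01T10:00:00.000Z',
    '1.4.1': '2025-10-02T09:30:00.000Z',
    '1.4.2': '2025-12-20T03:12:00.000Z',
    '4.0.0': '2025-12-20T03:15:00.000Z',
  },
  versions: {
    '1.4.0': { dist: SLSA },
    '1.4.1': { dist: SLSA },
    '1.4.2': { dist: {} }, // published without provenance
    '4.0.0': { dist: {} }, // no provenance, skips majors 2 and 3
  },
};

// Returns one finding per (version, rule). Assumed heuristics: a release without
// provenance after an earlier one had it, a major version increase greater than 1,
// and a release published less than `burstMinutes` after the previous one.
function auditPackument(packument, { burstMinutes = 10 } = {}) {
  const releases = Object.keys(packument.versions)
    .filter((v) => packument.time[v]) // ignore versions with no publish time
    .map((v) => ({
      version: v,
      major: parseInt(v, 10),
      published: Date.parse(packument.time[v]),
      provenance: Boolean(packument.versions[v].dist?.attestations?.provenance),
    }))
    .sort((a, b) => a.published - b.published);

  const findings = [];
  let seenProvenance = false;
  releases.forEach((rel, i) => {
    const prev = releases[i - 1];
    if (seenProvenance && !rel.provenance) {
      findings.push({ version: rel.version, rule: 'provenance-dropped' });
    }
    if (prev && rel.major - prev.major > 1) {
      findings.push({ version: rel.version, rule: 'major-version-jump' });
    }
    if (prev && rel.published - prev.published < burstMinutes * 60_000) {
      findings.push({ version: rel.version, rule: 'rapid-republish' });
    }
    seenProvenance = seenProvenance || rel.provenance;
  });
  return findings;
}
```

A finding is a prompt for human review before the version is allowed into a lockfile, not proof of compromise.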
## Implementation Guidance
### For Small Organizations
- Focus on enabling MFA for all individual developer accounts.
- Use the `npm login` interactive workflow to ensure session-based tokens (2-hour lifespan) are the default for local work.
### For Medium Organizations
- Enforce the "MFA on publish" requirement at the organization level.
- Migrate the most critical internal packages to OIDC-based publishing via GitHub Actions or GitLab CI.
### For Large Enterprises
- Mandate Trusted Publishing across all repositories to eliminate the need for long-lived secrets.
- Integrate Zero Trust Network Access (ZTNA) solutions to ensure that `npm login` attempts originate from managed devices.
- Replace legacy firewalls/VPNs with identity-based access to internal registries to stop lateral movement.
## Configuration Examples
### GitHub Actions OIDC Configuration
Instead of using an `NPM_TOKEN` secret, configure the workflow permissions to request an ID token:
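```yaml
permissions:
  id-token: write   # allows the job to request an OIDC ID token
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20.x'
          registry-url: 'https://registry.npmjs.org'
      # Token-less (OIDC) publishing needs npm CLI 11.5.1 or later,
      # which is newer than the npm bundled with Node 20.
      - run: npm install -g npm@latest
      - run: npm publish --provenance --access public
```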
*(Note: `--provenance` links the package to the specific CI run, increasing transparency.)*
## Compliance Alignment
- **NIST SP 800-161:** Supply Chain Risk Management (SCRM) practices.
- **CIS Controls (Control 6):** Access Control Management – emphasizing MFA and short-lived credentials.
- **SSDF (Secure Software Development Framework):** Aligns with "Protect Software" tasks by securing the distribution channel.
## Common Pitfalls to Avoid
- **Legacy Phishability:** Relying on SMS or TOTP (authenticator apps), which are susceptible to the specific phishing campaigns mentioned (Sha1-Hulud).
- **The "Optional" Trap:** Assuming that npm’s overhaul automatically secured your account; "MFA on publish" and "OIDC" must be actively configured.
- **Token Overstay:** Creating custom 90-day tokens for "convenience" effectively recreates the insecure "classic token" environment.
## Resources
- **npm Documentation (Defanged):** hxxps[://]docs[.]npmjs[.]com/generating-tokens
- **GitHub OIDC Guide (Defanged):** hxxps[://]docs[.]github[.]com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
- **Zscaler Zero Trust + AI:** hxxps[://]thehackernews[.]uk/modern-sec-transform