Close Menu
geekfence.comgeekfence.com
    What's Hot

    I Use One UI 9 Daily – This Hidden Feature is a Game-changer

    July 6, 2026

    The Science Behind Why Soccer Players at the 2026 World Cup Are Cutting Their Socks

    July 6, 2026

    Expanding our Heat Resilience data to 50+ global cities

    July 6, 2026
    Facebook X (Twitter) Instagram
    • About Us
    • Contact Us
    Facebook Instagram
    geekfence.comgeekfence.com
    • Home
    • UK Tech News
    • AI
    • Big Data
    • Cyber Security
      • Cloud Computing
      • iOS Development
    • IoT
    • Mobile
    • Software
      • Software Development
      • Software Engineering
    • Technology
      • Green Technology
      • Nanotechnology
    • Telecom
    geekfence.comgeekfence.com
    Home»Cyber Security»npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks
    Cyber Security

    npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks

    AdminBy AdminMay 24, 2026No Comments2 Mins Read5 Views
    Facebook Twitter Pinterest LinkedIn Telegram Tumblr Email
    npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks
    Share
    Facebook Twitter LinkedIn Pinterest Email


    Ravie LakshmananMay 23, 2026Software Supply Chain / DevSecOps

    npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks

    GitHub has rolled out new controls for npm to improve the security of the software supply chain, giving maintainers the ability to explicitly approve a release prior to the packages becoming publicly available for installation.

    Called staged publishing, the feature is now generally available on npm. It mandates that a human maintainer pass a two-factor authentication (2FA) challenge to approve a package before it is pushed to the npmjs[.]com.

    “Instead of a direct publish that immediately makes a package version available to consumers, the prebuilt tarball is uploaded to a stage queue where a maintainer must explicitly approve it before it becomes installable,” GitHub said.

    The Microsoft-owned subsidiary said the change ensures “proof of presence” for every publish, including those that come from non-interactive CI/CD workflows and trusted publishing with OpenID Connect (OIDC) authentication.

    Before using staged publishing, package maintainers have to meet the following criteria –

    • Have publish access to the package
    • Package already exists on the npm registry, meaning a brand new package cannot be staged
    • 2FA is enabled for the account

    Developers can use the command “npm stage publish” from the root directory of the package to submit it to a staging area. To use this command, it’s essential to update to npm CLI 11.15.0 or newer. For optimal protection, GitHub is recommending that staged publishing be paired with trusted publishing using OIDC.

    A second update focused on npm relates to the introduction of three new install source flags alongside the existing -allow-git flag –

    • –allow-file: Controls installs from local file paths and local tarballs
    • –allow-remote: Controls installs from remote URLs, including https tarballs
    • –allow-directory: Controls installs from local directories

    The flags allow developers to “apply the same explicit-allowlist approach to every non-registry install source,” GitHub said.

    The development comes amid a massive surge in software supply chain attacks targeting open-source ecosystems over the past few months, with one cybercriminal group known as TeamPCP poisoning popular packages at an unprecedented scale through a self-perpetuating cycle of compromises.



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email

    Related Posts

    U.S. Government Entity Paid Kairos $1 Million in Data-Theft Extortion Case

    July 5, 2026

    FBI Seizes NetNut Proxy Platform, Popa Botnet – Krebs on Security

    July 4, 2026

    This month in security with Tony Anscombe – June 2026 edition

    July 3, 2026

    Getty Scraps $3.7B Shutterstock Merger After UK Curbs

    July 2, 2026

    Findings Report from the SOC at RSAC 2026 Conference

    July 1, 2026

    USB drives carrying China-linked malware infected Japanese military networks for nearly a year

    June 30, 2026
    Top Posts

    Understanding U-Net Architecture in Deep Learning

    November 25, 202559 Views

    Hard-braking events as indicators of road segment crash risk

    January 14, 202631 Views

    Redefining AI efficiency with extreme compression

    March 25, 202628 Views
    Don't Miss

    I Use One UI 9 Daily – This Hidden Feature is a Game-changer

    July 6, 2026

    What’s the actual point of One UI 9? Before I installed the beta of Samsung’s…

    The Science Behind Why Soccer Players at the 2026 World Cup Are Cutting Their Socks

    July 6, 2026

    Expanding our Heat Resilience data to 50+ global cities

    July 6, 2026

    Fable 5 Returns, Sonnet 5 Gets Cheaper, But European Banks Still Can’t Deploy Either on Azure |

    July 6, 2026
    Stay In Touch
    • Facebook
    • Instagram
    About Us

    At GeekFence, we are a team of tech-enthusiasts, industry watchers and content creators who believe that technology isn’t just about gadgets—it’s about how innovation transforms our lives, work and society. We’ve come together to build a place where readers, thinkers and industry insiders can converge to explore what’s next in tech.

    Our Picks

    I Use One UI 9 Daily – This Hidden Feature is a Game-changer

    July 6, 2026

    The Science Behind Why Soccer Players at the 2026 World Cup Are Cutting Their Socks

    July 6, 2026

    Subscribe to Updates

    Please enable JavaScript in your browser to complete this form.
    Loading
    • About Us
    • Contact Us
    • Disclaimer
    • Privacy Policy
    • Terms and Conditions
    © 2026 Geekfence.All Rigt Reserved.

    Type above and press Enter to search. Press Esc to cancel.