GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security
23 September 2025
GitHub on Monday announced that it will be changing its authentication and publishing options "in the near future" in response to a recent wave of supply chain attacks targeting the npm ecosystem, including the Shai-Hulud attack.
This includes steps to address threats posed by token abuse and self-replicating malware by allowing local publishing with required two-factor authentication (2FA),