Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Technology

Npm Enrolls Top 100 Package Maintainers Into Mandatory 2FA (therecord.media) 42

The administrators of the Node Package Manager (npm), the largest package repository of the JavaScript ecosystem, said they enrolled the maintainers of the top 100 most popular libraries (based on the number of dependencies) into their mandatory two-factor authentication (2FA) procedure. From a report: npm, which is owned by GitHub, enforced this new security requirement starting yesterday, February 1, 2022. "Maintainers who do not currently have 2FA enabled will have their web sessions revoked and will need to set up 2FA before they can take specific actions with their accounts, such as changing their email address or adding new maintainers to projects," the GitHub security team said in a blog post. The move represents the second phase of a major push from the npm team to secure developer accounts, which have been getting hijacked in recent years and used to push malware inside legitimate JavaScript libraries. In many cases, the accounts are hacked because project maintainers use simple-to-guess passwords or reused passwords that were previously leaked via breaches at other companies. The first phase of this process took place between December 7, 2021, and January 4, 2022, when the npm team rolled out a new feature called "enhanced login verification" for all npm package maintainers.
This discussion has been archived. No new comments can be posted.

Npm Enrolls Top 100 Package Maintainers Into Mandatory 2FA

Comments Filter:
  • Yes 2FA works and is a lot more secure. Its also a giant pain in the backside.
    • It cant be working that well if I will not use a service that forces this on me.
    • Re:Sucks to be them (Score:4, Informative)

      by luvirini ( 753157 ) on Thursday February 03, 2022 @10:41AM (#62233789)

      Yes, if I was a top contributor I would likely log in once and set a message "This project is no longer maintained as NPM is making it too annoying to maintain"

    • Or you could use a strong password, without the additional pain.

    • How is

      oathtool -b --totp 'secret'

      a giant pain in the backside?
    • Yes 2FA works and is a lot more secure. Its also a giant pain in the backside.

      Really? That's where we're at, as a society, now? Tapping the authentication app on my smartphone and keying in 6 digits is a giant pain in the backside?

      "Maintainers who do not currently have 2FA enabled will have their web sessions revoked and will need to set up 2FA before they can take specific actions with their accounts, such as changing their email address or adding new maintainers to projects,"

      Specific actions... Not just doing normal crap.. You have to go 2FA before you change your email address or add a hacker to the project.

      If that's too much for someone to do, fuck them. They're lazy to the point of being dangerous.

      • Many of us have broken the chains of slavery to our phones. So 2fa via a device you don't want to be shackled to a pita.
        • Many of us have broken the chains of slavery to our phones. So 2fa via a device you don't want to be shackled to a pita.

          Fine.

          https://www.makeuseof.com/how-generate-2fa-codes-windows-10-google-authenticator/

          Just admit you're lazy to the point of being useless.

  • I welcome such restrictions.

    Can't tell you how many shit packages I have downloaded without having any meaningful control.

This restaurant was advertising breakfast any time. So I ordered french toast in the renaissance. - Steven Wright, comedian

Working...