npm adds two-factor auth, security tokens in wake of JS typo attack
Let's make sure that code you're pulling in is legit code, not some scumbag's library
Code registry npm, home to some 550,000 Node.js packages and millions of users, on Wednesday added support for two-factor authentication (2FA) and read-only authentication tokens in an effort to shore up its defenses.
Software registries, which store modules required by modern apps, have attracted the attention of malware makers as a relatively undefended path for distributing compromised code.
Following an academic research project last year that demonstrated the possibility of typosquatting popular software packages on registries like Python's PyPI, Node.JS's npm and Ruby's gem, both npm and PyPI this year had to deal with real typosquatting attacks.
npm has added support for 2FA through via authentication apps such as Google Authenticator or Authy. These apps generate a time-based one-time password that must be entered when signing into an npm account, in addition to the account password.
"2FA is another layer of defense for your account, preventing third parties from altering your code even if they steal or guess your credentials," npm said through its blog. "This is one of the easiest and most important ways to ensure that only you can access to your npm account."
Enabling 2FA presently must be done via the command line:
npm profile enable-tfa.
It's not a defense against a typosquatting – that would involve checking for package name similarities – but it does provide greater protection for package contributors, whose accounts have value to malware distributors in proportion to the popularity of associated packages. Effort to hijack developer accounts may be rare but they're not unheard of.
npm has supported authentication tokens that connect npm accounts to continuous integration (CI) tools like Travis CI for several years. As of Wednesday, it added support for read-only tokens, which can be used to configure CI tools so they can download private modules but not publish or alter them. This can mitigate the potential for damage if a token gets leaked through a CI system.
Read-only tokens provide a way to limit use to specific network addresses, a common requirement for enterprise security.
npm has made token management accessible through the command line, so users can create, delete, and list tokens without resorting to the web account interface.
The new security features, along with other tweaks like command line editing of npm profile info, can be had in npm v5.5.0, via the command:
npm install -g npm@latest ®