GitHub has announced that two-factor authentication is becoming mandatory in the npm registry for the 100 npm packages with the largest number of dependents. Maintainers of these packages will be able to perform authenticated operations against the registry only after enabling two-factor authentication, which requires confirming the login with one-time passwords (TOTP) generated by applications such as Authy, Google Authenticator and FreeOTP. In the near future, in addition to TOTP, there are plans to add support for hardware keys and biometric scanners that implement the WebAuthn protocol.
On March 1, all npm accounts that do not have two-factor authentication enabled are scheduled to be switched to enhanced login verification, which requires a one-time code sent by email when logging in to npmjs.com or performing an authenticated operation with the npm utility.
Enhanced email verification does not apply to accounts that have two-factor authentication enabled. On February 16 and 13, a temporary trial rollout of enhanced verification will be carried out for all accounts.
Recall that, according to a study conducted in 2020, only 9.27% of maintainers used two-factor authentication to protect access to their accounts, and in 13.37% of cases developers registering new accounts attempted to reuse compromised passwords that appear in well-known password leaks. During a check of the strength of the passwords in use, it was possible to gain access to 12% of npm accounts (13% of packages) because they used predictable and trivial passwords such as "123456". Among them were 4 user accounts belonging to the top 20 most popular packages, 13 accounts whose packages were downloaded more than 50 million times a month, 40 with more than 10 million downloads per month and 282 with more than 1 million downloads per month. Taking into account how modules are pulled in along the dependency chain, the compromise of these weakly protected accounts could affect up to 52% of all modules in npm.