ADVERTISEMENT

CISA, GitHub take action after massive NPM supply chain compromise

After a massive supply-chain compromise of over 500 NPM packages, the US cybersecurity watchdog has released an alert urging organizations to check for potential malicious leftovers and compromised credentials. GitHub is enforcing stricter authentication for publishing packages.

npm package compromise

Image by Cybernews.

Ernestas Naprys
Ernestas Naprys Senior Journalist
Sep 24, 2025 3 min read
  • Conduct a dependency review of all software leveraging the npm package ecosystem. The organizations are urged to check for “package-lock.json” or “yarn.lock” files to identify affected packages, including those nested in dependency trees
  • Search for cached versions of affected dependencies in artifact repositories and dependency management tools
  • Pin npm package dependency versions to known safe releases produced prior to September 16th, 2025
  • Immediately rotate all developer credentials
  • Mandate phishing-resistant multifactor authentication (MFA) on all developer accounts, especially for critical platforms like GitHub and NPM
  • Monitor for anomalous network behavior. CISA suggests blocking outbound connections to the “webhook.site”, which was used for exfiltration, domains, and monitoring firewall logs for connections to suspicious domains
  • Harden GitHub security by removing unnecessary GitHub Apps and OAuth applications, and auditing repository webhooks and secrets
  • Enable branch protection rules, GitHub Secret Scanning alerts, and Dependabot security updates
Jurgita Lapienyte justinasv Izabele Pukenaite vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News
Add us as your Preferred Source on Google.

GitHub enforces stricter authentication

ADVERTISEMENT
  • Two-factor authentication (2FA) will be required for local publishing.
  • The lifetime of Granular tokens will be limited to seven days
  • A shift to trusted publishing, which is a new authentication method replacing long-lived API keys or passwords with short-lived identity tokens.

ADVERTISEMENT