Overview
- Publishing will be limited to local releases with required 2FA, seven‑day granular tokens, or OIDC‑based trusted publishing.
- GitHub will deprecate classic tokens and TOTP-based 2FA, move users to FIDO/WebAuthn, disallow tokens for publishing by default, remove the 2FA bypass, and expand the set of trusted-publishing providers.
- More than 500 tainted packages were removed from the registry, and uploads matching the malware’s indicators are now blocked.
- The Shai‑Hulud worm used compromised maintainer accounts to inject post‑install code that stole secrets and replicated across packages.
- Security firm Socket also flagged a malicious package, fezbox, that hid a payload in a QR code to harvest credentials before being pulled from npm.
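The Shai-Hulud bullet above turns on npm's install-time lifecycle hooks; as an added example (not code from the article, GitHub or npm), the scanner below reports which packages in a dependency tree declare such hooks, so a defender can review them before allowing scripts to run. The manifests in `SAMPLE_MANIFESTS` are constructed for illustration.

```python
"""Flag npm packages whose package.json declares install-time lifecycle
scripts (the hook abused by the Shai-Hulud worm). Added example with
constructed sample data; not the article's or npm's own code."""
import json
import os

# npm runs these scripts automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def install_scripts(manifest):
    """Return {hook: command} for the install-time hooks a manifest declares."""
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def flag_manifests(manifests):
    """manifests: {package_name: parsed package.json}; return only those with hooks."""
    return {name: hooks for name, m in manifests.items() if (hooks := install_scripts(m))}


def scan_node_modules(root):
    """Walk a node_modules tree and collect install hooks from every package.json."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except ValueError:  # skip malformed manifests rather than abort the scan
                continue
        hooks = install_scripts(manifest)
        if hooks:
            found[manifest.get("name", dirpath)] = hooks
    return found


# Constructed manifests: one with no hooks, one legitimate native build,
# one that runs an arbitrary script at install time and deserves review.
SAMPLE_MANIFESTS = {
    "plain-lib": {"name": "plain-lib", "version": "1.0.0", "scripts": {"test": "jest"}},
    "native-addon": {"name": "native-addon", "scripts": {"install": "node-gyp rebuild"}},
    "suspicious-pkg": {"name": "suspicious-pkg", "scripts": {"postinstall": "node install.js"}},
}

if __name__ == "__main__":
    for name, hooks in flag_manifests(SAMPLE_MANIFESTS).items():
        print(f"{name}: {hooks}")
```

Installing with `npm install --ignore-scripts` disables these hooks entirely; the report shows which packages would then need a manual build step.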