{"id":215269,"date":"2026-02-13T05:45:00","date_gmt":"2026-02-13T10:45:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/13\/npms-update-to-harden-their-supply-chain-and-points-to-consider\/"},"modified":"2026-02-19T09:25:09","modified_gmt":"2026-02-19T14:25:09","slug":"npms-update-to-harden-their-supply-chain-and-points-to-consider","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/13\/npms-update-to-harden-their-supply-chain-and-points-to-consider\/","title":{"rendered":"npm\u2019s Update to Harden Their Supply Chain, and Points to Consider"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/02\/npms-update-to-harden-their-supply.html\">npm\u2019s Update to Harden Their Supply Chain, and Points to Consider<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/02\/npms-update-to-harden-their-supply.html\">https:\/\/thehackernews.com\/2026\/02\/npms-update-to-harden-their-supply.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-02-13 05:45:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\"><span class=\"author\">The Hacker News<\/span><span class=\"author\">Feb 13, 2026<\/span><\/span><span class=\"p-tags\">Supply Chain Security \/ DevSecOps<\/span><\/p>\n<p>In December 2025, in response to the Sha1-Hulud incident, npm completed a major authentication overhaul intended to reduce supply-chain attacks. While the overhaul is a solid step forward, the changes don\u2019t make npm projects immune from supply-chain attacks. npm is still susceptible to malware attacks \u2013 here\u2019s what you need to know for a safer Node community.<\/p>\n<h2 style=\"text-align: left;\"><strong>Let\u2019s start with the original problem<\/strong><\/h2>\n<p>Historically, npm relied on classic tokens: long-lived, broadly scoped credentials that could persist indefinitely. 
If stolen, attackers could directly publish malicious versions to the author\u2019s packages (no publicly verifiable source code needed). This made npm a prime vector for supply-chain attacks. Over time, numerous real-world incidents demonstrated this point. Shai-Hulud, Sha1-Hulud, and chalk\/debug are examples of recent, notable attacks.<\/p>\n<h2 style=\"text-align: left;\"><strong>npm\u2019s solution<\/strong><\/h2>\n<p>To address this, npm made the following changes:<\/p>\n<ol>\n<li>npm revoked all classic tokens and defaulted to session-based tokens instead. The npm team also improved token management. Interactive workflows now use short-lived session tokens (typically two hours) obtained via npm login, which defaults to MFA for publishing.\u00a0<\/li>\n<li>The npm team also encourages OIDC Trusted Publishing, in which CI systems obtain short-lived, per-run credentials rather than storing secrets at rest.<\/li>\n<\/ol>\n<p>In combination, these practices improve security. They ensure credentials expire quickly and require a second factor during sensitive operations.<\/p>\n<h2 style=\"text-align: left;\"><strong>Two important issues remain<\/strong><\/h2>\n<p>First, people need to remember that the original attack on tools like ChalkJS was a successful MFA phishing attempt on npm\u2019s console. If you look at the original email attached below, you can see it was an MFA-focused phishing email (nothing like trying to do the right thing and still getting burned). The campaign tricked the maintainer into sharing both the user login and one-time password. 
This&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/02\/npms-update-to-harden-their-supply.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>npm\u2019s Update to Harden Their Supply Chain, and Points to Consider https:\/\/thehackernews.com\/2026\/02\/npms-update-to-harden-their-supply.html Publish Date: 2026-02-13&#8230;<\/p>\n","protected":false},"author":1,"featured_media":215270,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg2f7TicFSKUe4LQJy82mhhepyMplbLHU-VNYpY_gxLvTILbFCviVqGKP4thBHnPvHWaw1EdFBuqDcDePYX1Z76KaB2j0pC8rWGM4eyu8tNLDcy0HChASJSx2zZufWVktAvzIR2yAJGDC0eIpVPV5u5OaAJsYohGS77dRTUcm_q3kl3D-N5hhCJ6XWxz-w\/s1600\/npm-security.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[35,32,25],"class_list":["post-215269","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-hacker","tag-malware","tag-phishing"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/215269"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=215269"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/215269\/revisions"}],"predecessor-version":[{"id":215271,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/215269\/revisions\/215271"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/215270"}],"wp:attachment":[{"href":"https:\/\/news-y
ou-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=215269"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=215269"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=215269"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}