Only 9.27% of all npm developers use 2FA

Two-factor authentication is not widely adopted on npm, the de facto JavaScript package manager and the largest package repository on the internet.
Written by Catalin Cimpanu, Contributor

Only 9.27% of all maintainers of npm JavaScript libraries use two-factor authentication to protect their accounts.

The number is incredibly low and a major issue of concern for the npm security team, who'd like to see this figure grow in the coming year.

Npm, which stands for Node Package Manager, is one of the many package (library) management systems for the JavaScript ecosystem.

Npm is a company, a web portal listing JavaScript libraries, and a command-line tool for importing those libraries into a JavaScript project, whether a desktop, mobile, web, or server-side app.

Today, npm is by far the largest package manager in the JavaScript ecosystem, and also the largest package repository for any programming language, with more than 350,000 indexed libraries.

This has made npm a prime target for supply-chain attacks, in which hackers breach a developer's npm account in order to insert malicious code into that developer's libraries. Such incidents have happened in past years, including 2019.

  • June 2019 - a hacker backdoored the electron-native-notify library to insert malicious code that reached the Agama cryptocurrency wallet.
  • November 2018 - a hacker backdoored the event-stream npm package to load malicious code inside the BitPay Copay desktop and mobile wallet apps, and steal cryptocurrency.
  • July 2018 - a hacker compromised the ESLint library with malicious code that was designed to steal the npm credentials of other developers.
  • May 2018 - a hacker tried to hide a backdoor in a popular npm package named getcookies.

Academic research published last year showed that most of the npm packages are intertwined with one another, and that hacking 20 high-profile developer accounts could allow a threat actor to plant malicious code that gets used by half of the entire npm ecosystem.
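The research cited above measures how far a single compromised maintainer account can reach through the dependency graph. The following is an added example, not code from the article or from npm, that computes that reach over a small constructed graph (all package and maintainer names are made up) and then greedily picks the accounts whose combined reach is largest, which is the same question a registry or an organization would ask when deciding whose accounts to move to 2FA first.

```python
from collections import defaultdict, deque

# Constructed example data: package -> list of packages it depends on.
# These names and edges are made up for illustration, not real npm data.
DEPENDENCIES = {
    "app-a": ["left-pad-ish", "http-client"],
    "app-b": ["http-client", "logger"],
    "app-c": ["logger"],
    "http-client": ["stream-util", "logger"],
    "logger": ["colors-ish"],
    "stream-util": ["event-emitter-ish"],
    "left-pad-ish": [],
    "colors-ish": [],
    "event-emitter-ish": [],
    "unused-lib": [],
}

# Constructed: package -> maintainer account that can publish it.
MAINTAINERS = {
    "app-a": "alice", "app-b": "bob", "app-c": "carol",
    "http-client": "dave", "logger": "erin", "stream-util": "dave",
    "left-pad-ish": "frank", "colors-ish": "erin",
    "event-emitter-ish": "grace", "unused-lib": "heidi",
}


def reverse_graph(deps):
    """Build package -> set of packages that depend on it directly."""
    rev = defaultdict(set)
    for pkg, direct_deps in deps.items():
        rev.setdefault(pkg, set())
        for d in direct_deps:
            rev[d].add(pkg)
    return rev


def reach(packages, rev):
    """Packages that transitively depend on any of `packages`, including those packages."""
    seen = set()
    queue = deque(packages)
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(rev.get(pkg, ()))
    return seen


def owned_by(account, maintainers):
    return [p for p, m in maintainers.items() if m == account]


def maintainer_reach(account, deps, maintainers):
    """Every package that would ship the code of `account` if that account were compromised."""
    return reach(owned_by(account, maintainers), reverse_graph(deps))


def prioritize(deps, maintainers, k):
    """Greedy max-coverage: pick k accounts whose combined reach covers the most packages.

    Returns the chosen accounts in order and the fraction of all packages covered.
    """
    rev = reverse_graph(deps)
    covered, chosen = set(), []
    for _ in range(k):
        best, best_gain = None, 0
        for account in sorted(set(maintainers.values())):
            if account in chosen:
                continue
            gain = len(reach(owned_by(account, maintainers), rev) - covered)
            if gain > best_gain:
                best, best_gain = account, gain
        if best is None:
            break
        chosen.append(best)
        covered |= reach(owned_by(best, maintainers), rev)
    return chosen, len(covered) / len(deps)


if __name__ == "__main__":
    for account in sorted(set(MAINTAINERS.values())):
        print(account, sorted(maintainer_reach(account, DEPENDENCIES, MAINTAINERS)))
    print(prioritize(DEPENDENCIES, MAINTAINERS, 2))
```

On the constructed graph, the account owning the low-level `logger` package reaches six of the ten packages on its own, and two accounts together cover 80% of the graph, which is the mechanism behind the "20 accounts, half the ecosystem" finding: a handful of deep, widely depended-on packages multiply the blast radius of one weak account.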

As such, securing the accounts of npm library owners should be a top priority going forward.

The 9.27% figure is pretty low, and the npm team should take a page out of the book of Mozilla, the company behind the Firefox browser.

Last month, Mozilla announced that starting with January 2020, all developers of Firefox browser extensions must enable 2FA for their accounts in order to update their extensions going forward.

Other security-related stats from the npm security team [source]:

  • Number of npm tokens revoked because they were erroneously published to either the registry or GitHub: 737
  • Total security advisories in the npm database: 1,285
  • Security advisories created in 2019: 595
  • Percentage of new account passwords improved by rejecting reused passwords compromised in previous breaches: 13.37
  • Number, in millions, of run-time reports generated by our behavioral analysis API: 1.4

