Only 9.27% of all npm developers use 2FA
The number is incredibly low and a major issue of concern for the npm security team, who’d like to see this figure grow in the coming year.
This has made npm a prime target for supply-chain attacks, scenarios where hackers breach a developer’s npm account in order to insert malicious code inside their libraries. Such incidents have happened in the past years, including 2019.
- June 2019 – a hacker backdoored the electron-native-notify library to insert malicious code that reached the Agama cryptocurrency wallet.
- November 2018 – a hacker backdoored the event-stream npm package to load malicious code inside the BitPay Copay desktop and mobile wallet apps, and steal cryptocurrency.
- July 2018 – a hacker compromised the ESLint library with malicious code that was designed to steal the npm credentials of other developers.
- May 2018 – a hacker tried to hide a backdoor in a popular npm package named getcookies.
Academic research published last year showed that most of the npm packages are intertwined with one another, and that hacking 20 high-profile developer accounts could allow a threat actor to plant malicious code that gets used by half of the entire npm ecosystem.
As such, securing the accounts of npm library owners should be a top priority going forward.
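To make the research claim above concrete, here is an added example (not the article's or npm's own code) that computes which maintainer accounts have the widest transitive reach in a constructed dependency graph; the package and maintainer names are invented.

```javascript
// Added example (not from the article): how far a single compromised maintainer
// account reaches in a dependency graph. Constructed sample data, not real npm data.
const packages = {
  "core-utils":    { maintainer: "alice", deps: [] },
  "http-client":   { maintainer: "bob",   deps: ["core-utils"] },
  "logger":        { maintainer: "carol", deps: [] },
  "web-framework": { maintainer: "dave",  deps: ["http-client", "logger"] },
  "cli-tool":      { maintainer: "erin",  deps: ["logger"] },
  "app-a":         { maintainer: "frank", deps: ["web-framework"] },
  "app-b":         { maintainer: "grace", deps: ["web-framework", "cli-tool"] },
  "app-c":         { maintainer: "heidi", deps: ["core-utils"] },
};
// Reverse edges: package -> packages that directly depend on it.
function dependents(graph) {
  const rev = {};
  for (const [name, info] of Object.entries(graph)) {
    for (const d of info.deps) (rev[d] = rev[d] || []).push(name);
  }
  return rev;
}
// Packages that would ship an attacker's code if `maintainer` were compromised:
// the packages they own plus all transitive dependents.
function reach(graph, maintainer) {
  const rev = dependents(graph);
  const seen = new Set();
  const stack = Object.keys(graph).filter((p) => graph[p].maintainer === maintainer);
  while (stack.length) {
    const p = stack.pop();
    if (seen.has(p)) continue;
    seen.add(p);
    stack.push(...(rev[p] || []));
  }
  return seen;
}
// Greedy set cover: the k accounts whose combined reach covers the most packages,
// i.e. the accounts a registry should prioritise for mandatory 2FA.
function topMaintainers(graph, k) {
  const maintainers = [...new Set(Object.values(graph).map((i) => i.maintainer))];
  const covered = new Set(), chosen = [];
  for (let i = 0; i < k; i++) {
    let best = null, bestGain = 0;
    for (const m of maintainers.filter((x) => !chosen.includes(x))) {
      const gain = [...reach(graph, m)].filter((p) => !covered.has(p)).length;
      if (gain > bestGain) { best = m; bestGain = gain; }
    }
    if (!best) break;
    chosen.push(best);
    reach(graph, best).forEach((p) => covered.add(p));
  }
  return { chosen, coverage: covered.size / Object.keys(graph).length };
}
```

In this sample graph, two of eight accounts ("alice" and "carol") together reach every package, which is the same shape of result the cited research reports for the real registry.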
The 9.27% figure is pretty low, and the npm team should take a page out of Mozilla’s book, the company behind the Firefox browser.
Last month, Mozilla announced that starting with January 2020, all developers of Firefox browser extensions must enable 2FA for their accounts in order to update their extensions going forward.
Other security-related stats from the npm security team [source]:
- Number of npm tokens revoked after being erroneously published to either the registry or GitHub: 737
- Total security advisories in the npm database: 1,285
- Security advisories created in 2019: 595
- Percentage of new account passwords improved by rejecting reused passwords compromised in previous breaches: 13.37
- Number, in millions, of run-time reports generated by our behavioral analysis API: 1.4