In an effort to help developers and organizations defend against software supply chain attacks, GitHub plans to require anyone who contributes code on the platform to use some form of multi-factor authentication by the end of next year.
The move is a continuation of the company’s recent initiative to encourage developers and package maintainers to protect their accounts with 2FA. Right now, only about 16.5 percent of GitHub users have enabled any form of 2FA, but GitHub officials have been working to increase 2FA adoption across its ecosystem in recent years. In February, the company announced that all of the maintainers of the 100 most popular npm packages were enrolled in mandatory 2FA, and the next month enrolled all npm maintainers in enhanced login verification. GitHub will extend the mandatory 2FA usage to the top 500 npm package maintainers by the end of May.
Last summer, GitHub began requiring a form of strong authentication for every Git operation on the platform and stopped accepting passwords for those operations. Now, the company is laying the groundwork to move the more than 80 million developers who contribute code to projects on the platform to 2FA. The change is meant as a strong line of defense against account takeovers, which can lead to attackers inserting malicious code into projects and cascading downstream effects.
“Most security breaches are not the product of exotic zero-day attacks, but rather involve lower-cost attacks like social engineering, credential theft or leakage, and other avenues that provide attackers with a broad range of access to victim accounts and the resources they have access to. Compromised accounts can be used to steal private code or push malicious changes to that code,” said GitHub CSO Mike Hanley.
“This places not only the individuals and organizations associated with the compromised accounts at risk, but also any users of the affected code. The potential for downstream impact to the broader software ecosystem and supply chain as a result is substantial.”
Attacks against the software supply chain have become a serious concern for enterprises, developers, and vendors, and a common tactic for threat actors looking to gain access to a broad swath of targets. The most prominent recent examples are the attack by APT29 on SolarWinds in December 2020 and the intrusion at Kaseya by REvil ransomware actors in July 2021. Both incidents had wide-ranging downstream effects on the affected companies’ customers and partners and took considerable time and resources to remediate. Last month, npm, a subsidiary of GitHub, was the target of an attack in which actors used stolen OAuth tokens for two third-party integrators and a stolen API key in order to access the npm infrastructure and download some private packages.
GitHub is not dictating which form of 2FA developers should use, but it has encouraged the use of hardware security keys and has already distributed them to the maintainers of critical open source packages.
“While we are investing deeply across our platform and the broader industry to improve the overall security of the software supply chain, the value of that investment is fundamentally limited if we do not address the ongoing risk of account compromise. Our response to this challenge continues today with our commitment to drive improved supply chain security through safe practices for individual developers,” Hanley said.