Credential resets
Over the last few days we’ve been resetting the passwords for more than a thousand users and sending email informing them of the reset. Here is some detail about why we’re doing this.
We often revoke npm credentials that have leaked through CI service logs or been accidentally checked into GitHub. Accidentally leaking environment variables like npm auth tokens in CI logs is a common mistake! We have also reset passwords for users who were found to have used common or weak passwords for their npm accounts, such as their username or the string "password".
In this case, however, passwords for a number of users were available online, accessible via Google search. These passwords were made public through security breaches of other sites, and, unfortunately, the owners of some hacked accounts re-used the passwords for their npm accounts. This was discovered by an independent security researcher, who informed us of his discovery and set a short deadline for action on our part before he contacted you himself.
We have reset the passwords and revoked all extant auth tokens for the users whose passwords were publicly available.
To our knowledge, at no time has npm’s account information been accessed inappropriately. In all of these cases, the credentials were leaked either by the npm users themselves accidentally, or in breaches of other sites.
Here are the steps we’ve taken to help protect you from problems like this:
- We’ve implemented stricter password requirements. You can no longer use your own username or words from a list of the most commonly-used passwords.
- We have added additional monitoring and abuse defense on sensitive endpoints, such as the login endpoint, to make dictionary attacks on logins infeasible and detectable.
- We continue to work with Lift Security to audit our services and run penetration tests.
- Leaks are rare, but unavoidable at scale. We will continue to work with white-hat security researchers who perform routine scans of this nature, and to preemptively protect our community from account leakage.
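The password rule described above (no username, nothing from a list of the most common passwords) is simple to enforce at registration or password-change time. The following is an added example written for this page, not npm's own code: the common-password list is a constructed sample, the 10-character minimum and the "trivial variant" check (stripping trailing digits and punctuation so `Password1!` is caught as `password`) are assumptions beyond what the post states, and the username check is case-insensitive.

```javascript
// Added example (not npm's code): a minimal password-policy check.
// COMMON_PASSWORDS is a constructed sample, not npm's real list.
const COMMON_PASSWORDS = new Set([
  'password', '123456', '12345678', 'qwerty', 'abc123', 'letmein',
  'monkey', 'dragon', 'iloveyou', 'admin', 'welcome', 'passw0rd',
]);

// Comparisons are case-insensitive; the password itself is never altered.
function normalize(s) {
  return String(s).toLowerCase();
}

// Returns null when the password is acceptable, otherwise a reason string.
// minLength is an assumption (the post does not state a length rule).
function checkPassword(username, password, { minLength = 10, common = COMMON_PASSWORDS } = {}) {
  const pw = normalize(password);
  const user = normalize(username);

  // Rule from the post: the password may not be the account's own username.
  if (pw === user) return 'password must not be your username';
  // Assumption: also reject passwords that merely embed a non-trivial username.
  if (user.length >= 4 && pw.includes(user)) return 'password must not contain your username';

  // Rule from the post: nothing from the list of most commonly used passwords.
  if (common.has(pw)) return 'password is on the list of most commonly used passwords';

  // Assumption: "password1!" is no better than "password"; strip trailing
  // digits/punctuation before checking the list again.
  const stripped = pw.replace(/[\d\W_]+$/, '');
  if (stripped !== pw && common.has(stripped)) {
    return 'password is a trivial variant of a commonly used password';
  }

  if (pw.length < minLength) return `password must be at least ${minLength} characters`;
  return null;
}

// Constructed demonstration inputs.
const EXAMPLES = [
  ['alice', 'alice'],
  ['alice', 'Password1!'],
  ['alice', 'correct horse battery staple'],
];
for (const [u, p] of EXAMPLES) {
  console.log(`${u} / ${JSON.stringify(p)} -> ${checkPassword(u, p) || 'ok'}`);
}
```

The specific rejection reasons are ordered so the most actionable message (username, common word) is reported before the generic length complaint; a real deployment would also check the candidate against the account's e-mail local part and previously breached password sets.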
Here’s how you can protect yourself from credential leaks like this:
- Don’t re-use passwords. Generate a unique password for every site you make an account for.
- Create random passwords using a password manager and have the password manager keep track of them for you.
- Don’t make secret tokens visible in logs when you set up CI services: pass them as masked or secret variables rather than echoing environment variables or configuration files into the build output.
- Double-check before you commit configuration files such as .npmrc to git. This is a mistake most of us will make at some point, even if we’re careful, so be ready to clean up afterward by changing your passwords and revoking any tokens that were exposed.
- Look up your email address on sites like Have I Been Pwned? to see if your credentials have already been leaked online. If they have been leaked, change any passwords you might have re-used.
- Please don’t re-use passwords. Yes, I am repeating this advice. If you re-use passwords, the security of all of your accounts will depend on the practices of the least secure site you visit.
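Two of the items above, keeping tokens out of CI logs and out of committed configuration files, can be partly automated. The following is an added example written for this page, not npm's or any CI vendor's code. It looks for the `_authToken=` entry that npm writes to .npmrc and, as an assumption about common practice, for `NPM_TOKEN=` shell assignments; the token values and log lines are constructed. `findTokens` drives a pre-commit gate, and `redact` can be applied to anything about to be written to a build log.

```javascript
// Added example (not npm's code): detect and redact npm auth tokens in text
// that is about to be committed or printed to a CI log.
const TOKEN_PATTERNS = [
  // .npmrc form: //registry.npmjs.org/:_authToken=<token>  (key kept, value captured)
  /(_authToken\s*=\s*)(\S+)/g,
  // Assumption: tokens are often exported to CI as NPM_TOKEN=<token>, optionally quoted
  /(\bNPM_TOKEN\s*=\s*["']?)([^\s"']+)/g,
];

// Returns [{ line, key, token }] for every token found in `text` (1-based line numbers).
function findTokens(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const re of TOKEN_PATTERNS) {
      re.lastIndex = 0; // global regexes keep state between exec() calls
      let m;
      while ((m = re.exec(line)) !== null) {
        const key = m[1].trim().replace(/[=\s"']+$/, '');
        findings.push({ line: idx + 1, key, token: m[2] });
      }
    }
  });
  return findings;
}

// Replaces every token value with a fixed marker. Nothing of the secret is kept,
// not even a suffix, so the redacted log cannot be used to narrow a guess.
function redact(text) {
  let out = text;
  for (const re of TOKEN_PATTERNS) {
    out = out.replace(re, (_, key) => `${key}[REDACTED]`);
  }
  return out;
}

// Pre-commit style gate: given staged files as { path: content }, returns the
// paths containing a token so the hook can refuse the commit.
function filesWithTokens(staged) {
  return Object.entries(staged)
    .filter(([, content]) => findTokens(content).length > 0)
    .map(([path]) => path);
}

// Constructed sample inputs (placeholder token values, not real credentials).
const SAMPLE_NPMRC = [
  'registry=https://registry.npmjs.org/',
  '//registry.npmjs.org/:_authToken=00000000-1111-2222-3333-444444444444',
  'save-exact=true',
].join('\n');

const SAMPLE_CI_LOG = [
  '$ export NPM_TOKEN=abcdef1234567890',
  '$ npm publish',
  '+ example-package@1.0.0',
].join('\n');

console.log('blocked files:', filesWithTokens({ '.npmrc': SAMPLE_NPMRC, 'package.json': '{"name":"x"}' }));
console.log(redact(SAMPLE_CI_LOG));
```

Wire `filesWithTokens` into a pre-commit hook over `git diff --cached --name-only` output, and pass build output through `redact` before it reaches the CI log; neither replaces rotating a token once it has actually been exposed.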