We’re sharing details of recent incidents on the npm registry, our investigations, and how we’re continuing to invest in the security of npm.

On September 28, 2021, we received notice from the developer Axosoft regarding a vulnerability in a dependency of their popular git GUI client – GitKraken. An underlying issue with a dependency, called `keypair`, resulted in the GitKraken client generating weak SSH keys.

Between July 21, 2021 and August 13, 2021 we received reports through one of our private security bug bounty programs from researchers regarding vulnerabilities in tar and @npmcli/arborist.

The benefits of multifactor authentication are widely documented, and there are a number of options for using 2FA on GitHub.

One month ago, we started a discussion with the community about proposed revisions to clarify GitHub’s policies on security research, malware, and exploits with the goal to enable, welcome, and encourage dual-use security research and

April 30, 2021 update: Thank you to everyone who’s weighed in on the discussion so far. I’ve commented in the pull request to clarify a few points based on initial feedback. Keep the comments coming.

Why did I get logged out of GitHub.com? On the evening of March 8, we invalidated all authenticated sessions on GitHub.com created prior to 12:03 UTC on March 8 out of an abundance of caution

The world runs on software, and a large portion of it, especially the open source software that’s part of everything we experience, is built by millions of developers on GitHub every day. GitHub is heavily