At GitHub, we’re constantly striving to secure the supply chain with our products and features. Earlier this year, we announced a new authentication token format for GitHub, and we’re excited to share that npm access tokens will now follow the same format of GitHub authentication tokens.
Previously, the npm access tokens were created as a UUID pattern of 36 characters. This has its limitations, such as inaccurate detection of compromised npm tokens in packages and GitHub repositories.
Identifiable prefixes and higher entropy patterns
With the new pattern, access tokens now start with an identifiable prefix: npm
so it is easier to be indexed by features like GitHub secret scanning and npm’s internal secret scanners to provide higher security for your packages. Moreover, the delimiter following after is no longer a -
but an underscore _
which means that the full token can be selected when double-clicked (saving you 0.005 seconds 🎉 ).
Entropy is the logarithmic measure for information predictability. In the case of an access token, the higher the entropy, the better. By matching GitHub’s token format, our tokens are longer and have a larger alphabet. Because of this, we increased our entropy from 128 to 178!
The last six characters of the tokens consist of CRC32 checksum, which is encoded in our Base62 implementation to further eliminate false positives when scanning for leaked tokens.
Read more about the new format here.
What this means for you
We strongly encourage you to make the move toward the new format by resetting your existing access tokens. These improvements will help you mitigate any risk to compromised tokens as well as make our secret scanning detection more precise.
You can reset your personal access tokens by clicking on Access tokens
under your npm Profile
, deleting all of your old tokens, and creating new ones.
Thank you for helping us make npm more secure. ❤️
Tags:
Written by
Related posts
From object transition to RCE in the Chrome renderer
In this post, I’ll exploit CVE-2024-5830, a type confusion in Chrome that allows remote code execution (RCE) in the renderer sandbox of Chrome by a single visit to a malicious site.
Configure GitHub Artifact Attestations for secure cloud-native delivery
Introducing the generally available capability of GitHub Artifact Attestations to secure your cloud-native supply chain packages and images.
3 ways to get Remote Code Execution in Kafka UI
In this blog post, we’ll explain how we discovered three critical vulnerabilities in Kafka UI and how they can be exploited.