Security advice for users and maintainers to help reduce the impact of the next supply chain malware attack.

The GitHub Blog provides updates, announcements, and insights from the world's leading software development platform, covering topics such as new features, community highlights, and industry trends. Developers can learn about GitHub's latest developments, best practices for collaboration, and tips for maximizing productivity on the platform.

GitHub Blog

The Shai-Hulud malware campaign demonstrates evolving supply chain threats targeting JavaScript packages through compromised credentials and malicious lifecycle scripts. The attacks exploit trust boundaries in publication pipelines, using credential harvesting, install-time execution, and rapid iteration to spread across dependencies. GitHub is accelerating npm security features including bulk OIDC onboarding, expanded provider support, and staged publishing with MFA-verified approval. Key defenses include enabling phishing-resistant MFA, setting token expiration dates, auditing OAuth apps, and using sandboxed development environments.

Strengthening supply chain security: Preparing for the next malware campaign

Advice for GitHub and npm users and maintainers