VOOZH about

URL: https://thenewstack.io/almost-1-3-of-top-npm-accounts-arent-protected-with-2fa/

⇱ Almost 1/3 of Top npm Accounts Aren't Protected with 2FA - The New Stack


TNS
SUBSCRIBE
Join our community of software engineering leaders and aspirational developers. Always stay in-the-know by getting the most important news and exclusive content delivered fresh to your inbox to learn more about at-scale software development.
REQUIRED
It seems that you've previously unsubscribed from our newsletter in the past. Click the button below to open the re-subscribe form in a new tab. When you're done, simply close that tab and continue with this form to complete your subscription.
The New Stack does not sell your information or share it with unaffiliated third parties. By continuing, you agree to our Terms of Use and Privacy Policy.
Welcome and thank you for joining The New Stack community!
Please answer a few simple questions to help us deliver the news and resources you are interested in.
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
Great to meet you!
Tell us a bit about your job so we can cover the topics you find most relevant.
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
Welcome!

We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.

What’s next?

Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.

Follow TNS on your favorite social media networks.

Become a TNS follower on LinkedIn.

Check out the latest featured and trending stories while you wait for your first TNS newsletter.

PREV
1 of 2
NEXT
VOXPOP
As a JavaScript developer, what non-React tools do you use most often?
Angular
0%
Astro
0%
Svelte
0%
Vue.js
0%
Other
0%
I only use React
0%
I don't use JavaScript
0%
Thanks for your opinion! Subscribe below to get the final results, published exclusively in our TNS Update newsletter:
NEW! Try Stackie AI
From clobbered drafts to real-time sync
Apr 14th 2026 10:00am, by David Moore
TypeScript 6.0 RC arrives as a bridge to a faster future
Mar 14th 2026 9:00am, by Darryl K. Taft
Mastra empowers web devs to build AI agents in TypeScript
Jan 28th 2026 11:00am, by Loraine Lawson
2022-04-07 12:32:34
Almost 1/3 of Top npm Accounts Aren't Protected with 2FA
news,
Security / Software Development

Almost 1/3 of Top npm Accounts Aren’t Protected with 2FA

A recent study by Aqua Security's Team Nautilus found that 32% of the top 35 npm packages are at risk of account takeover because their dependencies’ owners haven't properly employed two-factor authentication (2FA).
Apr 7th, 2022 12:32pm by Steven J. Vaughan-Nichols
👁 Featued image for: Almost 1/3 of Top npm Accounts Aren’t Protected with 2FA
Featured image via Pixabay.

The npm JavaScript package manager and default package manager for the JavaScript runtime environment Node.js is insanely popular. It’s the largest software registry in the world. But its security has nothing to write home about. A recent study by Aqua Security‘s Team Nautilus found that 32% of the top 35 npm packages are at risk of account takeover because their dependencies’ owners haven’t properly employed two-factor authentication (2FA).

We need this like we need a hole in the head.

Hard to Secure

By its very nature, npm is a horror show to secure. Npm enables you to use external libraries and supports dependency management. Combined this makes it all too easy to call third-party libraries and dependencies for your project. In addition, while in theory npm packages include everything needed for their functionality all too often, many packages download additional resources upon installation. Sure, you checked the specific program for security problems but what about all its dependencies and its downloads?

Can you say “dependency hell?” I can.

A 2019 study found that on average, npm packages implicitly trust 79 third-party packages and 39 maintainers. Additionally, popular packages often influence over 100,000 other packages. This makes them prime attack targets.

Only 100 Projects

Now, npm finally adopted 2FA for its top 100 projects, but that’s nothing like enough. And remember all those dependencies? If only one of those is compromised, thousands of applications can be transformed into cryptominers. That’s not just an idle worry. It’s already happened. UA-Parser-JS, an npm package with millions of weekly downloads, which was briefly compromised with crypto mining and password-exfiltration malware.

Two-factor authentication is also planned for high-impact packages. That is, packages with more than 1 million weekly downloads or 500 dependencies. That’s a good start, but again, it’s not enough. All npm accounts need 2FA protection.

Minimize the Attack Surface

Now, 2FA isn’t perfect. Far from it! And, we also know that many developers hate using 2FA, but it’s so, so much better than the alternative.

Consider though if you were a hacker how much easier it would be to attack someone’s account who wasn’t using 2FA? Guess what? It turns out that, until recently, you could automatically find out whether someone had 2FA enabled. If your npm projects are widely used, you might as well put a target on your back.

So it is that Aqua Security strongly suggests as developers we minimize our attack surfaces and make account takeover more challenging for attackers. “Otherwise, the results can be damaging to the whole community.” In particular, “we strongly encourage developers who contribute to open source and create packages to enable 2FA on all their accounts.”

To that, I can only say, “Amen!”

TRENDING STORIES
Steven J. Vaughan-Nichols, aka sjvn, has been writing about technology and the business of technology since CP/M-80 was the cutting-edge PC operating system, 300bps was a fast internet connection, WordStar was the state-of-the-art word processor, and we liked it.
Read more from Steven J. Vaughan-Nichols
SHARE THIS STORY
TRENDING STORIES
Aqua Security is a sponsor of The New Stack.
TNS owner Insight Partners is an investor in: Aqua Security.
SHARE THIS STORY
TRENDING STORIES
TNS DAILY NEWSLETTER Receive a free roundup of the most recent TNS articles in your inbox each day.
The New Stack does not sell your information or share it with unaffiliated third parties. By continuing, you agree to our Terms of Use and Privacy Policy.