Trusted Publishing
-
Malicious Rust crates impersonating fast_log steal Solana and Ethereum wallet keys, researchers say
Cybersecurity researchers say two malicious Rust crates impersonating the fast_log logging library were used to harvest Solana and Ethereum wallet keys from source code, with Crates.io removing the packages and preserving logs for analysis after responsible disclosure.
-
GitHub outlines changes to harden npm after self-replicating worm incident
GitHub said a self-replicating “Shai-Hulud” worm compromised maintainer accounts and injected malicious post-install scripts into npm packages, and outlined changes including required 2FA, short-lived granular tokens and trusted publishing to harden npm’s supply chain.
-
GitHub Tightens npm Publishing Security with 2FA, Short-Lived Tokens and Trusted Publishing
GitHub announced a sweeping set of security measures for npm publishing, including deprecating legacy tokens, migrating to FIDO-based 2FA, and introducing seven-day, short-lived granular tokens plus trusted publishing that uses OpenID Connect and cryptographic provenance attestations to bolster npm’s supply-chain security.
