Securing Your npm and PyPI Packages Against Supply Chain Attacks: A Proactive Guide
Introduction
In May 2024, the TeamPCP threat group orchestrated a sophisticated software supply chain attack that compromised over 170 npm and PyPI packages within hours. The attack targeted widely-used libraries such as the entire TanStack Router ecosystem, Mistral AI's SDK suite, and Guardrails AI, among others. The attackers exploited automated release pipeline vulnerabilities, particularly the pull_request_target trigger in GitHub Actions, to steal maintainer tokens and inject malicious code. This guide details step-by-step measures to harden your package release pipelines and prevent similar compromises. By understanding the attack’s mechanics and implementing robust security practices, you can protect your projects and your users.

What You Need
- A GitHub account with access to repositories hosting npm/PyPI packages
- Administrator or maintainer privileges on the target package repositories
- Basic familiarity with GitHub Actions and CI/CD configuration
- Access to package registry accounts (npm, PyPI) with two-factor authentication (2FA) enabled
- A code editor or GitHub web interface for editing YAML workflow files
- Optional: Automated security scanning tools (e.g., Aikido Security, SafeDep, or OSSF Scorecard)
Step-by-Step Guide to Securing Your Package Release Pipeline
Step 1: Audit Your Current GitHub Actions Workflows
Begin by reviewing all GitHub Actions workflow files (typically .github/workflows/*.yml) in your repositories. Identify any workflows that use the pull_request_target trigger. This trigger was the attack vector in the TeamPCP incident, as it runs workflows in the context of the main repository, exposing secrets and OIDC tokens. To audit, go to your repository, navigate to the Actions tab, and inspect each workflow. If you find pull_request_target, replace it with safer alternatives: pull_request (which runs in the forked context) or workflow_dispatch for manual triggers. For essential checks requiring secret access, use pull_request_target only with explicit `on` conditions, and never combine it with `pull_request` merged events.
Step 2: Restrict the Use of Automatic Approval for Third-Party Workflows
The original attack exploited maintainer fatigue by auto-approving workflows from forks. Prevent this by disabling the Auto-merge and Automatic approval features in your repository settings. Instead, require manual review for any workflow run that originates from a forked pull request. Navigate to Settings > Actions > General, and under Fork pull request workflows, select Require approval for first-time contributors. Additionally, enable Read and write permissions only for trusted contributors and reduce token scopes to the minimum necessary.
Step 3: Enforce Short-Lived Credentials with Strict Permissions
TeamPCP stole OIDC tokens by scraping them from the workflow environment. To mitigate this, ensure that all tokens (GitHub secrets, npm tokens, PyPI tokens) are short-lived and scoped exclusively to the required action. For npm, generate automation tokens with limited access (publish-only) and set their expiration to 24 hours or less. For PyPI, use API tokens instead of passwords, and configure them with minimal scopes. In your workflow YAML, define permissions at the job level to avoid exposing tokens across jobs. Example:
```yaml
jobs:
  publish:
    permissions:
      contents: read
      packages: write
      id-token: write
```
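The audit in Step 1 and the least-privilege check in Step 3 can be run as a script instead of clicking through the Actions tab. The following is an added example, not a tool from this article: a line-oriented heuristic (no YAML library needed, so it can miss unusual layouts) that flags a `pull_request_target` trigger, escalates when the workflow also checks out the pull request's head or references secrets, and reports workflows with no `permissions` block or with `permissions: write-all`. The two workflow texts are constructed samples; the regexes, `Finding` type and function names are this example's own.

```python
"""Static audit of GitHub Actions workflow files for the patterns Steps 1 and 3
warn about. Added example, not a tool from the article; it is a line-oriented
heuristic that needs no YAML library, so it may miss exotic layouts."""
import glob
import os
import re
from dataclasses import dataclass

# Trigger that runs the workflow in the base repository's context (with secrets).
PRT_TRIGGER = re.compile(r"\bpull_request_target\b")
# Checkout of the pull request's own head: code from the fork gets executed.
PR_HEAD_CHECKOUT = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}")
# Any secrets.* expression in the workflow.
SECRET_USE = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")
PERMISSIONS_BLOCK = re.compile(r"^\s*permissions:", re.M)
WRITE_ALL = re.compile(r"^\s*permissions:\s*write-all\s*$", re.M)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    message: str


def audit_workflow(text: str) -> list:
    """Return findings for one workflow file's text."""
    findings = []
    uses_prt = bool(PRT_TRIGGER.search(text))
    runs_pr_head = bool(PR_HEAD_CHECKOUT.search(text))
    uses_secrets = bool(SECRET_USE.search(text))
    if uses_prt and runs_pr_head:
        findings.append(Finding("high", "pull_request_target checks out the PR head: "
                                "fork code runs with the base repo's secrets and token"))
    elif uses_prt and uses_secrets:
        findings.append(Finding("high", "pull_request_target workflow references secrets; "
                                "switch to pull_request or workflow_dispatch"))
    elif uses_prt:
        findings.append(Finding("medium", "pull_request_target in use; confirm it never "
                                "builds or runs code from the fork"))
    if WRITE_ALL.search(text):
        findings.append(Finding("high", "permissions: write-all gives GITHUB_TOKEN every scope"))
    elif not PERMISSIONS_BLOCK.search(text):
        findings.append(Finding("medium", "no permissions block: GITHUB_TOKEN gets the "
                                "repository default; declare least privilege per job"))
    return findings


def worst_severity(findings) -> str:
    rank = {"high": 2, "medium": 1}
    return max((f.severity for f in findings), key=rank.get, default="none")


def audit_directory(workflow_dir=".github/workflows") -> dict:
    """Audit every workflow file under workflow_dir; returns {path: findings}."""
    results = {}
    for path in sorted(glob.glob(os.path.join(workflow_dir, "*.y*ml"))):
        with open(path, encoding="utf-8") as fh:
            results[path] = audit_workflow(fh.read())
    return results


# Constructed samples (not from any real repository).
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
  workflow_dispatch:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
  publish:
    if: github.event_name == 'workflow_dispatch'
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - run: npm publish --provenance --access public
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        findings = audit_workflow(text)
        print(name, worst_severity(findings))
        for f in findings:
            print("  [{}] {}".format(f.severity, f.message))
```

Run `audit_directory()` from the repository root to get findings per file; anything rated high should block the workflow from merging until it is rewritten along the lines of the hardened sample, where fork pull requests get only a read-only token and publishing happens in a separate, manually dispatched job with its own minimal permissions.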
Step 4: Implement Strict Branch Protection Rules
Attackers in the TeamPCP incident used pull_request_target to run code from malicious forks. Strengthen your branch protection rules for main or release branches. Go to Settings > Branches, add a rule, and enable Require pull request reviews (preferably from multiple maintainers). Also require status checks to pass before merging, and disable Allow force pushes and Allow deletions. This prevents unauthorized changes from being merged even if an attacker gains commit access.
Step 5: Rotate All Credentials Used in Release Pipelines
After auditing workflows, assume that any token used in the pipeline could have been exposed. Rotate all npm tokens, PyPI tokens, GitHub PATs, and OIDC configuration. For npm, revoke old tokens via npm token revoke <id> and create new ones. For PyPI, revoke existing API tokens and generate fresh ones. Update your GitHub secrets with these new values. Also, rotate any cloud credentials (AWS, Azure, GCP keys) referenced in workflows, as the malware was designed to steal those as well.
Step 6: Add Malware Detection and Integrity Checks in Your Pipeline
To catch malicious injections like Mini Shai-Hulud, integrate automated security scanning into your CI/CD pipeline. Use tools such as SafeDep, Aikido Security, or OSSGadget to scan for known malware signatures and suspicious code patterns. Add a step in your workflow that runs a dependency diff before publication. For example, use npm diff to compare the package before and after build, or pip freeze to check for unexpected dependencies. If any anomalies are detected, halt the release immediately.
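The dependency diff described in Step 6 can be a small pre-publish gate rather than a manual comparison. The following is an added example, not code from the article: it parses `pip freeze` output and npm `package-lock.json` (lockfileVersion 2/3) into name-to-version maps, diffs the build's set against the committed baseline, and refuses the release when a package outside an allowlist appears or a pinned version changed. The sample freeze output and lock documents are constructed; the function names are this example's own.

```python
"""Pre-publish dependency diff for Step 6: compare the dependency set of the
build that is about to be published against the committed baseline and refuse
to release when anything unexpected appears. Added example, not part of the
article; it handles `pip freeze` output and npm package-lock.json (v2/v3)."""
import json
import re

FREEZE_LINE = re.compile(r"([A-Za-z0-9_.\-]+)==(\S+)")


def normalize(name: str) -> str:
    # PEP 503 style normalisation so "Foo_Bar" and "foo-bar" compare equal
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_freeze(text: str) -> dict:
    """`pip freeze` output -> {name: version}; comments and unpinned lines are skipped."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = FREEZE_LINE.fullmatch(line)
        if m:
            deps[normalize(m.group(1))] = m.group(2)
    return deps


def parse_package_lock(text: str) -> dict:
    """package-lock.json (lockfileVersion 2/3) -> {name: version} for installed packages.
    Nested copies of the same package collapse to one key."""
    doc = json.loads(text)
    deps = {}
    for path, meta in doc.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        deps[name] = meta.get("version", "")
    return deps


def diff_dependencies(baseline: dict, current: dict) -> dict:
    return {
        "added": {n: v for n, v in current.items() if n not in baseline},
        "removed": {n: v for n, v in baseline.items() if n not in current},
        "changed": {n: (baseline[n], current[n])
                    for n in baseline if n in current and baseline[n] != current[n]},
    }


def release_allowed(baseline: dict, current: dict, allowlist=()) -> tuple:
    """(ok, report): ok is False when a package outside the allowlist was added
    or any pinned version changed; removed packages are reported but allowed."""
    report = diff_dependencies(baseline, current)
    unexpected = {n: v for n, v in report["added"].items() if n not in allowlist}
    ok = not unexpected and not report["changed"]
    report["unexpected"] = unexpected
    return ok, report


# Constructed samples.
BASELINE_FREEZE = "requests==2.31.0\ncertifi==2024.2.2\nidna==3.6\n"
BUILD_FREEZE = "requests==2.31.0\ncertifi==2024.2.2\nidna==3.6\nunexpected-helper==0.0.1\n"
BASELINE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo"},
    "node_modules/left-pad": {"version": "1.3.0"},
}})
BUILD_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/left-pad/node_modules/tiny-dep": {"version": "9.9.9"},
}})

if __name__ == "__main__":
    import sys
    ok, report = release_allowed(parse_freeze(BASELINE_FREEZE), parse_freeze(BUILD_FREEZE))
    print("pip:", "release allowed" if ok else "HALT", report["unexpected"])
    ok2, report2 = release_allowed(parse_package_lock(BASELINE_LOCK),
                                   parse_package_lock(BUILD_LOCK))
    print("npm:", "release allowed" if ok2 else "HALT", report2["unexpected"])
    sys.exit(0 if ok and ok2 else 1)
```

In a pipeline the baseline comes from the lock file checked into the release branch and the current set from `pip freeze` or the regenerated `package-lock.json` in the build container; a non-zero exit halts the publish step, which is the behaviour Step 6 asks for.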

Step 7: Monitor for Anomalous Activity in Package Registries
Set up monitoring alerts for your packages on npm and PyPI. Use webhooks or third-party services to notify you of any new releases, especially if multiple versions appear in a short time (as happened with the 373 package versions in the attack). For npm, you can enable Package notifications via email or Slack. For PyPI, use Twine with PyPI Security to monitor for unexpected publishes. Additionally, enable audit logs in GitHub to track changes to repository settings and workflow files.
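Step 7's signal of many versions appearing in a short time can be checked against the registries' own metadata. The following is an added example, not code from the article: it reads the `time` map of an npm packument (the document served by registry.npmjs.org for a package) and the `releases` map of PyPI's JSON API (pypi.org/pypi/<package>/json), both of which carry per-version publish timestamps, and reports the densest publish window when it holds at least a threshold number of versions. The two documents below are constructed samples, no network is used, and `largest_burst` and the other function names are this example's own.

```python
"""Burst detector for Step 7: flag a package when several versions are published
within a short window. Added example, not from the article. It reads the shape
of two real registry documents, the npm packument's "time" map and the PyPI JSON
API's "releases" map; the samples below are constructed and no network is used."""
from datetime import datetime, timedelta, timezone


def parse_ts(value: str) -> datetime:
    # Both registries emit ISO 8601 with a trailing Z; make it a tz-aware datetime.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def versions_from_npm(packument: dict) -> list:
    """[(version, published_at)] from an npm packument's "time" map."""
    return [(v, parse_ts(t)) for v, t in packument.get("time", {}).items()
            if v not in ("created", "modified")]


def versions_from_pypi(doc: dict) -> list:
    """[(version, first_upload_at)] from the PyPI JSON API's "releases" map."""
    out = []
    for version, files in doc.get("releases", {}).items():
        if files:  # releases with no files carry no upload timestamp
            out.append((version, min(parse_ts(f["upload_time_iso_8601"]) for f in files)))
    return out


def largest_burst(events, window=timedelta(hours=1), threshold=3) -> list:
    """Versions inside the densest publish window, or [] if fewer than
    `threshold` versions appeared within any `window`. Two-pointer sliding scan."""
    events = sorted(events, key=lambda e: e[1])
    best, j = [], 0
    for i in range(len(events)):
        j = max(j, i)
        while j + 1 < len(events) and events[j + 1][1] - events[i][1] <= window:
            j += 1
        if j - i + 1 >= threshold and j - i + 1 > len(best):
            best = [v for v, _ in events[i:j + 1]]
    return best


# Constructed sample documents.
NPM_SAMPLE = {"name": "example-pkg", "time": {
    "created": "2024-01-10T09:00:00.000Z",
    "1.0.0": "2024-01-10T09:00:00.000Z",
    "1.0.1": "2024-03-02T14:30:00.000Z",
    "1.0.2": "2024-05-20T10:00:00.000Z",
    "1.0.3": "2024-05-20T10:05:00.000Z",
    "1.0.4": "2024-05-20T10:11:00.000Z",
    "1.0.5": "2024-05-20T10:18:00.000Z",
    "modified": "2024-05-20T10:18:00.000Z",
}}
PYPI_SAMPLE = {"info": {"name": "example-pkg"}, "releases": {
    "0.1.0": [{"upload_time_iso_8601": "2024-02-01T12:00:00.000000Z"}],
    "0.2.0": [{"upload_time_iso_8601": "2024-04-15T08:20:00.000000Z"},
              {"upload_time_iso_8601": "2024-04-15T08:21:00.000000Z"}],
    "0.3.0": [{"upload_time_iso_8601": "2024-06-30T16:45:00.000000Z"}],
}}

if __name__ == "__main__":
    for label, events in (("npm", versions_from_npm(NPM_SAMPLE)),
                          ("pypi", versions_from_pypi(PYPI_SAMPLE))):
        burst = largest_burst(events)
        print(label, "ALERT: %d versions in one window: %s" % (len(burst), burst)
              if burst else "no burst")
```

Run it on a schedule against the packages you maintain and page the on-call maintainer on any alert; a burst you did not schedule is the moment to move to Step 5 and rotate credentials.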
Step 8: Educate Your Maintainers and Implement a Dead Man's Switch Response
The TeamPCP malware installed a “dead man’s switch” that deleted home directories if tokens were revoked. Prepare a response plan: if you suspect a token compromise, immediately revoke the token, but be aware that the malware may trigger destructive actions. To counter this, maintain isolated build environments (e.g., temporary Docker containers or ephemeral runners) that can be destroyed without affecting the developer’s local machine. Train maintainers to recognize phishing attempts and to never approve pull requests that modify workflow files without thorough review.
Step 9: Leverage Open Source Security Frameworks
Adopt frameworks like Supply-Chain Levels for Software Artifacts (SLSA) and OpenSSF Scorecard to formalize your security posture. SLSA provides a ladder of security levels; aim for Level 3 or higher, which requires verifiable provenance and no access to secrets from forks. Scorecard generates a badge for your repository, highlighting areas of weakness. Integrate these checks into your repository to continuously improve.
Tips for Long-Term Protection
- Use separate accounts for personal and package maintenance work – compartmentalize your GitHub and registry accounts, don’t reuse tokens.
- Employ code signing for your packages to ensure integrity; npm supports package signing with npm sign.
- Keep your CI/CD environment ephemeral – use GitHub-hosted runners or self-hosted runners that are destroyed after each job.
- Enable two-factor authentication (2FA) for all maintainer accounts on GitHub, npm, and PyPI.
- Regularly audit your repositories for unused workflows, stale secrets, and outdated dependencies – automation tools like Dependabot can help.
- Stay informed about emerging threats by subscribing to security advisories from npm, PyPI, and organizations like OSSF.
- Test your response plan with tabletop exercises simulating a supply chain attack; practice revoking tokens and reverting malicious releases.
By systematically applying these steps, you can significantly reduce the risk of falling victim to a supply chain attack like the one orchestrated by TeamPCP. The key is to treat every release pipeline as a potential vector and enforce strict, minimal permissions. Remember, security is not a one-time fix but an ongoing process – stay vigilant!