GitHub has improved supply-chain security by adding a new icon on GitHub Actions that marks npm packages with their source and a corresponding link.
Until now, developers could find the right npm package, but they had no way to tell whether it was actually built from its source code. By introducing provenance, npm packages can be verified for traceability back to their source.
As for GitHub's motivation for this change, the official press release notes that attackers have been targeting popular npm packages such as UAParser.js, Command-Option-Argument, and RC for the past few years.
These attacks do not corrupt the source code itself; instead, developers who install the modified, malicious packages can unknowingly pass the compromise on to their projects and downstream consumers.