npm Enhances Supply Chain Security with Authentication Overhaul
Summary
In December 2025, npm completed a major authentication overhaul to reduce supply-chain attacks following the Shai-Hulud incident. The update revokes classic tokens and defaults to short-lived session-based tokens, improves token management, and encourages OIDC Trusted Publishing. The changes are aimed at attacks like the one on ChalkJS, where MFA phishing led to malicious package uploads. Risks remain, however: MFA for publishing is optional, long-lived tokens can still be issued, and MFA phishing is still possible. Recommendations include enforcing MFA for local package uploads and adding metadata to package releases to strengthen verification.
Timeline
- 13.02.2026 12:45 · 1 article
npm Completes Authentication Overhaul to Mitigate Supply-Chain Attacks
In December 2025, npm completed a major authentication overhaul to reduce supply-chain attacks. The update includes revoking classic tokens, defaulting to session-based tokens, and encouraging OIDC Trusted Publishing. Despite these improvements, risks remain due to optional MFA for publishing and potential MFA phishing attacks. Recommendations include enforcing MFA for local package uploads and adding metadata to package releases to enhance security.
- npm’s Update to Harden Their Supply Chain, and Points to Consider — thehackernews.com — 13.02.2026 12:45
Information Snippets
- npm revoked all classic tokens and defaulted to session-based tokens, which are short-lived and typically expire in two hours.
First reported: 13.02.2026 12:45 · 1 source, 1 article
- npm’s Update to Harden Their Supply Chain, and Points to Consider — thehackernews.com — 13.02.2026 12:45
- npm now defaults to requiring MFA for publishing, but the requirement is optional: developers can still create 90-day tokens with MFA bypass enabled.
First reported: 13.02.2026 12:45 · 1 source, 1 article
- npm’s Update to Harden Their Supply Chain, and Points to Consider — thehackernews.com — 13.02.2026 12:45
- OIDC Trusted Publishing is encouraged: CI systems obtain short-lived, per-run credentials instead of storing long-lived secrets at rest.
First reported: 13.02.2026 12:45 · 1 source, 1 article
- npm’s Update to Harden Their Supply Chain, and Points to Consider — thehackernews.com — 13.02.2026 12:45
- MFA phishing attacks remain a risk, as seen in the ChalkJS incident, where a maintainer was tricked into sharing login credentials and a one-time password.
First reported: 13.02.2026 12:45 · 1 source, 1 article
- npm’s Update to Harden Their Supply Chain, and Points to Consider — thehackernews.com — 13.02.2026 12:45
- 98.5% of malicious packages on npm had malware only in the published artifact, not in the upstream source code.
First reported: 13.02.2026 12:45 · 1 source, 1 article
- npm’s Update to Harden Their Supply Chain, and Points to Consider — thehackernews.com — 13.02.2026 12:45
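The last snippet is the reason reviewers are advised to compare what was published against what is in the repository. The script below is an added example, not code from the article or from npm: it audits an npm-style tarball against a source tree, reporting files that exist only in the artifact, files whose contents differ, and `npm install` lifecycle hooks (`preinstall`, `install`, `postinstall`) that appear only in the published `package.json`. The tarball and the source tree are constructed in memory so the check runs offline; the file names and contents are made up for the demonstration. In real use you would feed it the output of `npm pack <name>@<version>` and a checkout of the matching tag.

```python
"""Audit a published npm tarball against the source tree it claims to come from.

Added example (not from the article). The fixture data below is constructed;
the file names, contents and the hypothetical 'setup.js' payload are invented
purely to exercise the check.
"""
import hashlib
import io
import json
import tarfile

# npm tarballs place every file under a top-level "package/" directory.
PREFIX = "package/"

# Lifecycle scripts that run automatically on `npm install`. A hook that exists
# only in the artifact (and not in the source tree) is a strong red flag.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_tarball(files: dict) -> bytes:
    """Build an npm-style .tgz in memory (fixture helper, constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(PREFIX + name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def install_hooks(tree: dict) -> dict:
    """Return the install-time lifecycle scripts declared in a tree's package.json."""
    try:
        manifest = json.loads(tree.get("package.json", b"{}"))
    except json.JSONDecodeError:
        return {}
    scripts = manifest.get("scripts", {}) if isinstance(manifest, dict) else {}
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def audit_tarball(tgz: bytes, source: dict) -> dict:
    """Compare a published tarball with a source tree ({path: bytes}).

    Returns files added to the artifact, files whose hash differs from the
    source, and install hooks that are present or changed only in the artifact.
    """
    artifact = {}
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.startswith(PREFIX):
                continue
            artifact[member.name[len(PREFIX):]] = tar.extractfile(member).read()

    added = sorted(n for n in artifact if n not in source)
    modified = sorted(
        n for n in artifact if n in source and sha256(artifact[n]) != sha256(source[n])
    )
    src_hooks = install_hooks(source)
    new_hooks = {k: v for k, v in install_hooks(artifact).items() if src_hooks.get(k) != v}
    return {"added": added, "modified": modified, "new_install_hooks": new_hooks}


# --- Constructed fixture: a clean source tree and a tampered published artifact ---
SOURCE_TREE = {
    "package.json": json.dumps({
        "name": "example-pkg", "version": "1.0.0",
        "scripts": {"test": "node test.js"},
    }).encode(),
    "index.js": b"module.exports = () => 'hello';\n",
}

ARTIFACT_TGZ = build_tarball({
    "package.json": json.dumps({
        "name": "example-pkg", "version": "1.0.0",
        "scripts": {"test": "node test.js", "postinstall": "node setup.js"},
    }).encode(),
    "index.js": b"module.exports = () => 'hello';\n",
    "setup.js": b"// hypothetical payload that was never in the repository\n",
})

if __name__ == "__main__":
    print(json.dumps(audit_tarball(ARTIFACT_TGZ, SOURCE_TREE), indent=2))
```

The comparison is by content hash, so it does not depend on file timestamps or ordering inside the tarball. Note that `.npmignore` and the `files` field legitimately remove files from the artifact, which is why only files added to or changed in the artifact are reported, not files missing from it.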