npm enforces staged package publishing with 2FA approval and install source controls
Summary
npm introduced staged publishing, which requires maintainers to approve package releases via two-factor authentication (2FA) before they become publicly available, providing proof of presence for every publish, including those from CI/CD and OIDC workflows. npm also added three install source flags (--allow-file, --allow-remote, --allow-directory) that explicitly control non-registry install sources, replacing the single --allow-git flag. These measures target ongoing supply chain attack campaigns, such as those attributed to TeamPCP, which have escalated across open-source ecosystems.
Timeline
- 23.05.2026 19:35 · 1 article
  npm enforces 2FA-gated staged publishing and expands install source controls
  npm introduced staged publishing, which requires maintainers to approve package releases via 2FA before publication. New install source flags (--allow-file, --allow-remote, --allow-directory) were added to control non-registry installations, replacing the --allow-git flag.
  Sources:
  - npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks — thehackernews.com — 23.05.2026 19:35
Information Snippets
- Staged publishing requires maintainers to approve package releases via 2FA before they become publicly available on npmjs.com.
  First reported: 23.05.2026 19:35 (1 source, 1 article)
  - npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks — thehackernews.com — 23.05.2026 19:35
- Staged publishing applies only to existing packages for which the maintainer has publish access and 2FA enabled; new packages cannot use the feature.
  First reported: 23.05.2026 19:35 (1 source, 1 article)
  - npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks — thehackernews.com — 23.05.2026 19:35
- npm CLI version 11.15.0 or newer is required to use the npm stage publish command, which submits packages to the staging queue.
  First reported: 23.05.2026 19:35 (1 source, 1 article)
  - npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks — thehackernews.com — 23.05.2026 19:35
- GitHub recommends pairing staged publishing with trusted publishing via OpenID Connect (OIDC) for the strongest protection.
  First reported: 23.05.2026 19:35 (1 source, 1 article)
  - npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks — thehackernews.com — 23.05.2026 19:35
- New install source flags (--allow-file, --allow-remote, --allow-directory) replace the --allow-git flag to control non-registry install sources.
  First reported: 23.05.2026 19:35 (1 source, 1 article)
  - npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks — thehackernews.com — 23.05.2026 19:35
- TeamPCP has been observed conducting large-scale package poisoning attacks in open-source ecosystems, driving the urgency for these controls.
  First reported: 23.05.2026 19:35 (1 source, 1 article)
  - npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks — thehackernews.com — 23.05.2026 19:35