GitHub npm GAT publish-token mitigation guidance
Advisory/Mitigation
Summary
Hide ▲
Show ▼
GitHub is steering npm users away from long-lived publish tokens as npm GATs that bypass 2FA lose direct publishing and sensitive-management abilities. The recommended path is to move automated releases to trusted publishing (OIDC) or staged publishing with human approval. GitHub says the changes begin in early August 2026 and continue with a second phase in January 2027, leaving a short window to migrate publishing workflows.
Related Happenings
GitHub npm version 12 hardens installs and token management
Security Tool/Service
H score11
First: 09.07.2026 19:49
Last: 09.07.2026 19:49
Sources 1
How related:
GitHub has officially announced the release of npm version 12 with install scripts disabled by default, along with deprecating granular access tokens (GATs) designed to bypass two-factor authentication (2FA).
About this happening:
**GitHub** released **npm version 12**, making install-time scripts opt-in by default and tightening **package publishing** controls to reduce **supply-chain risk**. The update al...
GitHub npm version 12 hardens installs and token management
Security Tool/ServiceHow related: GitHub has officially announced the release of npm version 12 with install scripts disabled by default, along with deprecating granular access tokens (GATs) designed to bypass two-factor authentication (2FA).
About this happening: **GitHub** released **npm version 12**, making install-time scripts opt-in by default and tightening **package publishing** controls to reduce **supply-chain risk**. The update al...
GitHub Agentic Workflows indirect prompt injection security flaw
Vulnerability
H score27
First: 07.07.2026 17:04
Last: 07.07.2026 17:04
Sources 1
About this happening:
**GitHub Agentic Workflows** has an **indirect prompt injection** flaw that can let a **public issue** leak content from **private repositories** into public comments. The risk is...
GitHub Agentic Workflows indirect prompt injection security flaw
VulnerabilityAbout this happening: **GitHub Agentic Workflows** has an **indirect prompt injection** flaw that can let a **public issue** leak content from **private repositories** into public comments. The risk is...
Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity
Malware Activity
H score36
First: 26.06.2026 14:05
Last: 26.06.2026 14:05
Sources 1
About this happening:
The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...
Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity
Malware ActivityAbout this happening: The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...
GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows
Security Tool/Service
H score11
First: 23.06.2026 17:22
Last: 23.06.2026 17:22
Sources 1
About this happening:
GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...
GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows
Security Tool/ServiceAbout this happening: GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...
Npm v12 default-blocks install scripts, Git dependencies, and remote URLs
Security Tool/Service
H score11
First: 12.06.2026 16:00
Last: 12.06.2026 16:00
Sources 1
About this happening:
GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...
Npm v12 default-blocks install scripts, Git dependencies, and remote URLs
Security Tool/ServiceAbout this happening: GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...
Timeline
-
09.07.2026 19:49 2 articles · 4h ago
GitHub limits npm 2FA-bypass tokens and disables install scripts by default
Initial DisclosureGitHub announces npm version 12 with install scripts disabled by default, making dependency lifecycle scripts and implicit node-gyp builds opt-in, and restricting granular access tokens that bypass 2FA so they cannot perform sensitive account, package, or organization management actions or publish directly. Developers are told to move automated publishing to trusted publishing (OIDC) or staged publishing with human approval, while the token changes are expected to roll out in early August 2026 and January 2027.
Show sources
- npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk — thehackernews.com — 09.07.2026 19:49
- npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk — thehackernews.com — 09.07.2026 19:49