Find notable cyber news and cases, enriched with sources, timelines, and signals.

GitHub npm GAT publish-token mitigation guidance

Advisory/Mitigation
First reported
Last updated
Happening score
H score 25
1 unique sources, 1 articles

Summary

Hide ▲

GitHub is steering npm users away from long-lived publish tokens as npm GATs that bypass 2FA lose direct publishing and sensitive-management abilities. The recommended path is to move automated releases to trusted publishing (OIDC) or staged publishing with human approval. GitHub says the changes begin in early August 2026 and continue with a second phase in January 2027, leaving a short window to migrate publishing workflows.

Related Happenings

GitHub npm version 12 hardens installs and token management

Security Tool/Service
H score11 First: 09.07.2026 19:49 Last: 09.07.2026 19:49 Sources 1

How related: GitHub has officially announced the release of npm version 12 with install scripts disabled by default, along with deprecating granular access tokens (GATs) designed to bypass two-factor authentication (2FA).

About this happening: **GitHub** released **npm version 12**, making install-time scripts opt-in by default and tightening **package publishing** controls to reduce **supply-chain risk**. The update al...

GitHub Agentic Workflows indirect prompt injection security flaw

Vulnerability
H score27 First: 07.07.2026 17:04 Last: 07.07.2026 17:04 Sources 1

About this happening: **GitHub Agentic Workflows** has an **indirect prompt injection** flaw that can let a **public issue** leak content from **private repositories** into public comments. The risk is...

Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity

Malware Activity
H score36 First: 26.06.2026 14:05 Last: 26.06.2026 14:05 Sources 1

About this happening: The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...

GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows

Security Tool/Service
H score11 First: 23.06.2026 17:22 Last: 23.06.2026 17:22 Sources 1

About this happening: GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...

Npm v12 default-blocks install scripts, Git dependencies, and remote URLs

Security Tool/Service
H score11 First: 12.06.2026 16:00 Last: 12.06.2026 16:00 Sources 1

About this happening: GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...

Timeline

  1. 09.07.2026 19:49 2 articles · 4h ago

    GitHub limits npm 2FA-bypass tokens and disables install scripts by default

    Initial Disclosure

    GitHub announces npm version 12 with install scripts disabled by default, making dependency lifecycle scripts and implicit node-gyp builds opt-in, and restricting granular access tokens that bypass 2FA so they cannot perform sensitive account, package, or organization management actions or publish directly. Developers are told to move automated publishing to trusted publishing (OIDC) or staged publishing with human approval, while the token changes are expected to roll out in early August 2026 and January 2027.

    Show sources