Skip to content
WhySoGeek.
Cybersecurity

Harden Your npm Account After the 2026 Attacks

After Shai-Hulud, GitHub is forcing FIDO 2FA and short-lived tokens on npm. Here is what changed and how developers should lock down publishing now.

Sam Carter 8 min read
Cover image for Harden Your npm Account After the 2026 Attacks
Photo: Lachlan Hardy / flickr (BY 2.0)

If you publish an npm package, the rules just changed under you. After a run of worm-like supply chain attacks, GitHub is retiring the loose token model that made those attacks possible. Migrate now on your terms, or scramble to do it when a deadline hits.

Quick answer

Following the Shai-Hulud npm worm and related attacks, GitHub is enforcing FIDO-based 2FA, deprecating TOTP and legacy classic tokens, capping granular tokens at seven days, and adding a staged-publish checkpoint that requires human 2FA approval before any package goes live. Developers should migrate npm accounts to security keys or passkeys and switch to trusted publishing with OIDC instead of long-lived tokens.

Key takeaways

  • FIDO 2FA is becoming mandatory; TOTP one-time codes are being deprecated.
  • Legacy classic tokens are going away, and granular tokens now live only seven days.
  • Staged publishing inserts a human 2FA approval before a package version is downloadable.
  • Trusted publishing via OIDC replaces stored tokens in CI/CD.
  • Migrate to security keys or passkeys and stop shipping directly with npm publish from CI.

Why GitHub is forcing this

The changes are a direct response to attacks that abused the old model. Self-replicating worms like Shai-Hulud spread by stealing a maintainer's publish token, using it to poison their packages, and then harvesting more tokens from anyone who installed the malicious version. Long-lived tokens sitting in CI environments were the fuel.

The old setup had three weaknesses: TOTP codes can be phished in real time, classic tokens rarely expired, and a stolen CI token could publish silently with no human in the loop. GitHub's plan removes all three.

What is actually changing

Here is the before-and-after, so you know exactly what to adjust.

AreaOld behaviorNew requirement
2FA methodTOTP app codes allowedFIDO security keys or passkeys (WebAuthn)
Access tokensClassic tokens, often no expiryClassic tokens deprecated; granular tokens expire in 7 days
CI/CD publishingLong-lived token in the pipelineTrusted publishing via OIDC, no stored secret
Going livenpm publish makes it public instantlyStaged publish, then human 2FA approval

The staged-publish step is the biggest cultural shift. Any npm publish or npm stage publish, automated or manual, now drops the tarball into a staging queue. A human maintainer must separately authenticate with 2FA and explicitly approve before the version becomes downloadable. A stolen CI token alone can no longer push a malicious release to the world.

A developer terminal showing code, representing npm package publishing from the command line
Photo: ajmexico / flickr (BY 2.0)

Migrate to FIDO 2FA

TOTP is being phased out because it is phishable. FIDO credentials are not, because the key checks the site's real origin before it will sign in.

  • Add a hardware security key (such as a YubiKey) or a passkey to your npm and GitHub accounts under two-factor settings.
  • Remove TOTP as your only method before the deadline so you are not locked out.
  • Keep at least two keys or a backup passkey so a lost device does not lock you out of publishing.

This is the same phishing-resistant approach we recommend for every important account in our security-key MFA guide. For maintainers, it is now table stakes.

Move CI/CD to trusted publishing

The goal is to stop storing a publish secret anywhere an attacker can steal it.

  • Update to npm CLI 11.15.0 or later.
  • Configure trusted publishing with OIDC so your CI proves its identity to npm without a long-lived token.
  • Set OIDC to stage-only mode so direct npm publish from CI is rejected and a human must approve the release.
  • Audit existing tokens and revoke any classic or long-lived tokens you no longer need.

Supply chain attacks have hit far beyond npm this year, from the Nx Console VS Code extension breach to the Klue Salesforce OAuth attack, so treating your publishing pipeline as a high-value target is overdue.

What to do right now

  • Add a FIDO security key or passkey to your npm and GitHub accounts, plus a backup.
  • Remove TOTP-only 2FA before it is deprecated for your account.
  • Upgrade to npm CLI 11.15.0 and configure OIDC trusted publishing in stage-only mode.
  • Revoke classic and long-lived tokens; rely on 7-day granular tokens where a token is still needed.
  • Confirm your release process now requires a human 2FA approval before a version goes public.

Frequently asked questions

Do these changes affect me if I only install packages?

Indirectly, yes. You benefit because malicious releases are now much harder to push, but you do not need to change your own 2FA to install. The migration steps apply if you publish or maintain packages.

Will my automated releases break?

They will if they rely on a long-lived token and direct npm publish. Move to OIDC trusted publishing and staged releases with a human approval step. Once configured, automation still builds and stages; a maintainer just approves the final go-live.

Why not just keep using TOTP?

TOTP codes can be captured by a phishing site in real time and replayed. FIDO keys and passkeys verify the real site's origin cryptographically, so a phishing page cannot use them. That is why GitHub is standardizing on FIDO for maintainers.

What was Shai-Hulud?

Shai-Hulud was a self-replicating npm worm that stole maintainers' publish tokens, injected malicious code into their packages, and used each new infection to harvest more tokens. It is the main reason GitHub moved to short-lived tokens and staged, human-approved publishing.

#supply-chain#developers#2fa

Sources & further reading

Keep reading