Harden Your npm Account After the 2026 Attacks
After Shai-Hulud, GitHub is forcing FIDO 2FA and short-lived tokens on npm. Here is what changed and how developers should lock down publishing now.

If you publish an npm package, the rules just changed under you. After a run of worm-like supply chain attacks, GitHub is retiring the loose token model that made those attacks possible. Migrate now on your terms, or scramble to do it when a deadline hits.
Quick answer
Following the Shai-Hulud npm worm and related attacks, GitHub is enforcing FIDO-based 2FA, deprecating TOTP and legacy classic tokens, capping granular tokens at seven days, and adding a staged-publish checkpoint that requires human 2FA approval before any package goes live. Developers should migrate npm accounts to security keys or passkeys and switch to trusted publishing with OIDC instead of long-lived tokens.
Key takeaways
- FIDO 2FA is becoming mandatory; TOTP one-time codes are being deprecated.
- Legacy classic tokens are going away, and granular tokens now live only seven days.
- Staged publishing inserts a human 2FA approval before a package version is downloadable.
- Trusted publishing via OIDC replaces stored tokens in CI/CD.
- Migrate to security keys or passkeys and stop shipping directly with
npm publishfrom CI.
Why GitHub is forcing this
The changes are a direct response to attacks that abused the old model. Self-replicating worms like Shai-Hulud spread by stealing a maintainer's publish token, using it to poison their packages, and then harvesting more tokens from anyone who installed the malicious version. Long-lived tokens sitting in CI environments were the fuel.
The old setup had three weaknesses: TOTP codes can be phished in real time, classic tokens rarely expired, and a stolen CI token could publish silently with no human in the loop. GitHub's plan removes all three.
What is actually changing
Here is the before-and-after, so you know exactly what to adjust.
| Area | Old behavior | New requirement |
|---|---|---|
| 2FA method | TOTP app codes allowed | FIDO security keys or passkeys (WebAuthn) |
| Access tokens | Classic tokens, often no expiry | Classic tokens deprecated; granular tokens expire in 7 days |
| CI/CD publishing | Long-lived token in the pipeline | Trusted publishing via OIDC, no stored secret |
| Going live | npm publish makes it public instantly | Staged publish, then human 2FA approval |
The staged-publish step is the biggest cultural shift. Any npm publish or npm stage publish, automated or manual, now drops the tarball into a staging queue. A human maintainer must separately authenticate with 2FA and explicitly approve before the version becomes downloadable. A stolen CI token alone can no longer push a malicious release to the world.

Migrate to FIDO 2FA
TOTP is being phased out because it is phishable. FIDO credentials are not, because the key checks the site's real origin before it will sign in.
- Add a hardware security key (such as a YubiKey) or a passkey to your npm and GitHub accounts under two-factor settings.
- Remove TOTP as your only method before the deadline so you are not locked out.
- Keep at least two keys or a backup passkey so a lost device does not lock you out of publishing.
This is the same phishing-resistant approach we recommend for every important account in our security-key MFA guide. For maintainers, it is now table stakes.
Move CI/CD to trusted publishing
The goal is to stop storing a publish secret anywhere an attacker can steal it.
- Update to npm CLI 11.15.0 or later.
- Configure trusted publishing with OIDC so your CI proves its identity to npm without a long-lived token.
- Set OIDC to stage-only mode so direct
npm publishfrom CI is rejected and a human must approve the release. - Audit existing tokens and revoke any classic or long-lived tokens you no longer need.
Supply chain attacks have hit far beyond npm this year, from the Nx Console VS Code extension breach to the Klue Salesforce OAuth attack, so treating your publishing pipeline as a high-value target is overdue.
What to do right now
- Add a FIDO security key or passkey to your npm and GitHub accounts, plus a backup.
- Remove TOTP-only 2FA before it is deprecated for your account.
- Upgrade to npm CLI 11.15.0 and configure OIDC trusted publishing in stage-only mode.
- Revoke classic and long-lived tokens; rely on 7-day granular tokens where a token is still needed.
- Confirm your release process now requires a human 2FA approval before a version goes public.
Frequently asked questions
Do these changes affect me if I only install packages?
Indirectly, yes. You benefit because malicious releases are now much harder to push, but you do not need to change your own 2FA to install. The migration steps apply if you publish or maintain packages.
Will my automated releases break?
They will if they rely on a long-lived token and direct npm publish. Move to OIDC trusted publishing and staged releases with a human approval step. Once configured, automation still builds and stages; a maintainer just approves the final go-live.
Why not just keep using TOTP?
TOTP codes can be captured by a phishing site in real time and replayed. FIDO keys and passkeys verify the real site's origin cryptographically, so a phishing page cannot use them. That is why GitHub is standardizing on FIDO for maintainers.
What was Shai-Hulud?
Shai-Hulud was a self-replicating npm worm that stole maintainers' publish tokens, injected malicious code into their packages, and used each new infection to harvest more tokens. It is the main reason GitHub moved to short-lived tokens and staged, human-approved publishing.


