{“lastseen”:”2026-05-23T16:48:55″,”description”:”\\n\\nGitHub has rolled out new controls for npm to improve the security of the software supply chain, giving maintainers the ability to explicitly approve a release prior to the packages becoming publicly available for installation.\\n\\nCalled staged publishing, the feature is now generally available on npm. It mandates that a human maintainer pass a two-factor authentication (2FA) challenge to approve a package before it is pushed to the npmjs[.]com.\\n\\n\\”Instead of a direct publish that immediately makes a package version available to consumers, the prebuilt tarball is uploaded to a stage queue where a maintainer must explicitly approve it before it becomes installable,\\” GitHub said.\\n\\nThe Microsoft-owned subsidiary said the change ensures \\”proof of presence\\” for every publish, including those that come from non-interactive CI\/CD workflows and trusted publishing with OpenID Connect (OIDC) authentication.\\n\\nBefore using staged publishing, package maintainers have to meet the following criteria -\\n\\n * Have publish access to the package\\n * Package already exists on the npm registry, meaning a brand new package cannot be staged\\n * 2FA is enabled for the account\\n\\n\\n\\nDevelopers can use the command \\”npm stage publish\\” from the root directory of the package to submit it to a staging area. To use this command, it’s essential to update to npm CLI 11.15.0 or newer. For optimal protection, GitHub is recommending that staged publishing be paired with trusted publishing using OIDC.\\n\\nA second update focused on npm relates to the introduction of three new install source flags alongside the existing -allow-git flag -\\n\\n * \\\\–allow-file: Controls installs from local file paths and local tarballs\\n * \\\\–allow-remote: Controls installs from remote URLs, including https tarballs\\n * \\\\–allow-directory: Controls installs from local directories\\n\\n\\n\\nThe flags allow developers to \\”apply the same explicit-allowlist approach to every non-registry install source,\\” GitHub said.\\n\\nThe development comes amid a massive surge in software supply chain attacks targeting open-source ecosystems over the past few months, with one cybercriminal group known as TeamPCP engaging in poisoning popular packages at an unprecedented scale through a self-perpetuating cycle of compromises.\\n\\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\\n”,”published”:”2026-05-23T16:35:00″,”modified”:”2026-05-23T16:35:10″,”type”:”thn”,”title”:”npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks”,”source”:””,”references”:””,”id”:”THN:1F5DB06F0A1CBAE3C17369D47934772C”,”bulletinFamily”:”info”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/thehackernews.com\/2026\/05\/npm-adds-2fa-gated-publishing-and.html”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-23T16:48:55″,”description”:”\\n\\nGitHub has rolled out new controls for npm to improve the security of the software supply chain, giving maintainers the ability to explicitly approve a…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,11,43,5],"class_list":["post-56522","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n