npm's Token Overhaul Reduces but Doesn't Eliminate Risk
🔒 In December 2025 npm completed a major credential overhaul, revoking long‑lived classic tokens and moving to short‑lived session tokens and OIDC Trusted Publishing to reduce supply‑chain risk. While MFA by default and ephemeral per‑run CI credentials limit exposure, optional 90‑day tokens that bypass MFA and successful MFA phishing still permit rapid malicious publishes. Developers should favor OIDC, avoid long‑lived bypassable tokens, and enforce MFA-on-publish where possible to further harden the ecosystem.
