npm Security Hardening Advisory: 2FA-Gated Staged Publishing and Install Source Controls Now Available

Scope: npm Ecosystem (All Package Maintainers and CI/CD Pipelines)

Severity: High

In direct response to the wave of supply chain attacks, including the Shai-Hulud campaigns, GitHub has released two major security hardening features in npm CLI 11.15.0. The first is staged publishing, which requires a human maintainer to pass a 2FA challenge before any package version becomes publicly installable. The second is a set of three new install source flags (--allow-file, --allow-remote, --allow-directory) that allow organizations to enforce explicit allowlists on every non-registry install source, blocking dependency confusion and local code execution attack paths by default. npm has also invalidated all granular access tokens with write permissions that bypassed 2FA following the most recent Mini Shai-Hulud wave.

Organizations should upgrade to npm CLI 11.15.0 or newer, migrate CI/CD workflows from static token authentication to OIDC trusted publishing, enable staged publishing on all maintained packages, set default-deny on install flags, and rotate any existing long-lived npm tokens.
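Before setting default-deny on install sources, it helps to know which dependencies already come from outside the registry. The Node.js script below is an added example, not part of this advisory or of npm: it reads the `packages` map of a package-lock.json (lockfileVersion 2 or 3) and lists every non-registry source. The category labels are this example's own (the "file", "remote" and "directory" labels follow the three flag names above, and "git" is an extra category), and the sample lockfile and registry URL are assumptions.

```javascript
// Added example: list non-registry install sources in a package-lock.json
// (lockfileVersion 2 or 3) so they can be reviewed before default-deny is set.
const REGISTRY = "https://registry.npmjs.org/"; // assumption: default public registry

// Category names are this example's own labels, not npm output.
function classifySource(entry, registry = REGISTRY) {
  if (entry.link) return "directory";             // symlink to a local directory
  const r = entry.resolved;
  if (!r) return "unresolved";                    // bundled dep or local workspace folder
  // Trailing slash in REGISTRY stops look-alike hosts such as registry.npmjs.org.example
  if (r.startsWith(registry)) return "registry";
  if (r.startsWith("file:")) return "file";       // local tarball
  if (/^git(\+[a-z]+)?:/.test(r)) return "git";   // git+ssh:, git+https:, git:
  if (/^https?:/.test(r)) return "remote";        // tarball URL outside the registry
  return "unknown";
}

function auditLockfile(lock, registry = REGISTRY) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;                    // root project entry
    const kind = classifySource(entry, registry);
    if (kind === "registry" || kind === "unresolved") continue;
    findings.push({ path, kind, resolved: entry.resolved });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": { resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
    "node_modules/internal-ui": { resolved: "https://registry.npmjs.org.example/internal-ui-2.0.0.tgz" },
    "node_modules/vendored": { resolved: "file:vendor/vendored-0.1.0.tgz" },
    "node_modules/shared": { resolved: "../shared", link: true },
    "node_modules/forked": { resolved: "git+ssh://git@git.example/org/forked.git#0000000" },
    "node_modules/bundled-child": { inBundle: true },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.kind.padEnd(9)} ${f.path} -> ${f.resolved}`);
}
```

To check a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLockfile`, with a second argument if the organization uses a private registry URL.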

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.