npm adds preventive account protection for high-impact accounts - GitHub Changelog
npm now adds a temporary, preventive safeguard for high-impact accounts (those responsible for the registry’s most widely used packages) whenever it detects a sensitive account change, strengthening protection against account-takeover attacks.
When a high-impact account changes its email or uses a 2FA recovery code, the account is placed into a 72-hour read-only state and an alert is sent to the account’s previous email address. This closes an attack vector that recent supply chain attacks have exploited: a compromised account changes its email, mints a new token, and publishes malicious versions.
During the read-only period, you can still install and download packages, view your organizations and teams, and browse account and package settings.
Actions that could affect the registry or the account’s security—such as publishing, managing tokens, changing package visibility, or modifying org and team membership—are paused until the safeguard lifts.
No action is needed to restore full access: the account returns to normal automatically after 72 hours, with no re-confirmation step. Packages stay fully available to everyone who depends on them throughout.
If you believe your account was affected unexpectedly or you need assistance during a read-only period, contact npm Support.
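As an added illustration (not npm’s code), the following Python models the safeguard described above as a small state machine and replays the email-change, token-mint, publish chain against it; the action names, account fields and sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

READ_ONLY_WINDOW = timedelta(hours=72)
# Actions the announcement says are paused while the safeguard is active (names assumed).
PAUSED_ACTIONS = {"publish", "manage_tokens", "change_visibility", "modify_membership"}

@dataclass
class Account:
    name: str
    email: str
    high_impact: bool                       # owner of widely used packages
    read_only_until: Optional[datetime] = None
    alerts: List[Tuple[str, str]] = field(default_factory=list)  # (recipient, text)

def record_sensitive_change(acct: Account, kind: str, now: datetime,
                            new_email: Optional[str] = None) -> None:
    """kind is 'email_change' or 'recovery_code_used'; high-impact accounts go read-only."""
    previous_email = acct.email             # capture before the address is replaced
    if kind == "email_change":
        acct.email = new_email
    if acct.high_impact:
        acct.read_only_until = now + READ_ONLY_WINDOW
        # The alert goes to the address that was on file before the change.
        acct.alerts.append((previous_email, f"{kind}: read-only until {acct.read_only_until}"))

def is_read_only(acct: Account, now: datetime) -> bool:
    return acct.read_only_until is not None and now < acct.read_only_until

def authorize(acct: Account, action: str, now: datetime) -> bool:
    """Reads (install, browsing settings) always pass; paused actions wait for the lift."""
    return not (action in PAUSED_ACTIONS and is_read_only(acct, now))

def takeover_timeline(high_impact: bool) -> dict:
    """Replay the attack chain from the announcement against the safeguard (constructed data)."""
    t0 = datetime(2026, 1, 1, 12, 0)
    acct = Account("maintainer", "owner@example.org", high_impact)
    record_sensitive_change(acct, "email_change", t0, new_email="new@example.net")
    return {
        "alert_recipient": acct.alerts[0][0] if acct.alerts else None,
        "install_during_window": authorize(acct, "install", t0 + timedelta(hours=1)),
        "mint_token_during_window": authorize(acct, "manage_tokens", t0 + timedelta(hours=1)),
        "publish_during_window": authorize(acct, "publish", t0 + timedelta(hours=71)),
        "publish_after_lift": authorize(acct, "publish", t0 + timedelta(hours=73)),
    }
```

The lift after 72 hours happens with no re-confirmation step, matching the announcement; the non-high-impact path shows that the safeguard is scoped to high-impact accounts only.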