Automated token revocation for when you accidentally publish a token

Protecting npm user accounts is one of the most important ways we help secure the JavaScript ecosystem. This is especially true for accounts that publish packages, as the npm ecosystem is the beginning of the supply chain for the world’s JavaScript.

One mistake npm users make on occasion is publishing their npm authentication token in a public package. To help users protect against these accidental data leaks we’ve begun searching for exposed tokens in published packages and revoking them as fast as possible to prevent abuse from downstream package mirrors.

How this affects you

If you happen to publish a token, that token will automatically be revoked and you will receive an email with the subject npm security alert - account token published in npm package. This email will provide you additional details, including what package contained the token and what file it was found in.

At this point in the process there is likely no further action needed on your part. If there are any other security concerns related to your package the npm Security team will reach out to you directly.

How you can keep yourself and your code secure

First, you can enable 2-Factor Authentication for your account. This means that when you log into the website or publish a package using a token that was setup for ‘auth and publish’, a second factor is required to permit this action.

Second, if you maintain a package with multiple maintainers you can require that 2FA be enabled to publish a package.

Finally, you can take steps to make sure you don’t accidentally publish sensitive configuration files by using the files feature of package.json. This feature allows you to create a list of files you want to include in the published package.

***Update: We now do automated token revocation when tokens are pushed to GitHub. Read here to learn more.