GitHub: npm introduces 72-hour preventive protection for high-impact accounts
GitHub's npm registry now protects high-impact accounts with a 72-hour read-only lock after sensitive account changes, blocking token issuance and package publishing in order to prevent supply-chain attacks on the open-source ecosystem.
This article was generated using artificial intelligence from primary sources.
What is a supply-chain attack and why npm?
A supply-chain attack, in which a malicious actor compromises a popular open-source package and publishes a version carrying malicious code that is then pulled into every project whose dependency ranges accept it, is one of the most dangerous threats in modern software development. npm, the package registry of the JavaScript ecosystem with more than 2.5 million packages, is a particularly attractive target: compromising one popular package can simultaneously endanger thousands of applications around the world. Until now, nothing stood between a stolen credential and the publication of a malicious version; an attacker with working credentials could publish immediately.
The new measure: a 72-hour read-only lock
On June 25, 2026, GitHub announced that npm now enforces a 72-hour read-only lock on high-impact accounts, meaning accounts whose packages have an exceptionally high download count and broad ecosystem presence. The protection is triggered automatically by two sensitive actions: changing the account's email address or modifying its 2FA recovery code. These are the classic steps of an account takeover: once the email address and recovery codes point to the attacker, password resets and recovery flows go to the attacker rather than the legitimate owner.
What is blocked during the protection window?
During the 72-hour window, the account cannot:
- mint (issue) new API tokens that could be used for automated publishing
- publish packages or new versions of existing packages
The legitimate account owner receives a notification and has time to react, whether the change was planned or the result of credential theft. Because the lock is read-only rather than a suspension, existing versions of the account's packages remain installable throughout; only write operations from the account are blocked. Only after the window expires without further security signals does the account return to normal operation.
Comparison with the previous state
Before this change, an attacker who had successfully taken over an npm account could immediately publish a malicious package, with no delay and no warning to the community. Now there is a structural barrier that provides 72 hours for detection and remediation, even when the attacker holds valid credentials. This is a qualitative shift in supply-chain defense: from reactive (removing a malicious package after publication) to preventive (blocking publication while account integrity is verified). Note the trigger scope, however: the lock fires on changes to the account's email address or 2FA recovery code, so the 72 hours cover the takeover path that runs through those settings; it is not a general delay on every publish.
Frequently Asked Questions
- What is a supply-chain attack on npm?
- A supply-chain attack is an attack in which a malicious actor takes control of a popular open-source package and publishes a version containing malicious code, which is then pulled into every project that installs or updates that package.
- What actions trigger the 72-hour protection?
- The protection is triggered by changing the account's email address or its 2FA recovery code, the two settings attackers change in order to take control of an account and lock out its owner.