npm Security Hardening Checklist

From the presentation From AiTM phishing to autonomous worms: a deep dive into 2025 npm attacks — Insomni'hack 2026.
Head to npmjs.com and sign in to get started.

0 / 0 completed

Minimize the use of long-lived tokens

Section Account > Access tokens

Disable unused tokens
Inventory all active tokens

For each active token:

CI token? Migrate to Trusted Publishing then disable the token
Developer token? Use npm login instead then disable the token
Reduce token permissions to the strict minimum
Fixed egress IP? Recreate the token with an IP restriction

Secure your npm account

Section Account > Two-Factor Authentication

Verify that 2FA is enabled
Remove phishing-vulnerable 2FA methods (TOTP)
Add a phishing-resistant 2FA method (hardware key or passkey)
Save recovery codes in a secure location

Section Account > Linked Accounts & Recovery Option

Link your GitHub account for account recovery

If you have an npm organization

Organization admin page

Verify that all members have 2FA enabled
Enable mandatory 2FA (Enable 2FA enforcement)

If you publish npm packages

For each package:

Determine how the package is published to npm
Use Trusted Publishing rather than tokens
Otherwise, restrict the write token to this package only

After switching to Trusted Publishing:

In Settings > Publishing access, select Require 2FA and disallow tokens

Insomni'hack 2026 — Presentation slides