GitHub Adds Staged Publishing to npm to Block Automated Supply Chain Attacks

HomeCyber Security News GitHub Adds Staged Publishing to npm to Block Automated Supply Chain Attacks By Abinaya May 25, 2026 GitHub has introduced a major security upgrade to the npm ecosystem with the general availability of staged publishing and new install-time controls, aimed at reducing automated supply chain attacks targeting open-source packages. The newly released staged publishing feature changes how npm packages are published and distributed. Instead of immediately making a package available after publishing, npm now places the prebuilt package tarball into a staging queue. A human maintainer must explicitly approve the package before it becomes publicly installable. GitHub Adds npm Staging This approach introduces a critical security checkpoint, especially for automated CI/CD workflows that are often targeted in supply chain attacks. Even if an attacker compromises a pipeline or injects malicious code, the package cannot be released without manual approval. Key security benefits include: Mandatory human approval enforced with two-factor authentication (2FA). Visibility of staged packages through both npm CLI and npmjs.com. Protection against unauthorized or automated publishing attempts. Reinforced proof-of-presence for maintainers during release. The feature is available starting with npm CLI version 11.15.0 and requires developers to switch from the traditional npm publish command to npm stage publish for staged workflows. GitHub recommends combining staged publishing with trusted publishing using OpenID Connect (OIDC). This setup allows CI/CD systems to publish packages directly into the staging queue without exposing long-lived credentials. Organizations can enforce stage-only publishing policies, ensuring that: Direct npm publish commands are rejected. Only npm stage publish is allowed from CI pipelines. Final approval is completed by a maintainer on a trusted device. This model significantly reduces the risk of credential theft and automated malicious releases. In addition to staged publishing, GitHub has introduced new install-time security flags in npm 11.15.0. These flags provide granular control over where dependencies can be installed from, helping prevent malicious or unexpected sources. New flags include: –allow-file: Controls installations from local files or tarballs. –allow-remote: Restricts dependencies fetched from remote URLs. –allow-directory: Governs installs from local directories. –allow-git (existing): Controls installations from Git repositories. Each flag supports two modes: all (default) or none, and can be configured via .npmrc or package.json. These controls allow developers to implement strict allowlist policies, reducing the attack surface from non-registry sources often used in dependency confusion or injection attacks. Security Impact GitHub also confirmed that in npm CLI version 12, the default behavior for –allow-git will change from all to none, signaling a shift toward stricter default security settings. Developers are encouraged to adopt these restrictions early by manually configuring the new flags. For example, an organization can configure its environment to block all non-registry installs: Set –allow-remote=none Set –allow-file=none Set –allow-directory=none Allow only trusted registry packages Combined with staged publishing, this creates a controlled pipeline where both package creation and consumption are tightly secured. These updates directly address common supply chain attack vectors, including: Malicious code injection in CI/CD pipelines. Dependency confusion via external sources. Unauthorized package publishing. By introducing human validation and stricter dependency controls, GitHub is moving npm toward a zero-trust supply chain model. Organizations using npm are strongly advised to upgrade to npm CLI 11.15.0 or later and update their workflows to take full advantage of these new protections. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News GitHub Internal Repositories Breached Via Weaponized VS Code Extension Critical ExifTool Vulnerability Allows Attackers to Compromise Macs via Single Malicious Image PoC Exploit Released for 20-Year Old PostgreSQL RCE Vulnerability Wireshark 4.6.6 Released With Fix for Dissector Crash via Malformed Packet Injection Trapdoor Android Ad Fraud Operation Uses 455 Malicious Apps to Generate Fake Clicks Latest News Cyber Security Pentest Agent Suite – Bug Bounty Framework for Claude Code and 6 AI Coding Tools Cyber Security Wireshark 4.6.6 Released With Fix for Dissector Crash via Malformed Packet Injection Cyber Security Hackers Compromised 34 Packages in npm, PyPI, and Crates in New Supply Chain Attack Cyber Security News Top 10 Best Malware Sandbox Tools for Security Teams in 2026 Cyber Security News PyrsistenceSniper – Tool that Detects 117 Persistence Malware Techniques on Windows, Linux, and macOS