By ByteBot
npm announced staged publishing in January 2026, requiring review periods before packages go live. The move follows December’s classic token revocation that broke CI/CD pipelines ecosystem-wide, itself a reactive scramble after the Shai-Hulud attacks stole $50+ million and backdoored 25,000 repositories in late 2025. Instant publishing was a design flaw, and speed killed the JavaScript supply chain.
What NPM Staged Publishing Means
Staged publishing adds a mandatory review window between “npm publish” and packages becoming publicly available. Package owners must approve releases with MFA verification before they propagate. Deliberate friction by design.
Details remain unfinalized: opt-in or mandatory, organization workflows, CI automation compatibility. What’s clear: friction is coming.
The $50M Crisis That Forced npm’s Hand
September 15, 2025: Attackers published malicious npm packages with post-install scripts that harvested credentials and exfiltrated them to GitHub repos named “Shai-Hulud.” The malware auto-replicated, using stolen npm tokens to publish malicious versions of every accessible package. Result: ~$50 million in cryptocurrency stolen.
November 21-23, 2025: “The Second Coming” compromised 796 packages (20M weekly downloads) and backdoored 25,000+ GitHub repositories in hours. Zapier, PostHog, and Postman maintainers hit. The attack used preinstall scripts that run even when installation fails.
CISA issued an official alert. Check Point called it “the most aggressive NPM supply chain attack of 2025.” The attack vector: compromised credentials plus instant publishing equals catastrophe.
December’s Token Revocation Broke Pipelines
December 9, 2025: npm permanently revoked all classic tokens with no recovery. Developers who hadn’t migrated woke up to broken CI/CD pipelines. npm replaced them with 2-hour session tokens and granular tokens capped at 90 days.
Socket.dev called it a “turbulent shift.” GitHub discussions filled with complaints about poor communication. npm’s reasoning: “reactive response to a surge in registry attacks.” The key word is reactive. npm was playing catch-up after Shai-Hulud.
OIDC Trusted Publishing: npm’s Preferred Path
OIDC (OpenID Connect) trusted publishing, available since July 2025, eliminates long-lived tokens with short-lived, cryptographically-signed credentials that can’t be exfiltrated.
Setup: configure trusted publisher on npmjs.com (org, repo, workflow, environment). GitHub Actions generates OIDC token, npm verifies it, publishing proceeds with automatic provenance attestations.
Benefits: no tokens to store or rotate. Cryptographic trust. Automatic provenance. Limitations: cloud-hosted runners only, one publisher per package, npm CLI 11.5.1+ required.
The Friction vs. Velocity Debate
Pro-security: friction is worth preventing another Shai-Hulud. Pro-velocity: attackers will approve their own malicious changes anyway, slowing legit devs without stopping threats. Pragmatists want tiered approaches: staged for critical packages, instant for the rest.
Hacker News discussions (105 points, 16 comments) show the divide. Developers dread another workflow disruption after December’s chaos, but remember $50M in losses.
The reality: instant publishing was a luxury npm couldn’t afford after 2025 proved the model broken. Friction is the price of a $50M lesson.
The Broader Supply Chain Security Shift
Staged publishing is part of an industry-wide shift from “move fast” to “move safely.” PyPI requires 2FA for top packages. RubyGems added MFA in 2022. Every major package ecosystem is adding friction.
npm’s announcement is a confession: instant gratification killed the JavaScript supply chain. Staged publishing is npm admitting it can’t trust the old model.
Developers will adapt. But frictionless publishing is over, and Shai-Hulud’s $50M price tag is why.
