Last updated: July 5, 2026 at 9:01 AM UTC
Tag: 2fa (1 article)

GitHub ships npm 11.15.0 with 2FA-gated staging, OIDC trusted publishing, and per-source install flags in response to TeamPCP wave

GitHub has shipped npm CLI 11.15.0, introducing a 'staging' workflow: maintainers run 'npm stage publish' to push a release candidate to a staging area before it goes live, with the constraint that the package must already exist on the registry and the publishing account must have 2FA enabled. Three new install flags (--allow-file, --allow-remote, --allow-directory) extend the existing --allow-git, giving developers an explicit allowlist for every non-registry install source. GitHub is also encouraging maintainers to pair staging with trusted publishing via OIDC, which replaces long-lived publish tokens stored in CI with short-lived credentials issued to the CI job's identity. The changes respond to the TeamPCP supply-chain wave that compromised hundreds of packages over the past several weeks.

Check
Inventory the developer machines and CI runners that run the npm CLI, and upgrade them to 11.15.0 or later to get the staging workflow and the new --allow-* flags. Identify the high-impact packages your team publishes and require 2FA on every maintainer account that can publish them; staging itself refuses packages whose account lacks 2FA.
Affected
Any npm publisher whose tokens or maintainer accounts could be hijacked. The TeamPCP wave hit 600+ packages in one hour on May 19 by abusing maintainer accounts.
Fix
Adopt 'npm stage publish' for production packages so every release passes through the staging area before going live. Enable 2FA on all maintainer accounts (staging requires it). Configure trusted publishing via OIDC where your CI provider supports it, so no long-lived publish token sits in CI secrets. Leave --allow-file / --allow-remote / --allow-directory (and --allow-git) unset by default and enable each one only in the pipelines that genuinely install from that source, so that a dependency specifier pointing at a source you have not allowlisted is rejected rather than silently pulled in.
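As an added example (not code from npm, GitHub or the article), the following Node script implements the Check and Fix steps above that can be automated: it gates the staging workflow on the installed npm version, and it scans a package.json for non-registry dependency specifiers to work out which --allow-* flags a CI install would actually need, so the rest can stay off. The mapping of specifier kinds to flags (file: tarball to --allow-file; file:, link: and bare-path directories to --allow-directory; http(s) tarballs to --allow-remote; git URLs and GitHub shorthand to --allow-git) is inferred from the flag names and is an assumption to confirm against `npm help install` on your npm version. The package.json embedded below is constructed for the example and does not come from any real project.

```javascript
'use strict';
// Added example, not npm's or GitHub's own code. Checks the installed npm
// version against the 11.15.0 staging baseline and derives the minimal
// --allow-* set a CI install of a given package.json would need.

const MIN_STAGING_VERSION = '11.15.0';

// Parse "11.15.0" or "v11.15.0" (prerelease/build suffixes are ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable npm version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when the given `npm --version` output is >= the staging baseline.
function supportsStaging(npmVersion, minimum = MIN_STAGING_VERSION) {
  const a = parseVersion(npmVersion);
  const b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

function isTarball(s) {
  return /\.(tgz|tar\.gz|tar)$/i.test(s.split('#')[0]);
}

// Classify one dependency specifier by the install source it resolves from.
// ASSUMPTION: these kind names map one-to-one onto npm 11.15's
// --allow-file / --allow-remote / --allow-directory / --allow-git flags.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (s.startsWith('npm:')) return 'registry';                          // alias, still registry
  if (/^(git\+[a-z]+:|git:|github:|gitlab:|bitbucket:|gist:)/i.test(s)) return 'git';
  if (/^https?:\/\//i.test(s)) return /\.git(#.*)?$/i.test(s) ? 'git' : 'remote';
  if (/^link:/.test(s)) return 'directory';
  if (/^file:/.test(s) || /^(\.\.?\/|\/|~\/)/.test(s)) return isTarball(s) ? 'file' : 'directory';
  if (/^[\w.-]+\/[\w.-]+(#\S*)?$/.test(s)) return 'git';                // GitHub shorthand user/repo
  return 'registry';                                                    // semver range, dist-tag, "*"
}

// Walk every dependency field and collect the non-registry sources found.
function requiredAllowFlags(pkg) {
  const fields = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const flags = new Set();
  const findings = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind === 'registry') continue;
      flags.add(`--allow-${kind}`);
      findings.push({ field, name, spec, kind });
    }
  }
  return { flags: [...flags].sort(), findings };
}

// The install command CI should run: only the flags this manifest needs.
function buildInstallCommand(pkg) {
  return ['npm', 'install', ...requiredAllowFlags(pkg).flags].join(' ');
}

// Constructed sample manifest for the example (not a real project).
const SAMPLE_PACKAGE_JSON = {
  name: 'example-service',
  dependencies: {
    express: '^4.19.0',
    'internal-lib': 'file:../internal-lib',
    'vendored-tool': 'file:./vendor/tool-1.2.0.tgz',
    'patched-dep': 'git+https://github.com/example/patched-dep.git#v2.0.1',
  },
  devDependencies: {
    typescript: '~5.4.0',
    'legacy-fixture': 'https://example.invalid/fixtures/legacy-fixture-0.1.0.tgz',
  },
};

if (typeof module !== 'undefined' && require.main === module) {
  const version = process.env.NPM_VERSION || MIN_STAGING_VERSION;      // e.g. $(npm --version)
  const manifestPath = process.env.PACKAGE_JSON;                       // path to a real package.json
  const pkg = manifestPath
    ? JSON.parse(require('node:fs').readFileSync(manifestPath, 'utf8'))
    : SAMPLE_PACKAGE_JSON;
  console.log(`npm ${version}: staging ${supportsStaging(version) ? 'available' : 'NOT available, upgrade'}`);
  for (const f of requiredAllowFlags(pkg).findings) {
    console.log(`${f.field}.${f.name}: ${f.spec} -> ${f.kind}`);
  }
  console.log(`install command: ${buildInstallCommand(pkg)}`);
}
```

Run it as `NPM_VERSION=$(npm --version) PACKAGE_JSON=./package.json node npm-source-check.js` on each developer machine or CI image. With no environment variables it runs against the constructed sample and reports that all four flags would be needed, which is exactly the case where you would want to ask why a production manifest pulls from a local directory, a local tarball, a git URL and a remote tarball at all, rather than enabling everything.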