Optional MFA bypass and token creation undermine npm security improvements

8/10 High

Developers can still create 90-day tokens with MFA bypass enabled in the npm console; such tokens behave much like the vulnerable classic tokens from before 2025. Because MFA on publish remains optional, this leaves supply chain attack vectors open despite npm's authentication overhaul.

Category: security
Workaround: hack
Stage: deploy
Freshness: worsening
Scope: framework
Upstream: open
Recurring: Yes
Buyer Type: enterprise
Maintainer: active

Sources

Collection History

Query: “What are the most common pain points with npm for developers in 2025?” (3/31/2026)

Second, MFA on publish is optional. Developers can still create 90-day tokens with MFA bypass enabled in the console, which are extremely similar to the classic tokens from before.

Created: 3/31/2026
Updated: 3/31/2026