npm adds preventive account protection for high-impact accounts
npm has introduced a new preventive safeguard for accounts managing critical packages, adding a 72-hour read-only state after detecting sensitive changes like email updates or 2FA recovery code usage. This measure aims to block account-takeover attacks that have been exploited in recent supply chain incidents, ensuring package availability and user security.
Features (1)
- Preventive account protection for high-impact accounts
npm now implements a temporary, preventive safeguard for accounts managing the registry's most widely used packages. This feature activates when sensitive account changes are detected, placing the account into a 72-hour read-only state to mitigate account-takeover risks.
Enhancements (1)
- Read-only state details and actions during protection
During the 72-hour read-only period, users can still install and download packages, view organizations and teams, and browse account/package settings. Actions that could affect the registry or account security, like publishing or managing tokens, are temporarily paused.
Notes (2)
- Automatic restoration of full access
Full account access is automatically restored after the 72-hour safeguard period concludes, with no additional re-confirmation step required. Packages remain available to all dependents throughout this process.
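The safeguard described above, modelled as a small policy check (an added illustration, not npm's own code; the event and action labels, the rule that the latest sensitive change starts the 72-hour window, and the fail-closed default for unlisted actions are assumptions):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Window length taken from the announcement.
PROTECTION_WINDOW = timedelta(hours=72)

# Sensitive changes the announcement names as triggers (event labels are assumed).
SENSITIVE_EVENTS = {"email_updated", "recovery_code_used"}

# Actions that stay available in the read-only state vs. actions that are paused
# (labels are assumed; the categories follow the announcement).
READ_ONLY_ALLOWED = {"install", "download", "view_org", "view_team", "view_settings"}
PAUSED_ACTIONS = {"publish", "token_create", "token_revoke"}


@dataclass(frozen=True)
class AccountEvent:
    kind: str
    at: datetime


def protection_until(events, high_impact):
    """Return when the read-only window ends, or None if no window is active.
    Assumptions: only high-impact accounts get the safeguard, and the most recent
    sensitive change starts the window."""
    if not high_impact:
        return None
    triggers = [e.at for e in events if e.kind in SENSITIVE_EVENTS]
    if not triggers:
        return None
    return max(triggers) + PROTECTION_WINDOW


def is_allowed(action, events, now, high_impact=True):
    """Decide whether `action` may proceed at `now` for an account with `events`."""
    until = protection_until(events, high_impact)
    if until is None or now >= until:
        return True  # full access; restored automatically once the window has passed
    if action in READ_ONLY_ALLOWED:
        return True
    # Paused actions, and anything not explicitly listed, are denied while protected.
    return False


# Constructed sample timeline: a recovery code is used at T0 on a high-impact account.
T0 = datetime(2026, 6, 25, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    AccountEvent("email_updated", T0 - timedelta(hours=10)),
    AccountEvent("recovery_code_used", T0),
]
```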
- Support for unexpected account impact or read-only periods
Users who believe their account was unexpectedly affected or require assistance during a read-only period are advised to contact npm Support for help.
https://github.blog/changelog/2026-06-25-npm-adds-preventive-account-protection-for-high-impact-accounts