NPM Token Detector
The npm-token detector identifies NPM registry authentication tokens.
| Pattern | Finding ID | Description |
|---|---|---|
| `npm_[a-z0-9]{36}` | npm-token-npm-auth-token | NPM Authentication Token |
Finding severity: Critical
Pattern: `npm_[a-z0-9]{36}`
NPM automation tokens follow a consistent format:
- Prefix: `npm_`
- 36 lowercase alphanumeric characters
Example finding:
```json
{
  "id": "npm-token-npm-auth-token",
  "probe": "npm",
  "severity": "critical",
  "title": "NPM Token Detected (NPM Authentication Token)",
  "message": "An NPM Authentication Token was detected in file:/Users/dev/.npmrc. This credential provides access to NPM packages and registries.",
  "path": "file:/Users/dev/.npmrc",
  "metadata": {
    "detector_name": "npm-token",
    "token_type": "npm-auth-token",
    "fingerprint": "sha256:..."
  }
}
```
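A minimal scanner that applies the pattern above to file contents and emits findings in the shape shown, as an added example (not the detector's own code). It assumes the fingerprint is the SHA-256 of the raw token and adds a `line` and a `redacted` field that the page's schema does not have; the sample `.npmrc` and its token value are constructed.

```python
import hashlib
import json
import re

# Pattern from the detector table: "npm_" prefix plus 36 lowercase alphanumerics.
# The surrounding lookarounds are an added assumption so the match cannot start
# or end inside a longer identifier-like run.
NPM_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_])npm_[a-z0-9]{36}(?![A-Za-z0-9_])")

def fingerprint(token: str) -> str:
    # Assumption: SHA-256 of the raw token, so findings can be deduplicated
    # across scans without storing the secret itself.
    return "sha256:" + hashlib.sha256(token.encode()).hexdigest()

def scan_text(text: str, path: str) -> list:
    """Return one finding dict (shape as in the example above) per token found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in NPM_TOKEN_RE.finditer(line):
            token = m.group(0)
            findings.append({
                "id": "npm-token-npm-auth-token",
                "probe": "npm",
                "severity": "critical",
                "title": "NPM Token Detected (NPM Authentication Token)",
                "message": (f"An NPM Authentication Token was detected in {path}. "
                            "This credential provides access to NPM packages and registries."),
                "path": path,
                "metadata": {
                    "detector_name": "npm-token",
                    "token_type": "npm-auth-token",
                    "fingerprint": fingerprint(token),
                    "line": line_no,                 # added field, not in the page's schema
                    "redacted": token[:8] + "...",   # never log the full secret
                },
            })
    return findings

# Constructed sample .npmrc: a hard-coded (fake) token, a safe ${VAR} reference that
# must not match, and a too-short placeholder that must not match either.
SAMPLE_NPMRC = """\
//registry.npmjs.org/:_authToken=npm_abcdefghijklmnopqrstuvwxyz0123456789
//npm.mycompany.com/:_authToken=${PRIVATE_NPM_TOKEN}
//example.invalid/:_authToken=npm_xxxxxxxxxxxxxxxxxxxx
"""

if __name__ == "__main__":
    print(json.dumps(scan_text(SAMPLE_NPMRC, "file:/Users/dev/.npmrc"), indent=2))
```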
A compromised NPM token allows attackers to:
- Publish malicious versions of your packages
- Add backdoors to widely-used libraries
- Publish typosquatted packages with similar names
- Download private packages
- Access organization packages
- View package metadata
Supply chain impact:
- npm packages have deep dependency trees
- One compromised package affects thousands of projects
- Real-world examples: event-stream, ua-parser-js
Revoke the token via the CLI:
```bash
# List your tokens
npm token list
# Revoke the compromised token
npm token revoke <token-id>
```
Or via the web:
- Go to npmjs.com
- Account -> Access Tokens
- Delete the compromised token
Check if unauthorized changes were made:
```bash
# Check package versions
npm view <package-name> versions
# Check publish history
npm view <package-name> time
```
Review recent npm activity in your account settings.
Create least-privilege tokens and keep them out of config files:
```bash
# Create automation token (for CI/CD)
npm token create --read-only       # For installing only
npm token create --cidr=x.x.x.x/x  # With IP restrictions
# Use environment variables
export NPM_TOKEN=npm_xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Reference in .npmrc
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
```
Never commit tokens to version control.
NPM supports different token types with varying permissions:
| Type | Permissions | Use Case |
|---|---|---|
| Publish | Read, Write, Publish | Local development |
| Automation | Read, Write, Publish | CI/CD pipelines |
| Read-only | Read only | Installing packages |
| Granular | Custom per-package | Fine-grained control |
- Use read-only tokens for CI/CD that only installs packages
- Use automation tokens for publishing pipelines
- Use granular tokens to limit scope to specific packages
- Add CIDR restrictions to limit token use by IP range
Never commit .npmrc with tokens:
```
# .gitignore
.npmrc
```
Use environment variable interpolation:
```
# .npmrc (safe to commit)
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
```
Scope tokens to registries:
```
# Only send token to specific registry
@mycompany:registry=https://npm.mycompany.com/
//npm.mycompany.com/:_authToken=${PRIVATE_NPM_TOKEN}
```
Use CI/CD secrets management:
```yaml
# GitHub Actions
- name: Setup Node
  uses: actions/setup-node@v4
  with:
    node-version: '20'
    registry-url: 'https://registry.npmjs.org'
  env:
    # setup-node writes an .npmrc that reads NODE_AUTH_TOKEN at runtime, so the
    # variable must also be present on the step that actually runs npm publish
    NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```
Enable 2FA for publishing:
- Require 2FA for publish operations
- Prevents token-only publishing
Regular token rotation:
- Rotate tokens periodically
- Immediately rotate after any potential exposure
Check which account and tokens are in use:
```bash
# See what permissions your token has
npm whoami
npm token list
```
Related detectors:
- NPM Probe - Checks NPM configuration security
- Generic API Key Detector - Catches other secret patterns