npm now adds a temporary, preventive safeguard for high-impact accounts—those responsible for the registry’s most widely used packages—whenever it detects a sensitive account change, strengthening protection against account-takeover attacks.

When a high-impact account changes its email or uses a 2FA recovery code, the account is placed into a 72-hour read-only state and an alert is sent to the account’s previous email address. This closes an attack vector that recent supply chain attacks have exploited: a compromised account changes its email, mints a new token, and publishes malicious versions.

During the read-only period, you can still install and download packages, view your organizations and teams, and browse account and package settings.

Actions that could affect the registry or the account’s security—such as publishing, managing tokens, changing package visibility, or modifying org and team membership—are paused until the safeguard lifts.

No action is needed to restore full access: the account returns to normal automatically after 72 hours, with no re-confirmation step. Packages stay fully available to everyone who depends on them throughout.
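As an added illustration (not npm's code), the safeguard's policy modelled in Python: a sensitive event on a high-impact account starts the 72-hour window and alerts the previous address, and the takeover chain the post describes (change email, mint token, publish) is replayed against it. Event and action names are constructed labels, not npm API identifiers.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

READ_ONLY_WINDOW = timedelta(hours=72)
SENSITIVE_EVENTS = {"email_change", "recovery_code_used"}
# Constructed labels for what stays available vs. what is paused while read-only.
READ_ACTIONS = {"install", "download", "view_orgs", "view_settings"}
WRITE_ACTIONS = {"publish", "manage_tokens", "change_visibility", "modify_membership"}


@dataclass
class Account:
    name: str
    email: str
    high_impact: bool
    read_only_until: Optional[datetime] = None
    alerts: list = field(default_factory=list)  # (recipient, message) pairs


def record_sensitive_event(acct: Account, event: str, now: datetime, new_email: str = None) -> None:
    """Apply a sensitive change; for high-impact accounts, start the read-only
    window and notify the address the account had *before* the change."""
    if event not in SENSITIVE_EVENTS:
        raise ValueError(f"unknown event {event!r}")
    previous_email = acct.email
    if event == "email_change":
        acct.email = new_email
    if acct.high_impact:
        acct.read_only_until = now + READ_ONLY_WINDOW
        acct.alerts.append((previous_email, f"{event} at {now.isoformat()}; "
                            f"read-only until {acct.read_only_until.isoformat()}"))


def is_read_only(acct: Account, now: datetime) -> bool:
    return acct.read_only_until is not None and now < acct.read_only_until


def authorize(acct: Account, action: str, now: datetime) -> str:
    """Return 'allowed' or 'paused' for an action under the safeguard."""
    if action in READ_ACTIONS:
        return "allowed"
    if action in WRITE_ACTIONS:
        return "paused" if is_read_only(acct, now) else "allowed"
    raise ValueError(f"unknown action {action!r}")


def simulate_takeover_chain(now: datetime = datetime(2025, 1, 1)):
    """Replay the chain from the post on a constructed high-impact account."""
    acct = Account("maintainer", "owner@example.com", high_impact=True)
    record_sensitive_event(acct, "email_change", now, new_email="attacker@example.com")
    outcomes = [authorize(acct, "manage_tokens", now + timedelta(minutes=5)),  # paused
                authorize(acct, "publish", now + timedelta(hours=1)),          # paused
                authorize(acct, "install", now + timedelta(hours=1)),          # allowed
                authorize(acct, "publish", now + READ_ONLY_WINDOW)]            # allowed again
    return outcomes, acct
```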

If you believe your account was affected unexpectedly or you need assistance during a read-only period, contact npm Support.
