npm to Implement Staged Publishing After Turbulent Shift Off Classic Tokens
Blog post from Socket
In 2025, the JavaScript ecosystem faced a series of supply chain attacks, culminating in the Shai-Hulud campaign, which exposed weaknesses in maintainer workflows and showed how quickly compromised credentials could be turned into malicious releases. In response, npm has introduced staged publishing, a new release model that adds a review period before a package release becomes public and requires explicit, multi-factor authentication from package owners to prevent unintended or malicious changes.

This initiative follows a difficult transition from classic npm tokens to short-lived session tokens and granular access tokens, which improved security but created friction for maintainers responsible for many packages. The shift to OIDC-based trusted publishing aims to reduce credential theft, but its current limitations mean it cannot yet be applied across the whole npm ecosystem. Critics argue that npm's focus on credential security overlooks the need for registry-side anomaly detection that would flag unusual publishing activity.

By introducing a registry-level pause, staged publishing seeks to slow the propagation of compromised releases, but its effectiveness will depend on how well it integrates with CI automation and how it scales for large organizations. As the ecosystem evolves, npm must balance these security measures against the realities of open-source software development and maintenance.