This story was originally published on HackerNoon at: https://hackernoon.com/npms-new-token-limits-wont-stop-the-attacks-that-actually-happen.
npm's October 2025 security overhaul introduces 90-day token limits and kills classic tokens. But the biggest supply chain attacks—from XZ Utils to the...
Check more stories related to programming at: https://hackernoon.com/c/programming. You can also check exclusive content about #npm, #npm-token-limit, #npm-token-attacks, #cybersecurity, #npm-package-security, #npm-token-security, #npm-security, #software-development, and more.
This story was written by: @encapsulation. Learn more about this writer by checking @encapsulation's about page, and for more stories, please visit hackernoon.com.
npm's new token lifetime limits (90-day max, 7-day default) and mandatory WebAuthn are good security hygiene, but they don't address how attacks actually happen. The September 2025 breach that compromised 18 packages with 2.6B weekly downloads succeeded via phishing—the attacker had full account access and could generate tokens at will. The XZ Utils backdoor involved three years of social engineering to gain maintainer trust. Token rotation doesn't stop account takeovers, malicious insiders, or the lack of code review. npm is treating the symptom (token exposure) rather than the disease (anyone can publish anything instantly).