GitHub adds 2FA-staged publishing and install flags to npm
GitHub added 2FA-gated staged publishing to npm requiring maintainer approval before releases become installable, and introduced --allow-file, --allow-remote and --allow-directory install flags.
GitHub rolled out staged publishing for npm, a feature that requires a human maintainer to complete a two-factor authentication challenge before a published package becomes installable on npmjs.com. The feature is generally available now. GitHub wrote that “instead of a direct publish that immediately makes a package version available to consumers, the prebuilt tarball is uploaded to a stage queue where a maintainer must explicitly approve it before it becomes installable,” and the company called the change “proof of presence” for every publish.
To use staged publishing, a maintainer must already have publish access to the package, the package must already exist on the npm registry, and the maintainer’s account must have 2FA enabled. New packages cannot be staged. Developers submit a release to the staging area with the npm CLI command npm stage publish run from the package root; the command requires npm CLI version 11.15.0 or newer. GitHub recommends pairing staged publishing with trusted publishing using OpenID Connect (OIDC) for additional verification.
GitHub also added three install-source flags to control non-registry installs. The --allow-file flag governs installs from local file paths and local tarballs, --allow-remote controls installs from remote URLs including https tarballs, and --allow-directory manages installs from local directories. GitHub noted these flags extend the explicit-allowlist approach beyond the existing --allow-git option so teams can limit where installable code originates.
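Before restricting non-registry installs, a team usually wants to know which of its existing dependencies would be affected. The following Node script is an added example, not code from GitHub or the npm project: it classifies each dependency specifier in a package.json by install source (registry, local tarball, local directory, remote tarball, or git) and maps the non-registry categories to the --allow-file, --allow-directory, --allow-remote and --allow-git flags as the article describes them. The specifier patterns follow npm's documented package-spec forms; the owner/repo GitHub shorthand rule is my reading of that grammar and should be treated as an assumption. The sample manifest is constructed for illustration.

```javascript
// Added example (not GitHub's or npm's code). Classifies dependency
// specifiers by install source so a team can see which entries would be
// covered by --allow-file, --allow-directory, --allow-remote or --allow-git.

const SOURCE = {
  REGISTRY: "registry",     // semver range, dist-tag or npm: alias
  FILE: "file",             // local tarball            (--allow-file)
  DIRECTORY: "directory",   // local directory / link   (--allow-directory)
  REMOTE: "remote",         // http(s) tarball          (--allow-remote)
  GIT: "git",               // git URL or hosted shorthand (--allow-git)
};

// Map one package.json specifier string to an install-source category.
function classifySpec(spec) {
  const s = String(spec).trim();
  // Explicit git schemes and hosted-provider prefixes.
  if (/^(git\+|git:|github:|gitlab:|bitbucket:|gist:)/.test(s)) return SOURCE.GIT;
  // Assumption: bare "owner/repo[#ref]" is the GitHub shorthand form.
  if (/^[\w.-]+\/[\w.-]+(#[\w./-]*)?$/.test(s)) return SOURCE.GIT;
  // Remote tarballs fetched over HTTP(S).
  if (/^https?:\/\//.test(s)) return SOURCE.REMOTE;
  // Local paths: file:/link: prefixes, or relative/absolute/home-relative paths.
  if (/^(file:|link:|\.\.?\/|\/|~\/)/.test(s)) {
    const path = s.replace(/^(file:|link:)/, "");
    return /\.(tgz|tar\.gz|tar)$/.test(path) ? SOURCE.FILE : SOURCE.DIRECTORY;
  }
  return SOURCE.REGISTRY;
}

// Walk the dependency fields and return every non-registry entry.
function auditDependencies(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const source = classifySpec(spec);
      if (source !== SOURCE.REGISTRY) findings.push({ field, name, spec, source });
    }
  }
  return findings;
}

// Constructed sample manifest; package names and URLs are placeholders.
const SAMPLE_PACKAGE_JSON = {
  name: "sample-app",
  dependencies: {
    express: "^4.18.2",
    lodash: "latest",
    "my-lib": "file:../my-lib",
    "my-tarball": "file:./vendor/my-tarball-1.0.0.tgz",
    "remote-thing": "https://example.invalid/pkg-1.2.3.tgz",
    "some-fork": "github:example-org/some-fork#v2",
    "short-fork": "example-org/short-fork",
    aliased: "npm:express@^4",
  },
  devDependencies: {
    "local-tool": "../tools/local-tool",
  },
};

// Print one line per non-registry dependency with the flag category it falls under.
for (const f of auditDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.field}: ${f.name} -> ${f.source} (${f.spec})`);
}
```

Running it against the sample reports six non-registry entries: two directories, one local tarball, one remote tarball and two git sources. Replacing SAMPLE_PACKAGE_JSON with a parsed real manifest (for example via JSON.parse on the file contents) turns this into a quick pre-flight check before a team starts passing only the allow flags it actually needs.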
The updates arrive after a period of increased activity in software supply-chain attacks that target package registries and automated publishing workflows. Security teams have reported large-scale package poisoning campaigns that exploit automated publishes and non-registry install paths, and some threat actors have repeatedly targeted popular packages.
Both staged publishing and the new install flags are available on npmjs.com. Maintainers who want to use staged publishing must meet the access and 2FA prerequisites and update to the required npm CLI version, while teams can adopt the new flags to restrict non-registry installs.