© 2024 PodJoint
Programming Tech Brief By HackerNoon
HackerNoon
425 episodes
1 day ago
Learn the latest programming updates in the tech world.
Technology, Education, Language Learning
All content for Programming Tech Brief By HackerNoon is the property of HackerNoon and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
npm's New Token Limits Won't Stop the Attacks That Actually Happen
8 minutes
5 days ago

This story was originally published on HackerNoon at: https://hackernoon.com/npms-new-token-limits-wont-stop-the-attacks-that-actually-happen.
npm's October 2025 security overhaul introduces 90-day token limits and kills classic tokens. But the biggest supply chain attacks—from XZ Utils to the...
Check more stories related to programming at: https://hackernoon.com/c/programming. You can also check exclusive content about #npm, #npm-token-limit, #npm-token-attacks, #cybersecurity, #npm-package-security, #npm-token-security, #npm-security, #software-development, and more.

This story was written by: @encapsulation. Learn more about this writer by checking @encapsulation's about page, and for more stories, please visit hackernoon.com.

npm's new token lifetime limits (90-day max, 7-day default) and mandatory WebAuthn are good security hygiene, but they don't address how attacks actually happen. The September 2025 breach that compromised 18 packages with 2.6B weekly downloads succeeded via phishing—the attacker had full account access and could generate tokens at will. The XZ Utils backdoor involved three years of social engineering to gain maintainer trust. Token rotation doesn't stop account takeovers, malicious insiders, or the lack of code review. npm is treating the symptom (token exposure) rather than the disease (anyone can publish anything instantly).
