NPM to Implement Staged Publishing After Turbulent Shift Off Classic Tokens

Hacker News, Jan 7, 2026

Why It Matters

The pricing shift reshapes CI/CD cost structures for enterprises, and the npm breach underscores urgent supply‑chain risks, prompting stricter publishing controls to protect developers and organizations.

Key Takeaways

  • GitHub delays self‑hosted Actions billing overhaul
  • Hosted runner prices cut effective Jan 1, 2026
  • npm spearphishing used 27 compromised packages
  • Attack targeted manufacturing, automation, healthcare firms
  • npm plans staged publishing to improve package security

Pulse Analysis

GitHub's decision to defer the self‑hosted Actions billing overhaul reflects a growing sensitivity to developer cost concerns. While the company proceeds with a 30% reduction in hosted runner fees, the postponement signals that any future pricing adjustments will need to balance revenue goals with the community's appetite for predictable CI/CD expenses. Enterprises that rely heavily on self‑hosted runners can now maintain existing budgets, but must stay alert for eventual policy changes.

The recent npm‑based spearphishing campaign illustrates how attackers continue to weaponize open‑source ecosystems. By injecting malicious code into 27 seemingly benign packages, threat actors created browser‑run lures that mimicked document‑sharing portals and Microsoft sign‑in pages, harvesting credentials from 25 targeted organizations across manufacturing, industrial automation, plastics, and healthcare. This incident reinforces the critical need for continuous monitoring of dependencies, stricter vetting processes, and rapid response capabilities to mitigate supply‑chain breaches.

In response, npm is rolling out staged publishing, under which a newly published version must pass additional verification before it becomes publicly available. Coupled with the recent shift away from classic authentication tokens, the new workflow aims to reduce the attack surface for malicious package uploads. Developers can expect a brief delay when publishing updates, but the added security checks are designed to safeguard the broader ecosystem, reinforcing trust in npm as a cornerstone of modern software development.
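The same idea can be applied on the consuming side: rather than waiting for the registry to hold a version back, a project can refuse to install versions that are younger than a cooldown window, which gives the community time to notice a malicious release. The script below is an added example, not npm's own code and not from the article; it parses a constructed `package-lock.json` (lockfile v3 layout) and checks each pinned version against a constructed stand-in for the registry packument's `time` map, flagging anything published within the last seven days or with no known publish time.

```python
"""Flag lockfile dependencies whose pinned version was published too recently.

Added example (not npm's code). The lockfile excerpt and the registry "time"
map below are constructed sample data; in a real check the time map would
come from the package's registry metadata.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed package-lock.json (lockfileVersion 3) excerpt.
LOCKFILE = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/left-util": {"version": "2.3.1"},
    "node_modules/fast-thing": {"version": "0.9.0"},
    "node_modules/@acme/widget": {"version": "1.0.0"}
  }
}
""")

# Constructed stand-in for the registry's "time" field: package -> version -> ISO timestamp.
# "@acme/widget" is deliberately absent to exercise the unknown-publish-time path.
REGISTRY_TIME = {
    "left-util": {"2.3.0": "2025-11-01T10:00:00.000Z", "2.3.1": "2025-12-30T09:12:00.000Z"},
    "fast-thing": {"0.9.0": "2025-06-15T08:00:00.000Z"},
}


def lookup_time(name):
    """Return the version -> timestamp map for a package, or {} if unknown."""
    return REGISTRY_TIME.get(name, {})


def lockfile_dependencies(lock):
    """Yield (package_name, version) for every installed package in a v3 lockfile.

    Keys look like "node_modules/pkg", "node_modules/@scope/pkg" or nested
    "node_modules/a/node_modules/b"; the name is everything after the last
    "node_modules/" segment.
    """
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, entry["version"]


def parse_registry_time(ts):
    """Parse the registry's ISO-8601 timestamp (millisecond precision, UTC)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def too_young(lock, time_lookup, now, min_age_days=7):
    """Return (name, version, reason) for versions younger than min_age_days.

    Versions with no publish time are reported as well: a version that cannot
    be dated cannot be vetted, so it fails closed.
    """
    cutoff = now - timedelta(days=min_age_days)
    findings = []
    for name, version in lockfile_dependencies(lock):
        published = time_lookup(name).get(version)
        if published is None:
            findings.append((name, version, "unknown publish time"))
            continue
        when = parse_registry_time(published)
        if when > cutoff:
            findings.append((name, version, f"published {(now - when).days} days ago"))
    return findings


def sample_findings():
    """Run the check over the constructed data with a fixed 'now' (2026-01-02 UTC)."""
    now = datetime(2026, 1, 2, tzinfo=timezone.utc)
    return too_young(LOCKFILE, lookup_time, now)


if __name__ == "__main__":
    for name, version, reason in sample_findings():
        print(f"{name}@{version}: {reason}")
```

With the constructed data the run flags `left-util@2.3.1` (two days old at the chosen date) and `@acme/widget@1.0.0` (no registry record), and passes `fast-thing@0.9.0`. npm itself offers a coarser version of this control through the `--before=<date>` install option, which only considers versions available on or before that date; the script above is useful where the policy must be expressed as an age per dependency rather than a single cutoff date.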
