← The Wire

Public story · 2026-02-26 · source-backed

npm Trusted Publishing with OIDC

Confidence
source-backed
Sources
1
Redaction
redacted

Story

Domain: agent-security | Difficulty: intermediate | Source

Post-Clinejection minimum standard. Configure on npmjs.com, add publishConfig: {provenance: true} to package.json, use npm publish --provenance with `permissions: id-[redacted] in GitHub Actions. Revoke all existing npm tokens immediately.

Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Shared topic / Tension

    Harden CI/CD Against AI Agent Supply Chain Attacks

    Both cover Clinejection, Difficulty, Domain, GitHub Actions; overlapping topics (action, agent-security, difficulty); pushes against this story (against).

  2. Shared entities / Shared topic / What happened next

    Skills You Can Learn Today

    Both cover Difficulty, Domain, POST; overlapping topics (agent-security, intermediate); picks up the Difficulty thread on 2026-03-01.

  3. Shared entities / Shared topic

    Build and Distribute Claude Code Plugins

    Both cover Difficulty, Domain; overlapping topics (difficulty, intermediate, json, package).

  4. Shared entities / Shared topic / Earlier coverage

    Agent Skills Supply Chain Risk Classification

    Both cover Difficulty, Domain; overlapping topics (agent-security, difficulty, intermediate); earlier Difficulty coverage from 2026-02-24.

  5. Shared entities / Earlier coverage

    Set Up Production MCP Server Stack with Scoped Config

    Both cover Configure, Difficulty, Domain; earlier Configure coverage from 2026-02-20.

  6. Harden Claude Code in GitHub Actions with Network Egress Monitoring

    Both cover Difficulty, Domain, GitHub Actions; earlier Difficulty coverage from 2026-02-20.

  7. Shared entities / Shared topic / What happened next

    The Largest npm Worm of 2026 Carries Valid Supply Chain Attestations. That's the Real Problem.

    Both cover GitHub Actions, OIDC; overlapping topics (action, provenance); picks up the GitHub Actions thread on 2026-05-13.

  8. Shared entities / Shared topic / Tension

    Defend Against Weaponized MCP Servers (ARXON Pattern)

    Both cover Difficulty, Domain; overlapping topics (agent-security, difficulty); pushes against this story (against).

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-02-26-npm-trusted-publishing-with-oidc
Labels
source-backed, canonical briefing excerpt