
GitHub kills instant npm publishing to stop AI-fueled malware hacks

Original version · May 26, 0:30

Say goodbye to the wild west of copy-pasting code. GitHub is finally putting a leash on npm because developers apparently can't stop letting AI models hallucinate fake libraries directly into production environments. Welcome to the era of manual babysitting.

On May 20, 2026, GitHub merged the `npm stage` command into npm CLI version 11.15.0, fundamentally altering the registry's publishing model. From now on, running `npm publish` no longer makes a package immediately live; instead, it sends it to a staging queue. To actually release the code to millions of developers, a human maintainer must manually verify and approve the package using two-factor authentication (2FA) either via the command line or the npmjs.com dashboard. This change, which requires at least Node.js version 22.14.0, is designed to break the automated pipeline that malicious actors and rogue scripts have been exploiting.

The security overhaul is a direct response to the devastating Shai-Hulud attacks, which compromised over 25,000 repositories and drained more than $50 million by hijacking developer tokens. In May 2026, a spin-off campaign called Mini Shai-Hulud by a group known as Team PCP successfully infected major libraries, including @tanstack/react-router, which commands millions of weekly downloads. By turning instant publishing into a staged queue, GitHub hopes to stop stolen credentials from instantly poisoning the entire internet before anyone notices.

Adding to the chaos is the rise of "slopsquatting"—a term coined by Seth Larson from the Python Software Foundation to describe hackers registering fake package names hallucinated by artificial intelligence. A study presented at USENIX Security revealed that nearly 20% of packages recommended by popular AI models do not actually exist, with many hallucinated names repeating consistently across identical prompts. For instance, in early 2026, a fake package named `react-codeshift`—a hallucinated hybrid of real tools—successfully slipped into 237 repositories because lazy developers blindly trusted AI-generated agent files. This new staged publishing mechanism forces a physical human back into the loop, abruptly cutting off autonomous AI tools like Claude Code or Cursor from publishing code directly to production.
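A defender-side check for the slopsquatting pattern described above, added here as an example and not code from GitHub, npm or the cited study: it audits a manifest against a reviewed inventory and marks unknown names that are recombinations of known ones. The inventory, the sample manifest, the version strings and all function names are constructed assumptions.

```javascript
// Constructed inventory of packages a team has already reviewed (assumption).
const VETTED = new Set(["react", "react-dom", "jscodeshift", "@tanstack/react-router"]);

// Constructed manifest, as an AI coding agent might have written it.
const SAMPLE_MANIFEST = {
  dependencies: { react: "1.0.0", "react-codeshift": "1.0.0" },
  devDependencies: { jscodeshift: "1.0.0", "left-padz": "1.0.0" },
};

// Split a package name into lowercase tokens, ignoring any @scope/ prefix.
function nameTokens(name) {
  return name.replace(/^@[^/]+\//, "").toLowerCase().split(/[-_.]/).filter(Boolean);
}

// True when every token of an unknown name also occurs inside some vetted
// name, i.e. the "hybrid of real tools" shape the article describes.
function looksLikeHybrid(name, vetted) {
  const known = [...vetted].map((v) => v.toLowerCase());
  const parts = nameTokens(name);
  return parts.length > 1 && parts.every((p) => known.some((k) => k.includes(p)));
}

// Return one finding per dependency that is not in the vetted inventory.
function auditManifest(manifest, vetted) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const name of Object.keys(manifest[field] || {})) {
      if (vetted.has(name)) continue;
      const reason = looksLikeHybrid(name, vetted) ? "unvetted-hybrid" : "unvetted";
      findings.push({ name, field, reason });
    }
  }
  return findings;
}

// A CI job would fail the build when this list is non-empty.
console.log(auditManifest(SAMPLE_MANIFEST, VETTED));
```

Run before `npm install` in CI, a non-empty result sends the new name to a human for review instead of straight into the dependency tree.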

Vibe coding was a fun ride while it lasted, but letting autocomplete engines run the entire software supply chain was always a recipe for disaster. The industry wanted complete automation, but instead, it got a digital babysitter requiring 2FA because humans can't resist installing hallucinated malware.

Source: GitHub Blog

Comments

  1. Silent Rascal
    so we went from 'AI will replace us' to 'i have to manually click approve on 20 dependencies every morning' lol
    +3 funny · We went from 'AI will do everything' to 'I have to click approve 20 times a day'
  2. Rusty Comrade
    honestly about time. vibe coding was literally just copy-pasting hallucinated garbage without looking. npm was a biohazard
    +4 solid · Vibe coding was just a fancy way of saying 'I have no idea what this code does'