npm Access Token
Detects npm access tokens, which carry the npm_ prefix followed by a 36-character alphanumeric body. These tokens authenticate to the npm registry and, depending on their scope, can publish, unpublish or grant access to packages; a leaked token lets an attacker publish malicious versions of the packages it controls, a direct software supply-chain attack.
- Type: regex
- Engine: universal
- Confidence: high
- Confidence justification: High confidence: the distinctive npm_ prefix with a fixed 36-character body, guarded on both sides so it cannot sit inside a longer identifier, makes false positives extremely unlikely.
- Jurisdictions: global
- Regulations: Criminal Code Act 1995 (Cth), Computer Fraud and Abuse Act, Computer Misuse Act 1990
- Frameworks: CIS Controls, ISO 27001, NIST CSF, SOC 2
- Data categories: credentials, security
- Scope: narrow
- Risk rating: 9
- Platform compatibility: Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?<![A-Za-z0-9_])npm_[A-Za-z0-9]{36}(?![A-Za-z0-9])
Corroborative evidence keywords
npm, npm token, registry, .npmrc, authToken, package
Proximity: 300 characters
Should match
- `npm_ABCDEFGHIJ1234567890abcdefghij123456` (npm access token: npm_ prefix + 36 chars)
- `//registry.npmjs.org/:_authToken=npm_zZyYxXwWvVuU0123456789abcdefghij0123` (npm token in .npmrc authToken form)
- `npm_aB3dE6gH9jK2mN5pQ8sTuVwXyZ0123456789` (mixed-case npm access token)
Should not match
- `npm_tooShort1234` (too short to be an npm access token)
- `ghp_ABCDEFGHIJ1234567890abcdefghij12345678` (GitHub token prefix, not npm)
- `install the package and set your npm token in CI` (prose mention without a token value)
Known false positives
- Documentation or examples showing placeholder npm_ strings. Mitigation: Require corroborative npm/registry keywords and exclude placeholder markers.
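The rule above is a pattern plus two post-filters (corroborative keywords within 300 characters, and exclusion of placeholders). The following is an added example, not part of the original rule page or any DLP product's code, that wires those three pieces together in Python and runs them over a constructed sample. The regex, keyword list and proximity window are taken from the rule; the placeholder heuristics (a run of eight or more identical characters, or a marker word inside the token body) and the sample corpus are assumptions of this example.

```python
import re

# Detection pattern from the rule: npm_ prefix + 36-char body, guarded so it
# cannot be a fragment of a longer identifier.
NPM_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_])npm_[A-Za-z0-9]{36}(?![A-Za-z0-9])")

# Corroborative keywords and proximity window from the rule (compared case-insensitively,
# so "authToken" in an .npmrc line matches the lower-cased entry here).
KEYWORDS = ("npm", "npm token", "registry", ".npmrc", "authtoken", "package")
PROXIMITY = 300

# Placeholder heuristics are an assumption of this example, not part of the rule.
PLACEHOLDER_RUN_RE = re.compile(r"(.)\1{7,}")          # e.g. npm_xxxxxxxx...
PLACEHOLDER_WORDS = ("example", "placeholder", "redacted", "yourtoken", "changeme")


def is_placeholder(token):
    """True when the token body looks like documentation filler rather than a secret."""
    body = token[len("npm_"):].lower()
    return bool(PLACEHOLDER_RUN_RE.search(body)) or any(w in body for w in PLACEHOLDER_WORDS)


def has_corroboration(text, start, end):
    """Look for a rule keyword within PROXIMITY chars before or after the match.

    The match itself is deliberately excluded: its own "npm_" prefix contains the
    keyword "npm", so including it would make corroboration succeed on every hit.
    """
    before = text[max(0, start - PROXIMITY):start]
    after = text[end:end + PROXIMITY]
    context = (before + " " + after).lower()
    return any(k in context for k in KEYWORDS)


def scan(text):
    """Return every pattern hit with its corroboration and placeholder verdicts."""
    findings = []
    for m in NPM_TOKEN_RE.finditer(text):
        start, end = m.span()
        token = m.group(0)
        findings.append({
            "token": token,
            "offset": start,
            "corroborated": has_corroboration(text, start, end),
            "placeholder": is_placeholder(token),
        })
    return findings


def confirmed_tokens(text):
    """Tokens that pass both post-filters and should be reported as findings."""
    return [f["token"] for f in scan(text) if f["corroborated"] and not f["placeholder"]]


# Constructed sample corpus (not real tokens): two genuine-looking hits, one placeholder,
# plus the rule's own negative cases.
PLACEHOLDER_TOKEN = "npm_" + "x" * 36
SAMPLE = (
    "//registry.npmjs.org/:_authToken=npm_zZyYxXwWvVuU0123456789abcdefghij0123\n"
    "NPM_TOKEN=npm_aB3dE6gH9jK2mN5pQ8sTuVwXyZ0123456789  # used by the CI publish step\n"
    f"docs: set it like {PLACEHOLDER_TOKEN} in your .npmrc\n"
    "ghp_ABCDEFGHIJ1234567890abcdefghij12345678\n"
    "npm_tooShort1234\n"
    "install the package and set your npm token in CI\n"
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
    print("confirmed:", confirmed_tokens(SAMPLE))
```

Running it reports three pattern hits in the sample, of which two are confirmed; the all-`x` token is dropped as a placeholder, and the GitHub-style and too-short strings never reach the post-filters. A token dropped into text with no npm vocabulary nearby (for example `random blob: npm_... end`) is matched by the regex but not corroborated, which is the behaviour the proximity rule is meant to produce. One observation on the pattern itself: the lookbehind rejects a preceding underscore but the lookahead does not reject a following one, so `npm_<36 chars>_suffix` would still match; if that matters in your deployment, add `_` to the lookahead class.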