NPM Private Package Installation is broken · community · Discussion #156354

Can confirm that User tokens have been stripped from numerous users accounts i manage.

I've just checked and all access tokens have been deleted from my user account as well. I did not receive any of the usual "[npm] Granular access token deleted" email notifications.

It looks like this might have happened sometime in the last ~9 hours (as of writing this comment). We have a github action with an npm token that completed successfully at 2025-04-10T16:33:32.000Z. The next action we have was at 2025-04-11T01:39:47.000Z, and that had an authentication failure - so it looks like the issue occurred sometime in that window of time.

All tokens wiped from all our CI and user management accounts as well

Same here. 20h ago was the last successful build in our system. This morning everything failed.

in the meantime user can recreate new tokens to unblock themselves.

Can confirm that worked and builds are now successful again.

Today, I encountered an issue while trying to publish a public package within our organization. The problem is unexpected because nothing has changed in the configuration or process, yet I am now receiving a 404 Not Found error during the publication. Maybe it's connected

npm ERR! 404 Not Found - PUT https://registry.npmjs.org/@nust_misis%2fui - Not found

Same here .... all tokens lot .... . Like about 6 months ago ....

My guess is npmjs was made aware of a leak and chose to mitigate first and foremost. I'd expect them to make an announcement later today on e.g. https://github.blog/tag/npm/

Hi all! Thank you for taking the time to report this and for your patience as the team was working on a solution.

This issue has been resolved, announced in this incident report.

If you continue to encounter issues, please let us know in this discussion.