npm Token

Description

General

• Documentation: https://docs.npmjs.com
• Summary: Npm (Node Package Manager) is a public javascript software registry. Developers can publish and download packages on the platform, organizations may also use npm to manage private packages and development. Npm provides both a CLI and an API to interact with registries. An access token is an alternative to using username and password for authenticating to npm.
• IPs allowlist: A token can be valid only for a given IP address range: this can be specified with the --cidr option using the CLI command npm token.
• Scopes: Three types of access can be granted to a token when creating it: read-only, automation and publish. Read this documentation for more information.

Revoke the secret

Access tokens can be revoked from npm's website or using the CLI. Read this page for more information.

Check for suspicious activity

This is not mentioned in the documentation.

Details for npm Token

• Family: token

• Category: package_registry

• Company: npm

• High recall: False

• Validity check available: False

• Analyzer available: False

• Minimum number of matches: 1

• Occurrences found for one million commits: 5.03

• Prefixed: False

• PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions:
    - ^(cs|x|p|s|r|m)?html5?~?$
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: false
  ban_markup: false
- type: ContentWhitelistPreValidator
  patterns:
    - npm
    - _authtoken

Examples

- text: +//registry.leaking-repos.com/:_authToken=e0cd4d7d-19fx-4p18-86f2-0bbc5e36g6b1
  apikey: e0cd4d7d-19fx-4p18-86f2-0bbc5e36g6b1

- text: +//192.168.88.9:8081/repository/npmlocal/:_authToken=NpmToken.4536684c-d492-39pb-89a8-743a59762bcc
  apikey: 4536684c-d492-39pb-89a8-743a59762bcc

- text: '"_authToken": "b98ec224-cdb2-4340-b7bd-9617fc719d1d"'
  apikey: b98ec224-cdb2-4340-b7bd-9617fc719d1d

- text: '-export NPM_TOKEN="007e64c7-635d-4d54-8295-f364cd8e0e0f"'
  apikey: 007e64c7-635d-4d54-8295-f364cd8e0e0f

Details for npm Token Prefixed

• Family: token

• Category: package_registry

• Company: npm

• High recall: False

• Validity check available: False

• Analyzer available: False

• Minimum number of matches: 1

• Occurrences found for one million commits: 1.45

• Prefixed: False

• PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions:
    - ^(cs|x|p|s|r|m)?html5?~?$
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: false
  ban_markup: false
- type: ContentWhitelistPreValidator
  patterns:
    - npm_

Examples

- text: +//registry.leaking-repos.com/:_authToken=npm_TBljNfh4TLQlHWVhybV4iXrsNj5bMQ9EMh6d
  apikey: npm_TBljNfh4TLQlHWVhybV4iXrsNj5bMQ9EMh6d

- text: +//192.168.88.9:8081/repository/npmlocal/:_authToken=npm_TBljNfh4TLQlHWVhybV4iXrsNj5bMQ9EMh6d
  apikey: npm_TBljNfh4TLQlHWVhybV4iXrsNj5bMQ9EMh6d

- text: '"_authToken": "npm_TBljNfh4TLQlHWVhybV4iXrsNj5bMQ9EMh6d"'
  apikey: npm_TBljNfh4TLQlHWVhybV4iXrsNj5bMQ9EMh6d

- text: '-export NPM_TOKEN="npm_TBljNfh4TLQlHWVhybV4iXrsNj5bMQ9EMh6d"'
  apikey: npm_TBljNfh4TLQlHWVhybV4iXrsNj5bMQ9EMh6d

# Fat-fingered secret
- text: NPM_TOKEN="nnpm_TBljNfh4TLQlHWVhybV4iXrsNj5bMQ9EMh6d
  apikey: npm_TBljNfh4TLQlHWVhybV4iXrsNj5bMQ9EMh6d