npm credentials (.npmrc)
A project .npmrc can contain registry auth tokens (_authToken). When it is committed, both registries and AI tools can read those credentials.
This week: 49 repos in the scanned fleet exposed this category (83 matches).See Radar #4 →
What it is
.npmrc configures npm — registries, scopes, and authentication. A line like //registry.npmjs.org/:_authToken=... grants publish and install rights to private packages.
Why it matters for AI context
An AI assistant indexing the repo can read the auth token from .npmrc and surface it in context or completions. The token can be used to publish or download private packages.
How to keep it out of AI tools
- Keep auth tokens in a user-level ~/.npmrc or CI secret, not the project file.
- Use environment variable references (${NPM_TOKEN}) in a committed .npmrc instead of literal tokens.
- Add .npmrc to .gitignore if it ever contains literal credentials.
- Add .npmrc to your AI ignore file as a precaution.
.npmrcIgnore files that exclude this
FAQ
- Can I commit .npmrc at all?
- Yes, if it only contains non-secret config or environment variable references. Never commit a literal _authToken.
Check your own project
158 of 499 repos this week exposed sensitive paths to AI tools. Check yours in seconds:
Run the same local check with Offsend CLI:
brew install --cask offsend/tap/offsend-cli
offsend show
offsend prepare --dry-runEverything runs locally. No file contents are uploaded.