How to steal npm publish tokens by opening GitHub issues

Attackers pushed a poisoned cline@2.3.0 to npm using a stolen publish token. Its postinstall script installed OpenClaw globally.

An AI triage bot let a malicious issue title trick Claude into running commands on a GitHub Actions runner; those commands wrote a poisoned actions/cache entry.

The nightly release workflow restored the poisoned node_modules from that cache. The injected code exfiltrated NPM_RELEASE_TOKEN, which enabled an unauthorized npm publish without provenance.

Posted by VarBear (@varbear) on FAUN.dev() under #SoftwareEngineering. SWE Weekly Newsletter, Varbear: curated programming news, tutorials, tools and more.