Will It Vibe logoWill It Vibe?
SECRET-025Critical severity-25 points

npm registry auth token (_authToken)

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.

What it detects

A literal registry auth token was assigned to _authToken in a committed config, CI, or shell file. It authenticates to the registry and can publish packages.

Why it matters

A literal token assigned to _authToken authenticates to a package registry and can publish packages, a supply-chain risk. This commonly leaks when a CI script or Dockerfile writes the token into an npmrc-style config inline. Anyone with repo access gets the token.

How to fix it

Reference the token from an environment variable in the config line (for example _authToken=${NPM_TOKEN}) and supply it through a CI secret at build time. Never write the literal value. Revoke the exposed token with the registry.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks