A scoped token is an access token that is restricted to specific npm actions, packages, or organizations. Instead of granting full account-level access, it can be limited to publishing, reading, or managing only the resources that a workflow needs.
In cyber security, scoped tokens matter because they reduce blast radius. If a token is stolen from a developer machine, CI job, or secret store, the attacker may only be able to affect one package or one organization rather than the entire account. In npm supply-chain attacks, stolen publishing tokens are often the key that lets an attacker push malicious versions. Defenders use scoped tokens, short lifetimes, two-factor authentication, and secret rotation to make that abuse harder and to contain the damage if a credential leaks.
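The blast-radius argument above can be made concrete with a small authorization model. The following is an added example, not npm's own token implementation or data model: it assumes a constructed `ScopedToken` type whose grants are an action set, a package/organization scope list and an expiry, and it compares what a leaked account-wide token could publish against what a token scoped to one package and a read-only token could. All tokens, package names and timestamps are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class ScopedToken:
    """Constructed model of a scoped registry token (assumption, not npm's schema)."""
    name: str
    actions: frozenset      # e.g. {"read"} or {"read", "publish"}
    packages: frozenset     # exact names, org globs like "@acme/*", or "*" for any
    expires_at: datetime    # short lifetimes limit how long a stolen token is useful

def _package_matches(pattern: str, package: str) -> bool:
    """Return True if a scope pattern covers the given package name."""
    if pattern == "*":
        return True
    if pattern.endswith("/*"):               # organization scope, e.g. "@acme/*"
        return package.startswith(pattern[:-1])  # keep the trailing "/" -> "@acme/"
    return pattern == package

def authorize(token: ScopedToken, action: str, package: str, now: datetime):
    """Decide whether `token` may perform `action` on `package` at time `now`.

    Returns (allowed, reason). Every check is a deny-by-default gate: expiry,
    then granted actions, then package/organization scope.
    """
    if now >= token.expires_at:
        return False, "token expired"
    if action not in token.actions:
        return False, f"action {action!r} not granted to {token.name}"
    if not any(_package_matches(p, package) for p in token.packages):
        return False, f"package {package!r} outside scope of {token.name}"
    return True, "allowed"

def blast_radius(token: ScopedToken, action: str, all_packages, now: datetime):
    """Packages the token could affect with `action` if it leaked right now."""
    return sorted(p for p in all_packages if authorize(token, action, p, now)[0])

# --- constructed sample data -------------------------------------------------
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
ACCOUNT_PACKAGES = ["@acme/web", "@acme/api", "@acme/cli", "legacy-tool"]

# Account-wide automation token: every package, every action, long-lived.
FULL_TOKEN = ScopedToken("full-automation", frozenset({"read", "publish"}),
                         frozenset({"*"}), NOW + timedelta(days=365))
# CI token for one release pipeline: publish only @acme/web, expires in a week.
CI_TOKEN = ScopedToken("ci-web-release", frozenset({"read", "publish"}),
                       frozenset({"@acme/web"}), NOW + timedelta(days=7))
# Developer token for installs across the org: read-only, no publish at all.
READONLY_TOKEN = ScopedToken("dev-readonly", frozenset({"read"}),
                             frozenset({"@acme/*"}), NOW + timedelta(days=30))

if __name__ == "__main__":
    for tok in (FULL_TOKEN, CI_TOKEN, READONLY_TOKEN):
        print(f"{tok.name}: could publish {blast_radius(tok, 'publish', ACCOUNT_PACKAGES, NOW)}")
    print(authorize(CI_TOKEN, "publish", "@acme/api", NOW))
    print(authorize(CI_TOKEN, "publish", "@acme/web", NOW + timedelta(days=8)))
```

Run as a script, the output shows the account-wide token able to publish all four packages, the CI token only `@acme/web`, and the read-only token nothing; the same CI token is refused for `@acme/api` and, once its week has passed, for `@acme/web` as well. That difference in the `blast_radius` result is what a scoped, short-lived token buys a defender when a credential leaks.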