Detecting NPM Package Owner Changes in CI: Supply Chain Defense (2025)

Package ownership and maintainer changes are high-signal events in software supply chains. A trustworthy package today can become risky tomorrow after a maintainer handoff or account compromise. This guide shows how to detect owner changes in CI and block merges until humans review them.

What to watch for

New maintainer accounts added to a package (especially recently created accounts).
Ownership transfer to a new scope/org.
Sudden spike of releases after a long dormant period.
New lifecycle scripts or native bindings introduced along with ownership change.

Approach: compare before vs after in CI

For each package that changed in the lockfile, get the previous maintainers/owner and the new set, then fail CI if the delta contains unknown or untrusted accounts. A simple baseline can use the public registry API, with a local allowlist for your org’s vetted packages.

GitHub Actions: detect maintainer changes

name: owner-change-guard
on: [pull_request]
jobs:
  check-owners:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: corepack enable
      - name: Compute changed packages from lockfile
        run: |
          git fetch origin ${{ github.base_ref }} --depth=1
          git checkout ${{ github.base_ref }}
          cp pnpm-lock.yaml pnpm-lock.base.yaml || true
          git checkout ${{ github.head_ref }}
          cp pnpm-lock.yaml pnpm-lock.head.yaml || true
          node -e '
            const fs=require("fs");
            const base=fs.readFileSync("pnpm-lock.base.yaml","utf8").split("
");
            const head=fs.readFileSync("pnpm-lock.head.yaml","utf8").split("
");
            const pkgre=/^s{2}([^s][^:]+):$/; // section headers like "  registry.npmjs.org/foo/1.2.3:"
            const get=set=>{const s=new Set(); for(const l of set){const m=l.match(pkgre); if(m){const id=m[1]; const name=id.split("/").slice(-2,-1)[0]; s.add(name);} } return s};
            const b=get(base), h=get(head);
            const added=[...h].filter(x=>!b.has(x));
            const changed=[...added];
            console.log(JSON.stringify({changed}));
          ' > changed.json
          cat changed.json
      - name: Fetch maintainers and compare
        env:
          ALLOWLIST: "^(esbuild|sharp|@your-scope/)"
        run: |
          CHANGED=$(jq -r '.changed[]' changed.json || true)
          FAIL=0
          for PKG in $CHANGED; do
            echo "Checking $PKG";
            BASE=$(curl -sL https://registry.npmjs.org/$PKG | jq -r '.maintainers[]?.name' | sort -u | tr '
' ' ')
            # Optionally compare previous version maintainers by pinning a specific version from the base lockfile
            echo "Maintainers: $BASE";
            echo "$PKG" | grep -Eq "$ALLOWLIST" && { echo "allowlisted"; continue; }
            # Organization policy could require manual approval for any owner change event
          done
          exit $FAIL
      - name: Fail if unexpected owner changes detected
        if: failure()
        run: exit 1

Notes: npm maintains an owner/maintainer list per package via the registry API; results may vary per package. For critical packages, mirror metadata to your own database and require a manual approval workflow on any owner changes.

Policy refinements

Enrich with account age, publish cadence, and 2FA signals when available.
Require second reviewer approval if an owner change coincides with lifecycle scripts.
Auto-open a security review task when a high-risk package changes owners.