pnpm leaks unscoped npm auth tokens to attacker-controlled registries via .npmrc
What changed
pnpm binds user-level unscoped npm authentication credentials (e.g., _authToken) to the effective default registry. A repository-local .npmrc can change the default registry, causing pnpm to send those credentials to an attacker-controlled registry.
Who it affects
Developers or CI jobs using pnpm with user-level npm registry credentials configured, who run pnpm install, pnpm view, or equivalent commands in a repository with a malicious .npmrc that sets a different registry.
What to do today
Review your pnpm version and consider upgrading to a patched version once available. As a workaround, use URL-scoped credentials (e.g., //registry.npmjs.org/:_authToken=...) instead of unscoped _authToken, or audit repository-local .npmrc files for unexpected registry settings.
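An added example (not pnpm's own code) that audits for the two conditions described above: it parses a user-level and a repository-local .npmrc, reports unscoped credential keys and a default-registry override, and rewrites the credential lines into the URL-scoped form. The intended registry URL and the sample configs are constructed assumptions for this example.

```python
from urllib.parse import urlparse

# Credential keys that, when unscoped, pnpm binds to the effective default
# registry; a repo-local "registry=" line can redirect them elsewhere.
CREDENTIAL_KEYS = ("_authToken", "_auth", "_password")
INTENDED_REGISTRY = "https://registry.npmjs.org/"  # assumption for this example

# Constructed sample configs (placeholder token, not a real credential).
USER_NPMRC = "registry=https://registry.npmjs.org/\n_authToken=npm_PLACEHOLDER\n"
REPO_NPMRC = "; committed .npmrc that changes the default registry\nregistry=https://untrusted.example/npm/\n"

def parse_npmrc(text):
    """Parse ini-style .npmrc text into a dict; blanks and comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def unscoped_credentials(user_cfg):
    """Credential keys with no //host/path/: prefix, i.e. bound to the default registry."""
    return [k for k in user_cfg if k in CREDENTIAL_KEYS]

def registry_override(repo_cfg, intended=INTENDED_REGISTRY):
    """Return the repo-local default registry if its host differs from the intended one."""
    reg = repo_cfg.get("registry")
    if reg and urlparse(reg).netloc != urlparse(intended).netloc:
        return reg
    return None

def audit(user_text, repo_text, intended=INTENDED_REGISTRY):
    """Credentials are exposed only when both conditions hold at once."""
    creds = unscoped_credentials(parse_npmrc(user_text))
    override = registry_override(parse_npmrc(repo_text), intended)
    return {"unscoped": creds, "override": override,
            "leaks": bool(creds) and override is not None}

def scope_credentials(user_text, intended=INTENDED_REGISTRY):
    """Rewrite unscoped credential lines to the //host/path/:key=value form."""
    u = urlparse(intended)
    path = u.path if u.path.endswith("/") else u.path + "/"
    prefix = "//" + u.netloc + path + ":"
    out = []
    for line in user_text.splitlines():
        key = line.split("=", 1)[0].strip()
        out.append(prefix + line.strip() if key in CREDENTIAL_KEYS else line)
    return "\n".join(out)
```

Running audit(USER_NPMRC, REPO_NPMRC) reports the leak; running it again on the output of scope_credentials(USER_NPMRC) shows the override still present but no unscoped credential for it to capture.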