
@dotcom-tool-kit/circleci-npm
This plugin is for managing the `publish:tag` hook that is run from circleci to publish the built package to the npm registry.
The `tool-kit/publish` job is triggered in your CircleCI pipeline once you do a release with a tag matching the semver format. If your tag is a beta version, e.g. `v1.6.0-beta.1`, then the publish job will tag your build as a prerelease version. If your tag is a release version, e.g. `v1.6.0`, then the publish job will tag your build as the latest version.
This plugin will be installed as a dependency of the component plugin so you do not need to install it separately if you are using either of those plugins.
Install `@dotcom-tool-kit/circleci-npm` as a devDependency in your app:

```sh
npm install --save-dev @dotcom-tool-kit/circleci-npm
```

Add the plugin to your Tool Kit configuration:

```yaml
plugins:
  - '@dotcom-tool-kit/circleci-npm'
```

Install this plugin's hooks:

```sh
npx dotcom-tool-kit --install
```
If you are migrating your project to Tool Kit for the first time, this plugin can generate a new `.circleci/config.yml` file for your project, including Tool Kit configured workflows. To use this feature, delete or rename your existing CircleCI `config.yml` file before running the install command.

If you have the automated comment `# CONFIG GENERATED BY DOTCOM-TOOL-KIT, DO NOT EDIT BY HAND\n` in your `config.yml`, running the install command will add the `tool-kit/publish` job to your `config.yml`. It will also add the tags filter to the rest of the tool-kit jobs in your workflow, because CircleCI only runs a tag-triggered job when the jobs it depends on also have a tags filter.

If you don't have the automated comment in your `config.yml` and therefore choose to add the `tool-kit/publish` job manually, (1) copy and paste the code snippet below and (2) add the tags filter to the rest of the tool-kit jobs:
```yaml
- tool-kit/publish:
    context: npm-publish-token
    requires:
      - tool-kit/test
    filters:
      branches:
        ignore: /.*/
      tags:
        only: /^v\d+\.\d+\.\d+(-.+)?/
```
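The manual setup above can be checked mechanically before a release tag is pushed. The following is an added example, not code from Tool Kit: it assumes the workflow's `jobs:` list has already been parsed from YAML into a JavaScript array, and `auditPublishWorkflow`, `jobEntry` and the `tool-kit/build` job in the sample are hypothetical names.

```javascript
// Added example (not from the plugin): audit a parsed workflow `jobs:` list.
const TAG_FILTER = '/^v\\d+\\.\\d+\\.\\d+(-.+)?/'; // pattern from the snippet above

// A workflow entry is either 'job-name' or { 'job-name': { ...options } }.
function jobEntry(entry) {
  if (typeof entry === 'string') return [entry, {}];
  const [name] = Object.keys(entry);
  return [name, entry[name] || {}];
}

function auditPublishWorkflow(jobs) {
  const byName = new Map(jobs.map(jobEntry));
  const publish = byName.get('tool-kit/publish');
  if (!publish) return ['tool-kit/publish: job is missing from the workflow'];

  const problems = [];
  const filters = publish.filters || {};
  if ((filters.tags || {}).only !== TAG_FILTER)
    problems.push('tool-kit/publish: tags filter differs from the documented pattern');
  if ((filters.branches || {}).ignore !== '/.*/')
    problems.push('tool-kit/publish: branches are not ignored, so branch pushes can publish');
  if (![].concat(publish.context || []).includes('npm-publish-token'))
    problems.push('tool-kit/publish: npm-publish-token context is not attached');

  // Walk everything publish depends on, directly or transitively.
  const seen = new Set();
  const queue = [...(publish.requires || [])];
  while (queue.length > 0) {
    const name = queue.shift();
    if (seen.has(name)) continue;
    seen.add(name);
    const job = byName.get(name);
    if (!job) { problems.push(`${name}: required but not defined`); continue; }
    if (!(job.filters && job.filters.tags))
      problems.push(`${name}: no tags filter, so it will not run for a tag build`);
    queue.push(...(job.requires || []));
  }
  return problems;
}

// Constructed sample: tool-kit/build is a hypothetical job left without a tags filter.
const tagsOnly = { tags: { only: TAG_FILTER } };
const sampleJobs = [
  { 'tool-kit/build': {} },
  { 'tool-kit/test': { requires: ['tool-kit/build'], filters: tagsOnly } },
  { 'tool-kit/publish': {
      context: 'npm-publish-token',
      requires: ['tool-kit/test'],
      filters: { branches: { ignore: '/.*/' }, ...tagsOnly } } },
];
console.log(auditPublishWorkflow(sampleJobs));
```

An empty array means the publish job is limited to matching tags, carries the `npm-publish-token` context, and every job it depends on will also run for a tag build.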
| Event | Description | Installed to... | Default tasks |
|---|---|---|---|
| `publish:tag` | Publishes the built package to the npm registry | `publish-tag` job in `.circleci/config.yml` | `NpmPublish` |
FAQs
The npm package @dotcom-tool-kit/circleci-npm receives a total of 296 weekly downloads. As such, @dotcom-tool-kit/circleci-npm popularity was classified as not popular.
We found that @dotcom-tool-kit/circleci-npm demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.