diff --git a/lib/manager/resolve.js b/lib/manager/resolve.js
index d145555a0c47b5ab553d6db7e01eece69bdebc1b..fc06f9f39a1fa6a7b335ff952adb322b21a483e9 100644
--- a/lib/manager/resolve.js
+++ b/lib/manager/resolve.js
@@ -66,6 +66,19 @@ async function resolvePackageFiles(config) {
       }
       if (packageFile.npmrc) {
         logger.info('Found .npmrc');
+        if (
+          packageFile.npmrc.match(/\${NPM_TOKEN}/) &&
+          !config.global.exposeEnv
+        ) {
+          logger.info('Stripping NPM_TOKEN from .npmrc');
+          packageFile.npmrc = packageFile.npmrc
+            .replace(/(^|\n).*?\${NPM_TOKEN}.*?(\n|$)/g, '')
+            .trim();
+          if (packageFile.npmrc === '') {
+            logger.info('Removing empty .npmrc');
+            delete packageFile.npmrc;
+          }
+        }
       } else {
         delete packageFile.npmrc;
       }
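Review bot: The pattern in `.replace(/(^|\n).*?\${NPM_TOKEN}.*?(\n|$)/g, '')` consumes the newline on both sides of the matched line, so in a multi-line .npmrc the lines before and after the token line are joined into one (a `registry=` URL would get the next setting appended), and a second token line directly below the first is missed because its leading newline was already consumed. A line-anchored pattern avoids both: `.replace(/^.*\$\{NPM_TOKEN\}.*$/gm, '')`, keeping the existing `.trim()` and empty check. Only the literal name NPM_TOKEN is handled, so any other `${...}` reference stays in the file when `exposeEnv` is off, which may deserve a comment or a broader pattern. `config.global.exposeEnv` is read without a guard, and since the spec had to add `config.global = {}` to its `beforeEach`, a caller that passes no `global` object would presumably throw here. The body of resolvePackageFiles starts and ends outside this hunk.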
diff --git a/test/manager/__snapshots__/resolve.spec.js.snap b/test/manager/__snapshots__/resolve.spec.js.snap
index ee2be595dc60c5386a55c6602f9e64a343867aba..545da8d9410f0c9bf2e1c56fe1d7cd97d01a642c 100644
--- a/test/manager/__snapshots__/resolve.spec.js.snap
+++ b/test/manager/__snapshots__/resolve.spec.js.snap
@@ -322,4 +322,18 @@ exports[`manager/resolve resolvePackageFiles() handles wrong filenames 1`] = `Ar
 
 exports[`manager/resolve resolvePackageFiles() skips if no content or no match 1`] = `Array []`;
 
+exports[`manager/resolve resolvePackageFiles() strips npmrc with NPM_TOKEN 1`] = `
+Array [
+  Object {
+    "content": Object {
+      "name": "package.json",
+      "version": "0.0.1",
+    },
+    "currentPackageJsonVersion": "0.0.1",
+    "enabled": true,
+    "packageFile": "package.json",
+  },
+]
+`;
+
 exports[`manager/resolve resolvePackageFiles() uses packageFiles if already configured and raises error if not found 1`] = `Array []`;
diff --git a/test/manager/resolve.spec.js b/test/manager/resolve.spec.js
index 412610789710d8155eb5c2d31414f77ccf9d2309..fc7ab559ac25b87e60aa3886f26fc29a07974277 100644
--- a/test/manager/resolve.spec.js
+++ b/test/manager/resolve.spec.js
@@ -5,6 +5,7 @@ let config;
 beforeEach(() => {
   jest.resetAllMocks();
   config = { ...require('../_fixtures/config') };
+  config.global = {};
   config.errors = [];
   config.warnings = [];
 });
@@ -133,5 +134,20 @@ describe('manager/resolve', () => {
       expect(res.packageFiles[1].prTitle).toEqual('abcdefg');
       expect(res.packageFiles[2].prTitle).not.toEqual('abcdefg');
     });
+    it('strips npmrc with NPM_TOKEN', async () => {
+      manager.detectPackageFiles = jest.fn(() => [
+        { packageFile: 'package.json' },
+      ]);
+      platform.getFileList.mockReturnValueOnce(['package.json', '.npmrc']);
+      platform.getFile.mockReturnValueOnce(
+        '{"name": "package.json", "version": "0.0.1"}'
+      );
+      platform.getFile.mockReturnValueOnce(
+        '//registry.npmjs.org/:_authToken=${NPM_TOKEN}' // eslint-disable-line
+      );
+      const res = await resolvePackageFiles(config);
+      expect(res.packageFiles).toMatchSnapshot();
+      expect(res.warnings).toHaveLength(0);
+    });
   });
 });
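Review bot: The new `strips npmrc with NPM_TOKEN` case feeds a one-line .npmrc, so it only exercises the branch where the file ends up empty and is deleted. The partial-strip path, where other settings must survive intact, and the `config.global.exposeEnv = true` path, where the file must be left untouched, are not covered. A second fixture such as `'registry=https://registry.npmjs.org/\n//registry.npmjs.org/:_authToken=${NPM_TOKEN}\nalways-auth=true'` with an assertion on the resulting npmrc value would pin the line handling. A third case with `exposeEnv` set should assert the content is returned unchanged.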