diff --git a/docs/usage/private-modules.md b/docs/usage/private-modules.md
index 3a1ef51301fcda4c4679f1bf63bd7c7f9bc5de69..29ee645095f5d2a86af046aa25f124e9c6144f35 100644
--- a/docs/usage/private-modules.md
+++ b/docs/usage/private-modules.md
@@ -216,7 +216,7 @@ For instructions on this, see the above section on encrypting secrets for the Wh
 
 Self-hosted users can use environment variables to configure the most common types of `hostRules` for authentication.
 
-The format of the environment variables must be all upper-case and follow:
+The format of the environment variables must follow:
 
 - Datasource name (e.g. `NPM`, `PYPI`)
 - Underscore (`_`)
@@ -227,6 +227,8 @@ The format of the environment variables must be all upper-case and follow:
 Hyphens (`-`) in datasource or host name must be replaced with double underscores (`__`).
 Periods (`.`) in host names must be replaced with a single underscore (`_`).
 
+Note: the following prefixes cannot be supported for this functionality: `npm_config_`, `npm_lifecycle_`, `npm_package_`.
+
 #### npmjs registry token example
 
 `NPM_REGISTRY_NPMJS_ORG_TOKEN=abc123`:
diff --git a/lib/config/env.spec.ts b/lib/config/env.spec.ts
index acb608f5ab7ef4878b2f03c35bca60c975865402..6b9915f9e981f46537eb69a05327af0de8c11ff7 100644
--- a/lib/config/env.spec.ts
+++ b/lib/config/env.spec.ts
@@ -126,6 +126,12 @@ describe(getName(), () => {
       };
       expect(env.getConfig(envParam).hostRules).toHaveLength(0);
     });
+    it('rejects npm env', () => {
+      const envParam: NodeJS.ProcessEnv = {
+        npm_package_devDependencies__types_registry_auth_token: '4.2.0',
+      };
+      expect(env.getConfig(envParam).hostRules).toHaveLength(0);
+    });
     it('supports Bitbucket token', () => {
       const envParam: NodeJS.ProcessEnv = {
         RENOVATE_PLATFORM: PLATFORM_TYPE_BITBUCKET,
diff --git a/lib/config/env.ts b/lib/config/env.ts
index 9858f3ff8ff359fbdb2967553355ea22b5a9dfda..9689b70353998a3085cd4afa02c9eaf4435877d6 100644
--- a/lib/config/env.ts
+++ b/lib/config/env.ts
@@ -92,7 +92,13 @@ export function getConfig(env: NodeJS.ProcessEnv): GlobalConfig {
 
   const hostRules: HostRule[] = [];
 
+  const npmEnvPrefixes = ['npm_config_', 'npm_lifecycle_', 'npm_package_'];
+
   for (const envName of Object.keys(env).sort()) {
+    if (npmEnvPrefixes.some((prefix) => envName.startsWith(prefix))) {
+      logger.trace('Ignoring npm env: ' + envName);
+      continue; // eslint-disable-line no-continue
+    }
     // Double underscore __ is used in place of hyphen -
     const splitEnv = envName.toLowerCase().replace('__', '-').split('_');
     const hostType = splitEnv.shift();