diff --git a/lib/datasource/npm.js b/lib/datasource/npm.js
index 0673fcecc046a224381f737f455e6fb7f977bfc2..f99bd648d36f73e3d052e30856048d668f674454 100644
--- a/lib/datasource/npm.js
+++ b/lib/datasource/npm.js
@@ -66,6 +66,15 @@ function setNpmrc(input, trustLevel = 'low') {
     npmrc = ini.parse(input);
     // massage _auth to _authToken
     for (const [key, val] of Object.entries(npmrc)) {
+      // istanbul ignore if
+      if (
+        trustLevel === 'low' &&
+        key.endsWith('registry') &&
+        val &&
+        val.includes('localhost')
+      ) {
+        logger.warn({ key, val }, 'Detected localhost registry');
+      }
       if (key !== '_auth' && key.endsWith('_auth') && isBase64(val)) {
         logger.debug('Massaging _auth to _authToken');
         npmrc[key + 'Token'] = val;