diff --git a/.github/workflows/publish-preview.yml b/.github/workflows/publish-preview.yml
index 60236360..405ed732 100644
--- a/.github/workflows/publish-preview.yml
+++ b/.github/workflows/publish-preview.yml
@@ -213,6 +213,15 @@ jobs:
 echo "::error::No package.json files found to validate"
 exit 1
 fi
+ # Strip registry overrides from .yarnrc.yml to prevent registry
+ # redirects that could exfiltrate the NPM token. npmPublishRegistry
+ # takes precedence over npmRegistryServer for yarn npm publish, and
+ # npmScopes can override per-scope. YARN_NPM_REGISTRY_SERVER env var
+ # only overrides npmRegistryServer, not the others.
+ if [[ -f .yarnrc.yml ]]; then
+ echo "Stripping registry config from .yarnrc.yml"
+ yq -i 'del(.npmRegistryServer) | del(.npmPublishRegistry) | del(.npmScopes)' .yarnrc.yml
+ fi
 for f in "${manifests[@]}"; do
 # Strip lifecycle scripts that run during pack/publish
 if jq -e '.scripts // {} | keys[] | select(test("^(pre|post)?(pack|publish|prepare)$"))' "$f" > /dev/null 2>&1; then
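Review bot: The `yq -i 'del(...)'` line closes the `.yarnrc.yml` redirect paths but leaves `publishConfig.registry` in each package.json untouched, and as I read yarn's publish logic that field is consulted before `npmPublishRegistry`, so a manifest in the repo can still redirect the publish and the token it carries; the `for f in "${manifests[@]}"` loop that follows already rewrites each manifest, so strip it there too, e.g. `jq 'del(.publishConfig.registry)' "$f" > "$f.tmp" && mv "$f.tmp" "$f"`. Deleting the registry keys also does not contain a hostile `.yarnrc.yml` on its own: `plugins` and `yarnPath` still load repo-controlled JavaScript in the same process that holds the token, so either extend the expression with `del(.plugins) | del(.yarnPath)` (accepting that the runner's own yarn then replaces the pinned release) or record in the comment that the repository is assumed trusted for code execution. Yarn additionally reads `~/.yarnrc.yml` and rc files in parent directories, which the `-f .yarnrc.yml` check does not cover, though on a fresh runner that is probably moot. The `run` script continues past the hunk, so the actual publish invocation and where the token is injected are not visible here.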