[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fTCEnpsrMm1FuK5ZjusatddUL2-F6OrsiQBOed656N-A":3},{"article":4,"iocs":52},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":29,"category":30,"article_tags":34},"efda30ad-1747-488e-b8b0-86af9a48b9bb","GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks","github-to-disable-npm-install-scripts-by-default-to-stop-supply-chain-attacks-ed4724","GitHub has announced what it said are \"breaking changes\" coming to npm version 12, one of which turns off install scripts by default to combat software supply chain threats. The changes aim to combat attack techniques that abuse the \"npm install\" command to trigger the execution of malicious code using npm lifecycle hooks. \"Npm install\" is used to download and install all the necessary","GitHub is implementing significant changes in npm version 12, disabling install scripts by default to mitigate supply chain threats. These changes aim to prevent malicious code execution through npm lifecycle hooks, which have been a major vector for attacks. Developers will now need to explicitly approve scripts, making execution opt-in rather than the current default trust model.","GitHub to disable npm install scripts by default in npm v12 to prevent supply chain attacks.","GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks. Ravie Lakshmanan, Jun 11, 2026. Developer Security \u002F Software Supply Chain. GitHub has announced what it said are \"breaking changes\" coming to npm version 12, one of which turns off install scripts by default to combat software supply chain threats. The changes aim to combat attack techniques that abuse the \"npm install\" command to trigger the execution of malicious code using npm lifecycle hooks. 
\"Npm install\" is used to download and install all the necessary dependencies for a Node.js project. Version 12 is scheduled for release next month. Describing install-time lifecycle scripts as the \"single largest code-execution surface in the npm ecosystem,\" GitHub said the \"npm install\" command runs scripts from every transitive dependency, so a single compromised package anywhere in the dependency tree can run arbitrary code on a developer machine or CI runner. Blocking that behaviour means any code execution during \"npm install\" requires explicit user approval instead of being trusted by default. \"Making script execution opt-in closes that path while keeping it one command away for the packages you trust,\" GitHub said. The changes are listed below -
- npm install will no longer execute preinstall, install, or postinstall scripts from dependencies unless they are explicitly allowed in the project.
- npm install will no longer resolve Git dependencies, either direct or transitive, unless explicitly allowed via --allow-git.
- npm install will no longer resolve dependencies from remote URLs, such as https tarballs, unless explicitly allowed via --allow-remote.
\"This includes native node-gyp builds (i.e., a package with a binding.gyp and no explicit install script still gets blocked, because npm runs an implicit node-gyp rebuild for it),\" the Microsoft-owned subsidiary said about changes to the default \"allowScripts\" behavior. \"prepare scripts from git, file, and link dependencies are blocked the same way.\" Defaulting \"--allow-git\" to \"none\" also closes a code execution path in which a Git dependency's .npmrc configuration file could override the Git executable npm uses, and it did so even under --ignore-scripts, the flag that stops npm from automatically running packages' lifecycle scripts during installation. 
GitHub recommends that developers prepare for these changes by upgrading to npm 11.16.0 or newer, running a normal install, and reviewing the warnings it prints. \"Use npm approve-scripts --allow-scripts-pending to see which packages have scripts, approve the ones you trust, and commit the updated package.json,\" it added. \"After that, only the scripts you approved keep running once you upgrade. Anything you leave unapproved will stop.\" Earlier this year, npm also introduced \"min-release-age,\" a setting that tells npm to reject any package version published less than a specified number of days ago, as a safeguard against newly published malicious packages.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fgithub-to-disable-npm-install-scripts.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEi_yyoUTLr71Ug2Ge0R7qFSnlGjB3TzlrQ-2NDR5jpPSBjivUSxhxRV1eCg5E6Af15RbJLZpqg9Ohp9ZW9YC9D2oc3VcHrNYQetavvvarn-Pn1P4VWnMw2C-hXbFgplFW9O8pe-zSP9ABGkkR-LM8hhu370dXMgeV-TGQT2p9N7hd7Friim3UkdK5FfyHHp\u002Fs1600\u002Fnpm-github.jpg","2026-06-11T06:23:03+00:00","2026-06-11T08:00:16.114283+00:00",8,[18,21,24,27],{"name":19,"type":20},"npm","product",{"name":22,"type":23},"GitHub","vendor",{"name":25,"type":26},"Node.js","technology",{"name":28,"type":23},"Microsoft","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":29,"icon":31,"name":32,"slug":33},null,"Supply Chain","supply-chain",[35,40,42,47],{"category":36},{"id":37,"icon":31,"name":38,"slug":39},"02371804-cf6d-4449-98de-f1a2d4d9b266","Tools","tools",{"category":41},{"id":29,"icon":31,"name":32,"slug":33},{"category":43},{"id":44,"icon":31,"name":45,"slug":46},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":48},{"id":49,"icon":31,"name":50,"slug":51},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",[]]