GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks

https://thehackernews.com/2026/06/github-to-disable-npm-install-scripts.html

Publish Date: 2026-06-11 02:23:00

Source Domain: thehackernews.com

Ravie Lakshmanan | Jun 11, 2026 | Developer Security / Software Supply Chain

GitHub has announced what it said are “breaking changes” coming to npm version 12, one of which turns off install scripts by default to combat software supply chain threats.

The changes aim to combat attack techniques that abuse the “npm install” command to trigger the execution of malicious code through npm lifecycle hooks. The “npm install” command downloads and installs all the dependencies declared for a Node.js project. Version 12 is scheduled for release next month.

Describing install-time lifecycle scripts as the “single largest code-execution surface in the npm ecosystem,” GitHub said the “npm install” command runs scripts from every transitive dependency, as a result of which a single compromised package anywhere in the dependency tree can run arbitrary code on a developer machine or CI runner.

By blocking such behaviours, the idea is to require explicit user approval before any dependency code runs during “npm install”, rather than trusting every package's install scripts by default. “Making script execution opt-in closes that path while keeping it one command away for the packages you trust,” GitHub said.

The changes are listed below:

  • npm install will no longer execute preinstall, install, or postinstall scripts from dependencies unless they are explicitly allowed in the project.
  • npm install will no longer resolve Git dependencies, either direct or transitive, unless explicitly allowed via --allow-git.
  • npm install will no longer resolve dependencies from remote URLs, such as https tarballs, unless explicitly allowed via --allow-remote.

“This includes native node-gyp builds (i.e., a package with a binding.gyp and no explicit install script still gets blocked, because npm runs an implicit node-gyp rebuild for it),” the Microsoft-owned subsidiary said about changes to the default “allowScripts” behavior. “prepare scripts from git, file, and link dependencies are blocked the…
