{"id":270040,"date":"2026-06-11T02:23:00","date_gmt":"2026-06-11T06:23:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/11\/github-to-disable-npm-install-scripts-by-default-to-stop-supply-chain-attacks\/"},"modified":"2026-06-11T06:10:09","modified_gmt":"2026-06-11T10:10:09","slug":"github-to-disable-npm-install-scripts-by-default-to-stop-supply-chain-attacks","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/11\/github-to-disable-npm-install-scripts-by-default-to-stop-supply-chain-attacks\/","title":{"rendered":"GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/github-to-disable-npm-install-scripts.html\">GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/github-to-disable-npm-install-scripts.html\">https:\/\/thehackernews.com\/2026\/06\/github-to-disable-npm-install-scripts.html<\/a><\/p>\n<p>Publish Date: 2026-06-11 02:23:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Jun 11, 2026<\/span><\/span><span class=\"p-tags\">Developer Security \/ Software Supply Chain<\/span><\/p>\n<p>GitHub has announced what it said are &#8220;breaking changes&#8221; coming to npm version 12, one of which turns off install scripts by default to combat software supply chain threats.<\/p>\n<p>The changes aim to combat attack techniques that abuse the &#8220;npm install&#8221; command to trigger the execution of malicious code using npm lifecycle hooks. &#8220;Npm install&#8221; is used to download and install all the necessary dependencies for a Node.js project. 
Version 12 is scheduled for release next month.<\/p>\n<p>Describing install-time lifecycle scripts as the &#8220;single largest code-execution surface in the npm ecosystem,&#8221; GitHub said the &#8220;npm install&#8221; command runs scripts from every transitive dependency, as a result of which a single compromised package anywhere in the dependency tree can run arbitrary code on a developer machine or CI runner.<\/p>\n<p>The idea behind blocking this behaviour is to require explicit user approval before any code runs automatically during &#8220;npm install&#8221;, instead of trusting it by default. &#8220;Making script execution opt-in closes that path while keeping it one command away for the packages you trust,&#8221; GitHub said.<\/p>\n<p>The changes are listed below &#8211;<\/p>\n<ul>\n<li>npm install will no longer execute preinstall, install, or postinstall scripts from dependencies unless they are explicitly allowed in the project.<\/li>\n<li>npm install will no longer resolve Git dependencies, either direct or transitive, unless explicitly allowed via --allow-git.<\/li>\n<li>npm install will no longer resolve dependencies from remote URLs, such as https tarballs, unless explicitly allowed via --allow-remote.<\/li>\n<\/ul>\n<p>&#8220;This includes native node-gyp builds (i.e., a package with a binding.gyp and no explicit install script still gets blocked, because npm runs an implicit node-gyp rebuild for it),&#8221; the Microsoft-owned subsidiary said about changes to the default &#8220;allowScripts&#8221; behavior. 
&#8220;prepare scripts from git, file, and link dependencies are blocked the&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/github-to-disable-npm-install-scripts.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks https:\/\/thehackernews.com\/2026\/06\/github-to-disable-npm-install-scripts.html Publish&#8230;<\/p>\n","protected":false},"author":1,"featured_media":270041,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi_yyoUTLr71Ug2Ge0R7qFSnlGjB3TzlrQ-2NDR5jpPSBjivUSxhxRV1eCg5E6Af15RbJLZpqg9Ohp9ZW9YC9D2oc3VcHrNYQetavvvarn-Pn1P4VWnMw2C-hXbFgplFW9O8pe-zSP9ABGkkR-LM8hhu370dXMgeV-TGQT2p9N7hd7Friim3UkdK5FfyHHp\/s16000\/npm-github.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[],"class_list":["post-270040","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/270040"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=270040"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/270040\/revisions"}],"predecessor-version":[{"id":270042,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/270040\/revisions\/270042"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/270041"}],"wp:attachment":[{"href"
:"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=270040"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=270040"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=270040"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}