GitHub announced that npm v12 will change default package installation behavior to curb software supply-chain attacks that abuse npm install. The release will require explicit approval before running lifecycle scripts, building native modules with node-gyp, resolving Git-based dependencies, or fetching packages from remote URLs such as HTTPS tarballs. GitHub said the changes remove several automatic code-execution and dependency-resolution paths that attackers have repeatedly used to hide malicious behavior in packages and transitive dependencies executed on developer workstations and CI runners.
The move targets techniques seen in incidents involving malicious preinstall and postinstall scripts, Git dependency abuse, and campaigns tied to packages such as eslint-config-prettier, Toptal’s Picasso packages, and the Shai-Hulud worm. npm maintainers said install-time scripts represent the ecosystem’s largest code-execution surface, though the new defaults will be breaking for some legitimate projects including Playwright, Puppeteer, Electron, and native modules that now must opt in. GitHub urged developers to upgrade to npm 11.16.0 or later ahead of the release so they can receive warnings about workflows that will fail under npm v12’s stricter defaults.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Alongside the npm 12 announcement, GitHub recommended that developers move to npm 11.16.0 or newer so they can receive warnings about breaking changes and prepare workflows before the new defaults arrive.
GitHub announced that npm v12 will change default behavior to reduce software supply-chain attacks during 'npm install'. The new defaults will require explicit approval for lifecycle scripts, native module builds, Git-based dependencies, and remote URL dependency fetching.
The protections that disable risky install-time behaviors were already available as opt-in features in npm 11.10.0 and later, alongside min-release-age. These features preceded the planned npm 12 default changes.
A reopened npm/cli issue proposed setting `ignore-scripts` to `true` by default to prevent automatic execution of package installation scripts. The reporter argued this would reduce supply-chain risk by making script execution explicit and opt-in.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
11 references tracked. Mallory keeps watching after this page renders.
risky.biz
Open sourcecybersecuritynews.com
Open sourcethehackernews.com
Open sourcelinuxsecurity.com
Open sourcebleepingcomputer.com
Open sourcegithub.blog
Open sourcesemgrep.dev
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.