
GitHub announces npm security changes to tackle supply-chain attacks

Source: Bleeping Computer (archived Jun 10, 2026)

By Bill Toulas, June 10, 2026, 03:41 PM

GitHub has announced that npm v12, expected next month, will introduce several security-focused changes aimed at blocking supply-chain attacks abusing behaviors triggered by the 'npm install' command.

'npm install' is the command used to download and install a project's dependencies and run any install-related scripts defined by the packages. Developers execute it after cloning a project, pulling updates, or during CI/CD builds, and attackers target it because of the potential for automated code execution during package installation.

The main theme of the announcement is that code execution and non-registry dependency sources that currently trigger automatically during npm install will now require explicit approval instead of being trusted by default.

Specifically, GitHub announced the following changes:

- Starting in version 12, npm install will not run preinstall, install, or postinstall scripts from dependencies unless they have been explicitly approved. This also applies to native module builds triggered through node-gyp, and to prepare scripts from Git, local file, and linked dependencies.
- npm install will no longer fetch dependencies from Git repositories, whether direct or transitive, unless explicitly permitted. GitHub says this removes a code execution path where a Git dependency's .npmrc file could alter which Git executable is used, even when install scripts are disabled.
- Dependencies installed from remote URLs, such as HTTPS tarballs, will no longer be resolved unless explicitly permitted. This applies to both direct and transitive dependencies.

These changes can significantly reduce supply-chain attacks by removing the automatic execution of dependency installation scripts, the automatic resolution of Git-based dependencies, and the automatic resolution of remote URL dependencies.
The new defaults could have disrupted several attack techniques used in recent supply-chain attacks, including the malicious preinstall/postinstall script campaigns targeting eslint-config-prettier, Toptal's Picasso packages, and dozens of data-stealing npm packages, as well as the Git dependency abuse documented in the Shai-Hulud attacks.

Projects that rely on any of these behaviors for legitimate workflows will need to explicitly opt in before upgrading to npm v12.

GitHub recommends that developers prepare by upgrading to npm 11.16.0 or newer, which displays warnings on all actions that will break under version 12. This allows developers running their normal install routines to review these warnings and identify dependencies or workflows that will require explicit approval before upgrading. After upgrading to version 12, only explicitly approved scripts and dependency sources will continue functioning automatically.

A community discussion has been opened for developers to share their suggestions on the upcoming changes.