Theregister
GitHub to Disable Automatic npm Script Execution to Combat Supply Chain Attacks
GitHub announced that npm v12, set for release in July 2026, will change default settings to enhance security by disabling automatic execution of installation scripts from dependencies. This change aims to mitigate supply chain attacks that exploit the npm install command, which has been a significant attack vector for malicious code execution. Attackers have previously leveraged this feature to execute harmful scripts during package installations, leading to incidents like the Shai-Hulud worm. The new version will require explicit approval for scripts to run, significantly narrowing the risk surface. Developers will need to review their dependencies and approve scripts manually to maintain functionality. While this change is a step forward, experts warn that attackers may shift to other methods, such as malicious package code or compromised maintainer accounts. The npm ecosystem, which includes numerous direct and indirect dependencies, remains vulnerable to various attack vectors despite this update. GitHub's decision follows years of escalating supply chain attacks and aims to enhance security in the Node.js environment.
Key Points:
• npm v12 will disable automatic execution of installation scripts by default.
• Developers must explicitly approve scripts and Git dependencies to mitigate risks.
• Experts caution that while this change improves security, attackers may adapt their methods.