
GitHub to Disable Automatic npm Script Execution to Combat Supply Chain Attacks

Severity: High (Score: 60.6)

Sources: Csoonline, Theregister, Heise.De, Bleepingcomputer

Published: 2026-06-10 · Updated: 2026-06-11

Keywords: github, longer, automatically, pulls, auto, tackles, riskiest

Summary

GitHub announced that npm v12, set for release in July 2026, will change default settings to enhance security by disabling automatic execution of installation scripts from dependencies. This change aims to mitigate supply chain attacks that exploit the `npm install` command, which has been a significant attack vector for malicious code execution. Attackers have previously leveraged this feature to execute harmful scripts during package installations, leading to incidents like the Shai-Hulud worm. The new version will require explicit approval for scripts to run, significantly narrowing the risk surface. Developers will need to review their dependencies and approve scripts manually to maintain functionality. While this change is a step forward, experts warn that attackers may shift to other methods, such as malicious package code or compromised maintainer accounts. The npm ecosystem, which includes numerous direct and indirect dependencies, remains exposed to other attack vectors despite this update. GitHub's decision follows years of escalating supply chain attacks and aims to enhance security in the Node.js environment.

Key Points:

  • npm v12 will disable automatic execution of installation scripts by default.
  • Developers must explicitly approve scripts and Git dependencies to mitigate risks.
  • Experts caution that while this change improves security, attackers may adapt their methods.

Detailed Analysis

**Impact**

The change affects all developers and organizations using npm, the standard package manager for Node.js, which supports millions of projects worldwide. Supply chain attacks exploiting automatic execution of install scripts have led to data theft, credential interception, and malware deployment across sectors reliant on JavaScript ecosystems, including software development, CI/CD pipelines, and cloud services. The update reduces the risk of widespread automated compromise but does not eliminate threats from other vectors such as compromised maintainer accounts or malicious runtime code, which executes only when the package is actually imported rather than at install time.

**Technical Details**

The primary attack vector involves automatic execution of lifecycle scripts (`preinstall`, `install`, `postinstall`) during `npm install`, enabling arbitrary code execution on developer machines or CI runners with the privileges of the installing user. Notable malware like the Shai-Hulud worm exploited this vector. The update disables these scripts by default, requiring explicit allowlisting via `allow-scripts`. Additional mitigations include blocking Git and remote URL dependencies unless explicitly approved, closing attack paths involving malicious `.npmrc` overrides and untraceable external sources. No specific CVEs or IOCs were detailed in the sources.

**Recommended Response**

Developers should upgrade to npm 11.16.0 or later immediately to begin receiving warnings about blocked scripts and dependencies, and prepare for the default changes in npm 12 by reviewing and approving necessary scripts via the allowlist. Review existing `ignore-scripts` settings and remove any that conflict with the new allowlist approach. Until npm 12 ships, running `npm ci --ignore-scripts` (or setting `ignore-scripts=true` in `.npmrc`) gives equivalent protection today, at the cost that packages which genuinely need an install-time build step, such as native addons, will not be built. Security teams should monitor for unauthorized script execution attempts and audit CI/CD pipelines for dependencies requiring explicit approval. Organizations should track community discussions for further updates and adjust policies to restrict Git and remote dependencies.

Source articles (4)

  • npm tackles its riskiest security issues — Heise.De · 2026-06-10
    With npm v12, GitHub is eliminating several security-critical default settings of the Node.js package manager. The main version, announced for July 2026, will no longer automatically execute installat…
  • GitHub pulls pin on npm's auto — Theregister · 2026-06-10
    Shai-Hulud worm exploited exactly this. Better late than never, says everyone except the malware authors GitHub will change npm's defaults so the install command no longer runs scripts automatically,…
  • GitHub announces npm security changes to tackle supply — Bleepingcomputer · 2026-06-10
    GitHub has announced that npm v12, expected month, will introduce several security-focused changes aimed at blocking supply-chain attacks abusing behaviors triggered by the 'npm install' command. 'npm…
  • GitHub finally pulls the plug on automatic install script execution for npm — Csoonline · 2026-06-11
    The ability for attackers to leverage automatic install script execution in npm will finally come to an end when expected changes arrive from GitHub in July. Coders will still be able to enable the fu…

Timeline

  • 2026-06-10 — GitHub announces npm v12 changes: GitHub revealed that npm v12 will block automatic execution of installation scripts and require explicit approvals for dependencies.
  • 2026-06-10 — Security experts comment on npm changes: Experts highlighted that while the changes reduce risks, attackers may shift to other exploitation methods.
  • 2026-06-10 — npm v12 release window announced: the new major version is scheduled for July 2026 and will ship the security-focused default changes.

Related entities

  • Malware (Attack Type)
  • Supply Chain Attack (Attack Type)
  • Shai-Hulud Attacks (Campaign)
  • german.it (Domain)
  • Shai-hulud (Malware)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • T1195 - Supply Chain Compromise (Mitre Attack)
  • T1574 - Hijack Execution Flow (Mitre Attack)
  • Git (Tool)
  • Node.js (Tool)
  • Npm (Tool)
  • GitHub (Platform)