GitHub says npm 12 will no longer run package install scripts by default, changing behavior that has long let malicious dependencies execute code on developer machines and continuous integration systems. The July release will disable automatic preinstall, install, and postinstall lifecycle scripts unless explicitly allowed with allow-scripts, turn --allow-git off by default, and set allow-remote to none to block remote URL dependency downloads; the move follows repeated supply-chain abuse, including Shai-Hulud-style malicious packages.
Why it matters: Developers and organizations that use npm may need to update build and install workflows before npm 12 ships, but the change should reduce one of the ecosystem's biggest package-based malware risks. Security teams should test projects now, identify legitimate packages that need script exceptions, and tighten CI defaults.
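To act on the advice above (find the legitimate packages that will need a script exception before npm 12 changes the default), the following is an added example, not code from the article or from npm itself: a small Node.js script that audits package manifests for the preinstall, install, and postinstall hooks the article names and reports which packages declare them. It ships with constructed sample manifests so it runs stand-alone; `loadManifests` is a helper for pointing it at a real `node_modules` directory. Until npm 12 ships, the equivalent opt-out is `npm install --ignore-scripts` or `ignore-scripts=true` in `.npmrc`, both of which exist in current npm.

```javascript
// Added example (not from the article or npm): audit package manifests for
// install-time lifecycle hooks so a team can decide which packages need an
// explicit exception once npm 12 stops running them by default.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Return the install-time hooks a parsed package.json declares, in hook order.
function lifecycleHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter(
    (h) => typeof scripts[h] === "string" && scripts[h].trim() !== ""
  );
}

// Given an array of parsed manifests, return the ones that declare hooks,
// with the exact commands so a reviewer can judge each one. Sorted by name.
function findPackagesWithHooks(manifests) {
  const findings = [];
  for (const m of manifests) {
    const hooks = lifecycleHooks(m);
    if (hooks.length === 0) continue;
    const commands = {};
    for (const h of hooks) commands[h] = m.scripts[h];
    findings.push({ name: m.name, version: m.version, hooks, commands });
  }
  return findings.sort((a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0));
}

// Walk a real node_modules tree (scoped packages and nested node_modules
// included) and parse every package.json found. Only used for a live audit;
// fs/path are required lazily so the pure functions above stay dependency-free.
function loadManifests(nodeModulesDir) {
  const fs = require("fs");
  const path = require("path");
  const manifests = [];
  const visit = (dir) => {
    if (!fs.existsSync(dir)) return;
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      if (!entry.isDirectory()) continue;
      const full = path.join(dir, entry.name);
      if (entry.name.startsWith("@")) { visit(full); continue; } // scope dir
      const pkgJson = path.join(full, "package.json");
      if (fs.existsSync(pkgJson)) {
        try { manifests.push(JSON.parse(fs.readFileSync(pkgJson, "utf8"))); }
        catch (e) { /* skip unparsable manifest, keep auditing */ }
      }
      visit(path.join(full, "node_modules")); // nested dependencies
    }
  };
  visit(nodeModulesDir);
  return manifests;
}

// Constructed sample manifests (hypothetical package names, not real ones).
const SAMPLE_MANIFESTS = [
  { name: "plain-utility", version: "1.0.0", scripts: { test: "node test.js" } },
  { name: "native-addon-example", version: "2.3.1", scripts: { install: "node-gyp rebuild" } },
  { name: "@example/telemetry", version: "0.1.0",
    scripts: { preinstall: "node ./check.js", postinstall: "node ./setup.js" } },
  { name: "no-scripts-at-all", version: "0.0.1" },
];

// Render the findings as a review checklist.
function formatReport(findings) {
  if (findings.length === 0) return "No install-time lifecycle hooks found.";
  return findings
    .map((f) => `${f.name}@${f.version}: ${f.hooks.map((h) => `${h} -> ${f.commands[h]}`).join("; ")}`)
    .join("\n");
}

if (typeof require !== "undefined" && require.main === module) {
  // Pass a node_modules path to audit a real project; otherwise use the samples.
  const target = process.argv[2];
  const manifests = target ? loadManifests(target) : SAMPLE_MANIFESTS;
  console.log(formatReport(findPackagesWithHooks(manifests)));
}
```

Run it as `node audit-hooks.js ./node_modules` against a real project; every package it lists is one to either vet and allow explicitly or drop before the npm 12 default flips. Nested copies of a dependency are reported separately on purpose, since each copy's hook runs on install.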
Bill Toulas
2026.06.10
This article directly covers GitHub's announced npm 12 security changes, adding specifics on which install hooks and dependency sources will require explicit approval and noting npm 11.16.0 warnings to help developers prepare.
2026.06.10
This article establishes a distinct ecosystem-level security hardening event: npm/GitHub is changing default package-manager behavior in response to supply-chain abuse, rather than detailing a single compromise or malware campaign.