HackMyIP
← Back to News
2026-07-09 The Hacker News

npm 12 Disables Install Scripts by Default to Cut Supply Chain Risk

Supply ChainAuthenticationVulnerability

GitHub has officially released npm 12, the latest version of the world's most widely used JavaScript package manager, with a major security-focused overhaul that disables install scripts by default to mitigate supply chain attacks. The update forces developers to explicitly opt in to running dependency lifecycle scripts (preinstall, install, postinstall) and implicit node-gyp builds, closing a long-exploited attack vector in which malicious packages execute arbitrary code on developer machines during installation.

Three opt-in flags now ship with secure-by-default values: allowScripts is off, --allow-git is set to none (blocking Git-based dependencies from being resolved automatically), and --allow-remote is set to none (blocking remote tarball dependencies). To review and approve trusted scripts, developers must run "npm approve-scripts --allow-scripts-pending" and then commit the resulting allowlist into their package.json. GitHub first previewed these changes last month, urging users to upgrade to npm 11.16.0 or newer to surface warnings about scripts that would be blocked under the new defaults. Developers concerned about credential exposure in their npm configuration can verify their token hygiene with a password strength checker.

Alongside the install-script changes, GitHub is deprecating granular access tokens (GATs) designed to bypass two-factor authentication. Beginning in early August 2026, GATs configured to bypass 2FA will lose the ability to perform sensitive operations including creating or deleting tokens, changing 2FA configuration, modifying package access or maintainers, and managing organization membership. A second change, scheduled for January 2027, will strip GATs of their direct publishing capability, limiting them to reading private packages and staging publishes that require human 2FA approval. GitHub recommends migrating automated publishing to trusted publishing (OIDC) or staged publishing with manual approval, rather than relying on long-lived publish tokens.

The release comes as pnpm 11.10 introduces a new "_auth" setting that stores registry authentication as a single structured, URL-keyed value, ensuring the credential and its host travel together. According to Socket, pnpm reads _auth only from the environment or the global config, never from project files, preventing a tampered pnpm-workspace.yaml or .npmrc from redirecting a valid token to a malicious host. This hardening reflects a broader industry push toward reducing the attack surface of package managers, where a single compromised dependency can cascade into thousands of downstream projects. Organizations auditing their development environments for exposed secrets and misconfigurations can run a broader privacy checkup to identify weak points in their tooling.

Source: The Hacker News →

Related Tools

Check whether this kind of story affects you — free, no signup:

Password Checker →Email Breach Check →Privacy Checkup →

Related Guides

Learn the background behind this story:

Password security basics →Two-factor authentication explained →How to create a strong password →