GitHub finally pulls the plug on automatic install script execution
Attacks likely to move elsewhere

Sonu Kapoor, maintainer for CVE Lite CLI in the OWASP Incubator Project, said that this change is likely to force the supply chain attacks that leveraged the automatic execution to move elsewhere.

The changes, currently available as opt-in warnings in npm version 11.16.0 and later, are expected to become the default behavior […]
What Happened
This includes malicious preinstall/postinstall script campaigns targeting eslint-config-prettier, Toptal’s Picasso packages, dozens of data-stealing npm packages, as well as Git dependency abuse documented in Shai-Hulud attacks.
Further details indicate that “having developers explicitly approve which packages can run code and commit that list to source control is a form of software supply chain governance that many organizations never had,” Levine said.
GitHub has announced that npm v12, expected next month, will introduce several security-focused changes aimed at blocking supply-chain attacks abusing behaviors triggered by the ‘npm install’ command.
The main theme of the announcement is that code execution and non-registry dependency sources that currently trigger automatically during npm install will now require explicit approval instead of being trusted by default.
[…] coming to npm version 12, one of which turns off install scripts by default to combat software supply chain threats. The changes aim to combat attack techniques that abuse the […]
Scope
This allows developers running their normal install routines to review these warnings and identify dependencies or workflows that will require explicit approval before upgrading. GitHub recommends that developers prepare for these changes by upgrading to npm 11.16.0 or newer, running the normal install, and reviewing the warnings displayed. “After that, only the scripts you approved keep running once you upgrade.”
For Defenders
- Developers execute ‘npm install’ after cloning a project, pulling updates, or during CI/CD builds, and attackers target it because of the potential for automated code execution during package installation.
- GitHub says this removes a code execution path where a Git dependency’s .npmrc file could alter which Git executable is used, even when install scripts are disabled.
- GitHub recommends that developers prepare by upgrading to npm 11.16.0 or newer, which displays warnings on all actions that will break under version 12.
- By blocking such behaviours, the idea is to require explicit user approval before code execution is initiated automatically during “npm install” as opposed to being trusted by default.
- “Use npm approve-scripts --allow-scripts-pending to see which packages have scripts, approve the ones you trust, and commit the updated package.json,” it added.
Takeaway
Organizations should review their exposure and apply available mitigations promptly.
Security teams should monitor vendor advisories and threat intelligence sources closely for additional context or updates. Organizations with mature security programs are advised to incorporate this intelligence into their regular risk assessments and prioritize response activities based on exposure and asset criticality. For environments where immediate remediation is not feasible, compensating controls such as network segmentation, enhanced monitoring, and access restrictions should be evaluated. Security leadership should communicate relevant details to operational teams and ensure that incident response capabilities are prepared if exploitation is observed in the wild.
Sources
- https://github.com/orgs/community/discussions/198547
- https://www.bleepingcomputer.com/news/security/github-announces-npm-security-changes-to-tackle-supply-chain-attacks/
- https://thehackernews.com/2026/06/github-to-disable-npm-install-scripts.html
- https://www.csoonline.com/article/4183859/github-finally-pulls-the-plug-on-automatic-install-script-execution-for-npm-2.html
- https://gbhackers.com/github-introduces-automatic-controls-to-prevent-malicious-npm/
SecurityXP delivers daily cybersecurity news, vulnerability analysis, data breach reports, and threat intelligence.