
GitHub finally pulls the plug on automatic install script execution...

· 3 min read · SecurityXP Editorial Desk

Attacks likely to move elsewhere

Sonu Kapoor, maintainer for CVE Lite CLI in the OWASP Incubator Project, said that this change is likely to force the supply chain attacks that leveraged the automatic execution to move elsewhere. The changes, currently available as opt-in warnings in npm version 11.16.0 and later, are expected to become the default behavior […]

What Happened

GitHub has announced that npm v12, expected next month, will introduce several security-focused changes aimed at blocking supply-chain attacks abusing behaviors triggered by the ‘npm install’ command.

The main theme of the announcement is that code execution and non-registry dependency sources that currently trigger automatically during npm install will now require explicit approval instead of being trusted by default.

“[…] coming to npm version 12, one of which turns off install scripts by default to combat software supply chain threats. The changes aim to combat attack techniques that abuse the […]”, Spokesperson

The abuse these changes target includes malicious preinstall/postinstall script campaigns targeting eslint-config-prettier, Toptal’s Picasso packages, dozens of data-stealing npm packages, as well as the Git dependency abuse documented in the Shai-Hulud attacks.

“Having developers explicitly approve which packages can run code and commit that list to source control is a form of software supply chain governance that many organizations never had,” Levine said.

Scope

GitHub recommends that developers prepare for these changes by upgrading to npm 11.16.0 or newer, running their normal install routine, and reviewing the warnings it displays, which identify the dependencies or workflows that will require explicit approval before upgrading. “After that, only the scripts you approved keep running once you upgrade.”

For Defenders

  1. Developers execute it after cloning a project, pulling updates, or during CI/CD builds, and attackers target it because of the potential for automated code execution during package installation.

  2. GitHub says this removes a code execution path where a Git dependency’s .npmrc file could alter which Git executable is used, even when install scripts are disabled.

  3. GitHub recommends that developers prepare by upgrading to npm 11.16.0 or newer, which displays warnings on all actions that will break under version 12.

  4. By blocking such behaviours, the idea is to require explicit user approval before code execution is initiated automatically during “npm install” as opposed to being trusted by default.

  5. “Use npm approve-scripts --allow-scripts-pending to see which packages have scripts, approve the ones you trust, and commit the updated package.json,” it added.

Takeaway

Organizations should review their exposure and apply available mitigations promptly.

Security teams should monitor vendor advisories and threat intelligence sources closely for additional context or updates. Organizations with mature security programs are advised to incorporate this intelligence into their regular risk assessments and prioritize response activities based on exposure and asset criticality. For environments where immediate remediation is not feasible, compensating controls such as network segmentation, enhanced monitoring, and access restrictions should be evaluated. Security leadership should communicate relevant details to operational teams and ensure that incident response capabilities are prepared if exploitation is observed in the wild.

Sources

  1. https://github.com/orgs/community/discussions/198547
  2. https://www.bleepingcomputer.com/news/security/github-announces-npm-security-changes-to-tackle-supply-chain-attacks/
  3. https://thehackernews.com/2026/06/github-to-disable-npm-install-scripts.html
  4. https://www.csoonline.com/article/4183859/github-finally-pulls-the-plug-on-automatic-install-script-execution-for-npm-2.html
  5. https://gbhackers.com/github-introduces-automatic-controls-to-prevent-malicious-npm/