Post
MEDIUM

GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks

· npm · supply-chain · github · devsecops

GitHub announced that npm version 12 will disable install scripts by default as part of a broader set of breaking changes targeting supply chain attacks. Install scripts triggered via npm lifecycle hooks during “npm install” have been a common vector for malicious package payloads. Disabling them by default removes a major automatic code-execution path for compromised or malicious npm packages. Maintainers and CI pipelines that rely on install scripts for legitimate build steps will need to explicitly opt back in once npm 12 ships.