GitHub announced that npm v12, expected next month, will change the default behavior of "npm install" so that actions that currently run automatically — including install scripts and non-registry dependency resolution — will instead require explicit approval. For developers, CI/CD pipelines, and security teams, the change aims to remove automated code-execution paths that attackers have repeatedly exploited in supply‑chain incidents.
What npm v12 will change: scripts, Git sources, and remote URLs
GitHub set out three concrete defaults that will shift in version 12:
- npm install will not run preinstall, install, or postinstall scripts from dependencies unless those scripts have been explicitly approved. This rule also applies to native module builds triggered through node-gyp, and to prepare scripts that come from Git, local file, and linked dependencies.
- npm install will no longer fetch dependencies from Git repositories, whether direct or transitive, unless the use of Git dependencies is explicitly permitted. GitHub says removing this path eliminates a route where a Git dependency's .npmrc file could change which Git executable is used, a vector that could be abused even when install scripts are disabled.
- Dependencies installed from remote URLs — for example, HTTPS tarballs — will no longer be resolved unless explicitly permitted. This applies to both direct and transitive dependencies.
How these defaults close attack paths used in recent incidents
GitHub frames the changes as targeted reductions in three common supply‑chain techniques. Blocking automatic execution of install-related scripts directly addresses campaigns that relied on malicious preinstall/postinstall hooks. The announcement cites several categories of past abuse that would have been disrupted by the new defaults: malicious script campaigns targeting eslint-config-prettier; the Toptal "Picasso" packages; dozens of data‑stealing npm packages; and Git dependency abuse documented in Shai‑Hulud attacks.
Separately, refusing to resolve Git dependencies by default aims to eliminate a particular trick: a Git dependency shipping an .npmrc that alters which Git executable is invoked during install. Finally, preventing automatic resolution of remote URL dependencies closes the opportunity for an attacker to point a dependency at an external HTTPS tarball that contains arbitrary code.
Preparing to upgrade: use npm 11.16.0 to surface breaking actions
GitHub recommends that developers prepare for the change by upgrading to npm 11.16.0 or newer. That release displays warnings for all actions that will break under version 12, allowing teams to run their normal install routines and identify dependencies or workflows that will require explicit approval before upgrading. The company warns that after upgrading to version 12, only explicitly approved scripts and dependency sources will continue to function automatically.
What this means for developers, security teams, and CI/CD build engineers
- Developers: projects that rely on preinstall/install/postinstall scripts, Git dependencies, or remote URL tarballs for legitimate workflows will need to explicitly opt in for those behaviors before moving to npm v12; otherwise those workflows will stop functioning automatically.
- Security teams: the new defaults should reduce automatic execution and source‑resolution attack surfaces, but teams must still inventory and approve required scripts and non‑registry sources so build pipelines do not break unexpectedly.
- CI/CD build engineers: pipelines that assume unobstructed, automated installs should run npm 11.16.0 to surface warnings, then add explicit approvals where necessary to ensure continuity once v12 is deployed.
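The inventory step above can be started from the lockfile itself. The following is an added example, not code from GitHub or from the npm project: it scans a package-lock.json (lockfileVersion 2/3 `packages` map) for the three things npm v12 will gate by default, namely packages that declare install scripts (recorded by npm as `hasInstallScript`), dependencies resolved from Git, and tarballs pulled from a non-registry URL. It assumes the project uses the default registry host; the sample lockfile, package names and URLs are constructed. It does not see `prepare` scripts of Git or linked dependencies, so the npm 11.16.0 warnings remain the authoritative check.

```javascript
// Hosts treated as the package registry (assumption: default npm registry only).
const REGISTRY_HOSTS = new Set(["registry.npmjs.org"]);

// Classify a lockfile "resolved" field: "git", "remote-url" or null (registry/local).
function classifyResolved(resolved) {
  if (!resolved) return null;                       // link/workspace entries carry no URL
  if (/^git(\+\w+)?:/.test(resolved)) return "git"; // git:, git+ssh:, git+https:, ...
  try {
    const { protocol, hostname } = new URL(resolved);
    if ((protocol === "https:" || protocol === "http:") && !REGISTRY_HOSTS.has(hostname)) {
      return "remote-url";                          // tarball fetched outside the registry
    }
  } catch {
    // not an absolute URL (e.g. "file:..."): not a network source
  }
  return null;
}

// Walk every installed package and collect what will need explicit approval.
function auditLockfile(lock) {
  const findings = { installScripts: [], gitDeps: [], remoteUrls: [] };
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "") continue;                      // the root project itself
    const name = entry.name ?? path.replace(/^.*node_modules\//, "");
    if (entry.hasInstallScript) findings.installScripts.push(name);
    const kind = classifyResolved(entry.resolved);
    if (kind === "git") findings.gitDeps.push(`${name} <- ${entry.resolved}`);
    if (kind === "remote-url") findings.remoteUrls.push(`${name} <- ${entry.resolved}`);
  }
  return findings;
}

// Constructed sample lockfile excerpt (names and URLs are made up for this example).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/plain-lib": { version: "1.0.0",
      resolved: "https://registry.npmjs.org/plain-lib/-/plain-lib-1.0.0.tgz" },
    "node_modules/native-addon": { version: "2.1.0", hasInstallScript: true,
      resolved: "https://registry.npmjs.org/native-addon/-/native-addon-2.1.0.tgz" },
    "node_modules/forked-tool": { version: "0.3.0",
      resolved: "git+ssh://git@example.com/org/forked-tool.git#0123abcd" },
    "node_modules/vendored": { version: "4.0.0",
      resolved: "https://cdn.example.com/vendored-4.0.0.tgz" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace `SAMPLE_LOCK` with the parsed contents of its package-lock.json; each listed item is a script or source that must be deliberately approved (or replaced) before moving to npm v12.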
Community discussion and next steps
GitHub has opened a community discussion so developers can share suggestions about the upcoming changes. The company frames the shift as a move away from trusting install-time code execution and non-registry sources by default; projects that rely on those behaviors for legitimate workflows must opt in before upgrading to npm v12. The announcement positions the change as a preventive step that can "significantly reduce supply‑chain attacks" by removing automatic execution of dependency installation scripts and automatic resolution of Git-based and remote‑URL dependencies.
GitHub's timeline — "expected next month" for npm v12 — sets an immediate clock for teams to run npm 11.16.0, review the warnings it emits, and decide which scripts and dependency sources to explicitly approve. Whether teams will opt in to preserve existing workflows or move to the more restrictive defaults will determine how quickly the new protections take effect in the wild.
Original story: https://www.bleepingcomputer.com/news/security/github-announces-npm-security-changes-to-tackle-supply-chain-attacks/