Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Progress Restores ShareFile Storage Access After Security Warning

July 15, 2026

npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk

July 15, 2026

Phishing Campaign Abuses eCards to Deploy RMM Tools

July 15, 2026
Facebook X (Twitter) Instagram
Thursday, July 16
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk
News

npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk

Team-CWDBy Team-CWDJuly 15, 2026No Comments3 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


GitHub has officially announced the release of npm version 12 with install scripts disabled by default, along with deprecating granular access tokens (GATs) designed to bypass two-factor authentication (2FA).

The Microsoft-owned subsidiary noted that the following npm install behaviors that used to run automatically before have been made opt-in –

  • allowScripts defaults to off, meaning dependency lifecycle scripts (i.e., preinstall, install, postinstall) and implicit node-gyp builds no longer run unless explicitly allowed.
  • –allow-git defaults to none, meaning –allow-git defaults to none: Git dependencies (direct or transitive) are no longer resolved unless explicitly allowed.
  • –allow-remote defaults to none, meaning dependencies from remote URLs (e.g., https tarballs) are no longer resolved unless explicitly allowed.

To review and approve trusted scripts, users are now required to run: “npm approve-scripts –allow-scripts-pending,” then commit the resulting allowlist in the “package.json” file.

It’s worth noting that these changes were previewed last month, with GitHub recommending developers to upgrade to npm 11.16.0 or newer, run the normal install command, and review the warnings displayed.

The latest npm release version also introduces two new changes –

  • npm GATs configured to bypass 2FA will no longer be able to perform sensitive account, package, and organization management actions. This includes creating or deleting tokens, generating recovery codes and changing npm account password, email, profile, or 2FA configuration, changing package access, maintainers, or trusted publishing configuration, and managing organization and team membership as well as their package grants.
  • npm GATs will no longer retain the ability to publish directly. Their publishing surface will be limited to reading private packages and staging a publish, where a package only becomes public after a human 2FA approval.

The first of two changes is expected to take effect in early August 2026. In the interim, it’s advised to stop using 2FA-bypass tokens for the aforementioned operations and perform them interactively with 2FA. The second change is scheduled for January 2027.

“To prepare, plan to move automated publishing to trusted publishing (OIDC) or staged publishing with a human approval step, rather than a long-lived publish token,” GitHub said.

The development comes as pnpm 11.10 introduces a new “_auth” setting for configuring registry authentication as a single structured, URL-keyed value.

“The security benefit is that the credential and the host it belongs to travel together, and pnpm reads _auth only from the environment or the global config, never from a project’s files,” Socket explained.

“That means a malicious or compromised pnpm-workspace.yaml or .npmrc inside a repository cannot point a valid token at a different host. A tampered project file is a common way attackers get a foothold, and redirecting a registry token is a direct route to stealing it, so closing that path removes exposure.”



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticlePhishing Campaign Abuses eCards to Deploy RMM Tools
Next Article Progress Restores ShareFile Storage Access After Security Warning
Team-CWD
  • Website

Related Posts

News

Progress Restores ShareFile Storage Access After Security Warning

July 15, 2026
News

Phishing Campaign Abuses eCards to Deploy RMM Tools

July 15, 2026
News

Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories

July 15, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Is Poshmark safe? How to buy and sell without getting scammed

February 19, 2026

A stealthy RAT burrowing deep into Android devices

May 26, 2026

AI-powered financial scams swamp social media

September 11, 2025

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.