NPM 12 Will Change Script Execution Behavior to Prevent Supply Chain Attacks
Starting with NPM version 12, the default behavior of npm install will change to block execution of scripts from dependencies unless explicitly allowed. This change aims to prevent supply chain attacks that have exploited automatic script execution during package installation. The update also restricts resolution of Git and remote URL dependencies unless permitted. Developers can pre-approve trusted scripts to maintain functionality while blocking untrusted ones.
AI Analysis
Technical Summary
In response to recent supply chain attacks abusing automatic script execution during npm install, GitHub announced that NPM 12 will disable execution of preinstall, install, and postinstall scripts from dependencies by default. This change also affects native node-gyp builds and prepare scripts from git, file, and link dependencies. Git and remote URL dependencies will no longer be resolved automatically unless explicitly allowed. Developers can use npm approve-scripts to create an allowlist of trusted scripts, which is stored in package.json. This mitigates attack vectors exploited by malware such as the Shai-Hulud worm and TeamPCP incidents.
Potential Impact
The change reduces the risk of supply chain attacks that rely on executing malicious scripts during npm install, which previously infected thousands of developers. By blocking script execution by default, it prevents automatic execution of potentially harmful code embedded in dependencies. However, it may require developers to explicitly approve scripts needed for legitimate builds, potentially impacting some workflows until adjusted.
Mitigation Recommendations
Upgrade to NPM version 11.16.0 or later to receive warnings about script execution during install. Use the npm approve-scripts command to review and explicitly allow trusted scripts, committing the resulting allowlist to package.json. When upgrading to NPM 12, only approved scripts will run by default, blocking untrusted ones. No urgent action is required beyond upgrading and managing script approvals, as this change is a security improvement to prevent supply chain attacks.
NPM 12 Will Change Script Execution Behavior to Prevent Supply Chain Attacks
Description
Starting with NPM version 12, the default behavior of npm install will change to block execution of scripts from dependencies unless explicitly allowed. This change aims to prevent supply chain attacks that have exploited automatic script execution during package installation. The update also restricts resolution of Git and remote URL dependencies unless permitted. Developers can pre-approve trusted scripts to maintain functionality while blocking untrusted ones.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
In response to recent supply chain attacks abusing automatic script execution during npm install, GitHub announced that NPM 12 will disable execution of preinstall, install, and postinstall scripts from dependencies by default. This change also affects native node-gyp builds and prepare scripts from git, file, and link dependencies. Git and remote URL dependencies will no longer be resolved automatically unless explicitly allowed. Developers can use npm approve-scripts to create an allowlist of trusted scripts, which is stored in package.json. This mitigates attack vectors exploited by malware such as the Shai-Hulud worm and TeamPCP incidents.
Potential Impact
The change reduces the risk of supply chain attacks that rely on executing malicious scripts during npm install, which previously infected thousands of developers. By blocking script execution by default, it prevents automatic execution of potentially harmful code embedded in dependencies. However, it may require developers to explicitly approve scripts needed for legitimate builds, potentially impacting some workflows until adjusted.
Mitigation Recommendations
Upgrade to NPM version 11.16.0 or later to receive warnings about script execution during install. Use the npm approve-scripts command to review and explicitly allow trusted scripts, committing the resulting allowlist to package.json. When upgrading to NPM 12, only approved scripts will run by default, blocking untrusted ones. No urgent action is required beyond upgrading and managing script approvals, as this change is a security improvement to prevent supply chain attacks.
Technical Details
- Article Source
- {"url":"https://www.securityweek.com/npm-12-will-change-script-execution-behavior-to-prevent-supply-chain-attacks/","fetched":true,"fetchedAt":"2026-06-13T15:54:24.197Z","wordCount":1060}
Threat ID: 6a2d7d30e617e2d834043568
Added to database: 6/13/2026, 3:54:24 PM
Last enriched: 6/13/2026, 3:54:30 PM
Last updated: 6/14/2026, 4:57:31 AM
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.