
NPM v12 Blocks Installation Scripts – Criticism Over Insufficient Protection

In a nutshell: NPM v12 blocks automatic installation scripts, but offers no protection against account takeovers, through which attackers can publish malicious code directly as trusted releases.

The JavaScript package manager NPM will receive enhanced security measures in July 2026 with version 12, which will block installation scripts and external Git dependencies by default. However, security experts criticise that fundamental risks such as account takeovers remain unaddressed.

The key changes in NPM v12 address two central attack vectors in the software supply chain: from July 2026, the preinstall, install and postinstall lifecycle scripts of dependencies will be blocked by default during npm install and will require explicit approval from the developer. At the same time, Git dependencies, i.e. packages fetched from external repositories such as GitHub instead of from the registry, will be blocked unless explicitly permitted. Since November 2025 (version 11.16.0), developers have already been receiving warning messages to prepare them for these changes.

Analysts at security firm OX Security, however, point out that these measures do not address the most fundamental risks. According to security researcher Moshe Siman Tov Bustan, the takeover of maintainer accounts remains a critical vulnerability: once an attacker controls the credentials of a legitimate package maintainer, they can publish malicious code as a trusted, signed release, and blocking installation scripts does not help in that case. Likewise, a compromised module can run malicious code at the moment it is loaded (via require() or import), without needing any installation script or user confirmation.

The researchers see an additional risk in native builds: packages containing C code that is compiled via node-gyp can likewise serve as an attack vector. OX Security therefore calls on NPM to detect and block malicious code at upload time, comparable to content moderation on social media platforms. Since NPM is operated by GitHub (whose parent company is Microsoft), the security firm sees the responsibility as lying with the corporation.

The adjustments follow several recent incidents: in March 2026, an attacker hijacked the account of a lead developer of the JavaScript library Axios (over 100 million downloads per week) to distribute malware. Two months later, further high-traffic packages were put at risk through compromised accounts.


Source: www.it-daily.net · Published 2 July 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.
