Bottom line: npm 12 disables install scripts by default to make it harder to exploit lifecycle hooks for supply chain attacks.
GitHub is planning a security change for npm 12: install scripts will be disabled by default. The aim is to prevent attacks via lifecycle hooks, which currently run automatically during “npm install”.
GitHub has announced a series of breaking changes for npm version 12, including the default disabling of install scripts. This measure is designed to block attack techniques that abuse the “npm install” command to trigger malicious code execution via npm lifecycle hooks.
The “npm install” command automatically downloads and installs all of a project's dependencies. Currently, lifecycle hooks declared in a package's package.json, such as “postinstall” or “preinstall”, run without any explicit user intent — an attack vector that threat actors actively exploit to inject malware into dependency chains.
For CTOs, this change means reduced automatic execution of potentially dangerous code in the supply chain. However, disabling install scripts also requires adjustments to CI/CD pipelines and build processes, as legitimate post-install steps (such as compiling native modules) will need to be configured explicitly going forward. The exact migration paths and opt-in mechanisms in npm 12 are relevant for planning upgrade scenarios.
Source: thehackernews.com · Published June 11, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.6.5.