The gist: npm 12 makes the execution of install scripts an opt-in rather than opt-out, thereby closing a supply-chain attack surface.
GitHub has released npm version 12 and automatically disables executable install scripts by default. In parallel, the ability to bypass two-factor authentication with granular access tokens is being discontinued.
GitHub (Microsoft) has introduced a new security model for package installation in npm version 12. The central change: the allowScripts setting is now disabled by default. This means that installation, postinstall, and postuninstall scripts, which were previously executed automatically when packages were fetched, must now be explicitly approved.
This measure targets an established attack surface in JavaScript dependency chains. Malware authors regularly exploit such automatic scripts to execute malicious code — for example for data exfiltration or cryptomining. By preventing automatic execution, npm forces developers to consciously approve every script execution or re-examine dependencies before allowing them to run.
In parallel, GitHub is discontinuing granular access tokens (GATs). These had previously been a workaround to bypass two-factor authentication — a known vector for account takeovers and malicious package publishing. With this elimination, GitHub strengthens the enforcement of 2FA on privileged operations.
For CTOs, this means concretely: development and CI/CD pipelines must be adjusted if they rely on automatic script execution. At the same time, the risk of supply-chain attacks on npm packages decreases significantly — a point that is also relevant in the NIS2 Directive on supply-chain security.
Source: thehackernews.com · Published July 9, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.