Close Menu

    Subscribe to Updates

    Get the latest creative news from infofortech

    What's Hot

    AWS Security Hub expands coverage to Microsoft Azure and beefs up AI protections

    July 14, 2026

    Why Personalized Lead Data Analysis Beats Bulk Reporting Every Single Time

    July 14, 2026

    Grunge meets slop: An AI time traveler visits 1992 Seattle when music, not tech, ruled the city

    July 14, 2026
    Facebook X (Twitter) Instagram
    InfoForTech
    • Home
    • Latest in Tech
    • Artificial Intelligence
    • Cybersecurity
    • Innovation
    Facebook X (Twitter) Instagram
    InfoForTech
    Home»Cybersecurity»npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk
    Cybersecurity

    npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk

    InfoForTechBy InfoForTechJuly 9, 2026No Comments3 Mins Read
    Facebook Twitter Pinterest Telegram LinkedIn Tumblr WhatsApp Email
    npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk
    Share
    Facebook Twitter LinkedIn Pinterest Telegram Email


    Ravie LakshmananJul 09, 2026Supply Chain Security / DevSecOps

    GitHub has officially announced the release of npm version 12 with install scripts disabled by default, along with deprecating granular access tokens (GATs) designed to bypass two-factor authentication (2FA).

    The Microsoft-owned subsidiary noted that the following npm install behaviors that used to run automatically before have been made opt-in –

    • allowScripts defaults to off, meaning dependency lifecycle scripts (i.e., preinstall, install, postinstall) and implicit node-gyp builds no longer run unless explicitly allowed.
    • –allow-git defaults to none, meaning –allow-git defaults to none: Git dependencies (direct or transitive) are no longer resolved unless explicitly allowed.
    • –allow-remote defaults to none, meaning dependencies from remote URLs (e.g., https tarballs) are no longer resolved unless explicitly allowed.

    To review and approve trusted scripts, users are now required to run: “npm approve-scripts –allow-scripts-pending,” then commit the resulting allowlist in the “package.json” file.

    It’s worth noting that these changes were previewed last month, with GitHub recommending developers to upgrade to npm 11.16.0 or newer, run the normal install command, and review the warnings displayed.

    The latest npm release version also introduces two new changes –

    • npm GATs configured to bypass 2FA will no longer be able to perform sensitive account, package, and organization management actions. This includes creating or deleting tokens, generating recovery codes and changing npm account password, email, profile, or 2FA configuration, changing package access, maintainers, or trusted publishing configuration, and managing organization and team membership as well as their package grants.
    • npm GATs will no longer retain the ability to publish directly. Their publishing surface will be limited to reading private packages and staging a publish, where a package only becomes public after a human 2FA approval.

    The first of two changes is expected to take effect in early August 2026. In the interim, it’s advised to stop using 2FA-bypass tokens for the aforementioned operations and perform them interactively with 2FA. The second change is scheduled for January 2027.

    “To prepare, plan to move automated publishing to trusted publishing (OIDC) or staged publishing with a human approval step, rather than a long-lived publish token,” GitHub said.

    The development comes as pnpm 11.10 introduces a new “_auth” setting for configuring registry authentication as a single structured, URL-keyed value.

    “The security benefit is that the credential and the host it belongs to travel together, and pnpm reads _auth only from the environment or the global config, never from a project’s files,” Socket explained.

    “That means a malicious or compromised pnpm-workspace.yaml or .npmrc inside a repository cannot point a valid token at a different host. A tampered project file is a common way attackers get a foothold, and redirecting a registry token is a direct route to stealing it, so closing that path removes exposure.”

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    InfoForTech
    • Website

    Related Posts

    U.S. Sanctions First VPN Service and Malware Cryptor Seller Over Ransomware Support

    July 14, 2026

    CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks

    July 13, 2026

    Rokarolla Android Malware, How to Protect Your Banking Apps

    July 13, 2026

    Europe Must Sell Intelligence, Not Electrons

    July 13, 2026

    Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns

    July 12, 2026

    Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install

    July 12, 2026
    Leave A Reply Cancel Reply

    Advertisement
    Top Posts

    DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks

    March 20, 202638 Views

    Microsoft is bringing an AI helper to Xbox consoles

    March 14, 202618 Views

    Why Security Validation Is Becoming Agentic

    March 16, 202616 Views

    This is the tech that makes Volvo’s latest EV a major step forward

    January 24, 202616 Views
    Stay In Touch
    • Facebook
    • Twitter
    • Pinterest
    • Instagram
    • YouTube
    • Vimeo
    Advertisement
    About Us
    About Us

    Our mission is to deliver clear, reliable, and up-to-date information about the technologies shaping the modern world. We focus on breaking down complex topics into easy-to-understand insights for professionals, enthusiasts, and everyday readers alike.

    We're accepting new partnerships right now.

    Facebook X (Twitter) YouTube
    Most Popular

    DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks

    March 20, 202638 Views

    Microsoft is bringing an AI helper to Xbox consoles

    March 14, 202618 Views

    Why Security Validation Is Becoming Agentic

    March 16, 202616 Views
    Categories
    • Artificial Intelligence
    • Cybersecurity
    • Innovation
    • Latest in Tech
    © 2026 All Rights Reserved InfoForTech.
    • Home
    • About Us
    • Contact Us
    • Privacy Policy

    Type above and press Enter to search. Press Esc to cancel.

    Ad Blocker Enabled!
    Ad Blocker Enabled!
    Our website is made possible by displaying online advertisements to our visitors. Please support us by disabling your Ad Blocker.