GitHub's npm package manager will ship its most significant security redesign in years this July, when npm v12 makes three long-automatic install behaviors require explicit developer approval for the first time. Any engineering team running npm install in CI/CD pipelines without preparing before the upgrade will discover broken builds the moment v12 lands — a window that may now be measured in weeks, not months.
The change responds directly to a wave of supply chain attacks that made 2025 the worst year on record for the npm ecosystem. Attackers published nearly 455,000 malicious packages that year, exploiting a mechanism that has existed since npm's earliest design: the ability for any dependency to execute arbitrary shell commands the moment a developer runs npm install.
npm Install Scripts Have Always Been a Silent Code-Execution Door
Every time a developer installs a Node.js project's dependencies today, the package manager hands execution rights to every package in the dependency tree — including packages several levels deep the developer has never audited. Packages can define preinstall, install, and postinstall lifecycle scripts that run automatically and silently, with the full permissions of the user running the install.
GitHub described this as the "single largest code-execution surface" in the npm ecosystem. The average npm project pulls in 79 transitive dependencies, and any one of those packages can carry a malicious install script that runs without warning.
The attack surface is larger than most developers realize. Only about 2% of npm packages actually need install scripts to function — the vast majority use them as a convenience shortcut for build steps that could be performed explicitly instead. Under npm's current architecture, however, 100% of packages carry the legal right to run arbitrary code at install time. npm v12 narrows that 98% unnecessary attack surface to zero by default.
Read more: Red Hat npm Packages Compromised, 57 More Follow: Signed Attestations Cannot Block Pipeline Hijack
How npm v12 Works: Allowlist in Source Control
In v12, allowScripts defaults to off. When a developer runs npm install, the package manager checks the project's package.json for an explicit allowlist before running any lifecycle scripts from any dependency. Packages not on the list have their scripts silently blocked.
The allowlist is not a flag that disappears after a session — it is written to package.json and committed to source control. This means security teams can review it in pull requests, diff it against prior versions, and audit exactly which packages are authorized to execute code at install time. It is the first time npm has created a visible, version-controlled record of that trust decision.
The v12 change also closes a second attack vector that --ignore-scripts — npm's existing manual flag — could not address. When a project depends on a Git repository rather than a registry package, that repository's .npmrc file can override the Git executable used during installation. Attackers exploited this to execute code even on projects where developers believed --ignore-scripts had eliminated the risk. In v12, --allow-git defaults to none, blocking all Git dependencies (direct and transitive) unless explicitly approved.
A third change blocks remote URL dependencies — HTTPS tarballs and similar non-registry sources — by defaulting --allow-remote to none. This closes an attack vector where a malicious package at a remote URL could be substituted for an internal one.
One vector worth naming explicitly: the "Phantom Gyp" technique. An attacker who places a 157-byte binding.gyp file inside a compromised package triggers npm's implicit node-gyp rebuild call — an automatic C/C++ compilation step that npm runs for any package with that file, with no lifecycle script required and no --ignore-scripts protection. npm v12's allowScripts block catches this vector directly. The June 2026 Miasma worm used this exact technique to compromise 57 packages in a second wave after its initial 32-package campaign against Red Hat's official npm namespace.
Why This Is Happening Now
The Miasma supply chain attack of June 1, 2026 demonstrated in real time why the timing is no longer optional. The worm compromised 32 packages under Red Hat's official @redhat-cloud-services namespace, then returned two days later with the Phantom Gyp technique to compromise 57 more — all within a two-hour window. Wiz Research documented the second wave on June 4. GitHub published the npm v12 changelog on June 9, five days later.
The accelerating attack pace goes back further. In September 2025, attackers hijacked 18 widely-used packages including debug and chalk — packages found in virtually every Node.js project — with combined weekly downloads exceeding 2.6 billion. In March 2026, the Axios library, one of the most-depended-upon npm packages in existence, was compromised through stolen credentials. Microsoft Threat Intelligence in late May 2026 documented an active dependency confusion campaign targeting organizational namespaces that appeared to be internal corporate tools.
pnpm, a competing package manager, implemented the identical policy — blocking lifecycle scripts by default with an explicit allowlist — in pnpm v10 in January 2025, approximately 18 months before npm. The move attracted significant pushback from the Node.js community at the time but has since been credited with protecting pnpm users from attacks that hit npm projects. GitHub's announcement effectively brings npm's default behavior into alignment with what pnpm and other package managers (Yarn Berry and Bun) have required for years. npm was the last major JavaScript package manager still running dependency install scripts by default.
Mitch Ashley, VP and Practice Lead, Software Lifecycle Engineering and AI-Native Software Engineering at The Futurum Group, described the change as a fundamental rethinking of ecosystem-level trust. "Package installation is shifting from implicit trust to explicit allowlisting at the ecosystem's default layer," Ashley said. "Disabling automatic script execution, Git resolution, and remote fetches by default concedes that detecting malicious packages after publication cannot keep pace with how fast they appear. Engineering and platform teams now own a dependency allowlist committed to source control, and CI must fail builds on unreviewed install scripts. Verifying what executes at install time becomes a standing engineering obligation rather than a security team afterthought."
What npm v12 Does Not Fix
npm v12 is a meaningful reduction in attack surface, not a complete solution. A compromised package can still run malicious code when a developer calls its exported functions at runtime — the allowlist governs install time, not execution time. Compromised maintainer accounts that publish clean-looking code with malicious runtime logic are not addressed by this change. Typosquatting and vulnerable-but-legitimate packages remain outside the scope of v12's defenses.
The allowlist itself introduces a new social engineering surface. A developer who runs npm approve-scripts --all to make warnings disappear quickly defeats the entire purpose of the system — the allowlist becomes meaningless if teams approve every package indiscriminately rather than reviewing each one deliberately.
For open-source projects with complex install-script dependencies, the transition involves real work. The Node-RED team, maintainers of a widely-used open-source IoT platform, have identified 72 packages in their ecosystem with install scripts — 14 using preinstall, 9 using install, and 53 using postinstall. Their developers are currently evaluating whether to maintain prior behavior for users or adopt the new default, acknowledging that the secure choice requires non-trivial ecosystem changes.
How to Use npm approve-scripts Before July
GitHub has built a migration path that does not require waiting for v12 to ship. All three changes are available as advisory warnings in npm 11.16.0 and later — scripts are not blocked yet, but warnings surface wherever v12 would block them.
The recommended workflow: upgrade to npm 11.16.0 or later and run npm install normally. Warnings will appear for every package whose scripts or sources would be blocked by v12 defaults. Run npm approve-scripts --allow-scripts-pending to generate a full list of which packages have install scripts pending approval. Review each package — its purpose, its maintainer history, and whether the install script is genuinely necessary. Approve the ones that are necessary with npm approve-scripts and block the rest with npm deny-scripts. Commit the resulting allowlist in package.json to source control.
For teams that rely on internal HTTPS tarballs or monorepos that pin packages to Git branches, the right long-term fix is migration to a proper registry — GitHub Packages, Nexus, or Artifactory — rather than adding --allow-remote to every CI script. The flag exists and is legitimate for specific cases, but using it as a blanket override reduces the security benefit of the v12 change.
Package maintainers whose packages use install scripts should document the requirement clearly, linking to the npm approve-scripts documentation. The better long-term path is to ship prebuilt binaries using tools such as prebuild, prebuildify, or node-pre-gyp, which eliminate the need for install-time compilation entirely. A package that does not need an install script is a package that cannot be weaponized through one.
The July release date is firm. Teams that have not yet upgraded to npm 11.16.0 should treat that as the first action item.
Frequently Asked Questions
Will npm v12 break my existing projects?
Projects with native add-ons (packages that use node-gyp or contain a binding.gyp file), Git-pinned dependencies, or HTTPS tarball sources will see breaking changes if they upgrade to npm v12 without preparation. Pure JavaScript projects that depend only on registry packages with no install scripts will likely migrate without issues. The fastest way to determine your exposure is to upgrade to npm 11.16.0 and run npm install — warnings will identify every package that v12 would block.
How do I use npm approve-scripts to prepare my CI/CD pipeline?
Run npm approve-scripts --allow-scripts-pending to see a list of all packages with install scripts that are not yet covered by your project's policy. Review each package, approve the ones you trust with npm approve-scripts [package-name], and block the rest with npm deny-scripts. Commit the resulting changes to package.json to source control so the allowlist is available in all CI/CD environments. Avoid approving everything at once with a blanket flag — that defeats the purpose of the allowlist.
Does npm v12 stop all supply chain attacks?
No. npm v12 eliminates install-time script execution as an automatic attack vector, which removes one of the most commonly exploited mechanisms in supply chain attacks. However, malicious code embedded directly in a package's runtime functions — rather than in lifecycle scripts — will still reach developers who install the package. Compromised maintainer accounts, typosquatting, and vulnerable legitimate packages remain outside the scope of these default changes. Security teams should combine npm v12's allowlist controls with additional measures such as lockfile-only CI installs, minimum-release-age settings, and dependency audit tooling.
What is the Phantom Gyp attack that npm v12 blocks?
Phantom Gyp is an attack technique in which an attacker adds a small binding.gyp file to a compromised package. npm interprets any package with that file as a native add-on and automatically runs node-gyp rebuild during installation — even if the package has no explicit install script and even if --ignore-scripts is set. This made --ignore-scripts unreliable as a standalone defense. npm v12's allowScripts block catches this implicit build trigger directly, eliminating the vector without requiring developers to take any additional action beyond migrating to v12.
ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.
