GitHub has announced a significant breaking change coming to npm version 12: install scripts will be disabled by default, a move the company says is necessary to combat the ongoing wave of software supply chain attacks that abuse lifecycle hooks to execute malicious code during package installation.
The Problem: Install Scripts as an Attack Vector
When a developer runs npm install, npm executes the lifecycle scripts declared in the scripts field of every installed package's package.json, transitive dependencies included: the preinstall, install, and postinstall hooks. Each hook is run as a shell command on the installing machine. These hooks were designed for legitimate purposes such as compiling native modules or generating configuration files, but they have become a primary mechanism for supply chain attackers, because they give a package arbitrary code execution without anyone ever importing it.
The technique is well-documented in recent high-profile incidents:
- The Shai-Hulud worm family used malicious postinstall hooks to spread across developer environments and CI/CD pipelines
- TeampCP supply chain campaigns consistently abused npm install hooks to deploy infostealers the moment a compromised package was installed
- The node-ipc incident demonstrated how a single widely trusted package, once its own maintainer turned hostile, could be weaponized against millions of developers overnight
Because install scripts run with the full privileges of whoever invoked npm, whether a developer's interactive shell or a CI runner holding deployment tokens, a single malicious package can steal credentials, exfiltrate secrets, install backdoors, or pivot into cloud provider credentials stored on the developer's workstation. No code in the project has to call the package; installing it is enough.
What npm v12 Will Change
According to GitHub's announcement, npm version 12 introduces the following breaking changes:
- Install scripts disabled by default: preinstall, install, postinstall, and related lifecycle hooks will no longer run automatically during npm install
- Explicit opt-in required: developers can re-enable install scripts globally with a configuration flag, or per-package via a new allow-list mechanism
- Audit log integration: When install scripts are permitted to run, npm will log the execution for security audit trails
- CI/CD guidance: GitHub Actions workflows and CI environments will have dedicated documentation for safely re-enabling only required install scripts
Packages that legitimately require install scripts (such as native add-ons like node-gyp dependencies) will need to be explicitly allowed, either by the developer or through a package-level declaration that has been vetted.
Industry Reaction
The change represents a meaningful shift in the balance between developer convenience and supply chain security. Reactions from the developer community have been mixed:
Supporters note that the vast majority of packages do not require install scripts for core functionality, and the security benefit of blocking untrusted code execution at install time is substantial. Security researchers have long advocated for exactly this kind of default-deny approach.
Critics raise concerns about the significant ecosystem disruption — many build toolchains, native bindings, and utility packages rely on install scripts, and updating millions of package.json files and CI pipelines is a non-trivial migration effort.
GitHub has acknowledged the disruption and indicated a migration period with deprecation warnings will precede the hard breaking change in the final npm v12 release.
The Broader Supply Chain Security Context
This announcement comes amid an unprecedented wave of npm supply chain attacks in 2026. The Miasma worm compromised dozens of Microsoft and GitHub repositories. The Mini Shai-Hulud worm spread through compromised maintainer accounts across the npm registry. TeampCP's sustained campaign has targeted major open-source ecosystems including SAP packages, Mistral AI, TanStack, and Checkmarx.
npm's registry hosts over 2.5 million packages and sees billions of downloads per week. A single compromised package with a malicious install script can reach hundreds of thousands of developer machines within hours of publication.
What Developers Should Do Now
In preparation for npm v12:
- Audit your dependencies: enumerate the full tree with npm ls --all, then inspect the scripts field of each installed package's package.json (nested node_modules directories included) for preinstall, install, and postinstall entries. The tree listing alone does not show which packages carry hooks.
- Test with --ignore-scripts: you can simulate the npm v12 default today by running npm install --ignore-scripts (or npm ci --ignore-scripts in CI) and verifying your build still succeeds.
- Create an allow-list: document which packages genuinely require install scripts, pinned to the exact versions you have vetted, and prepare your CI/CD configuration to explicitly permit only those. With current npm, installing with --ignore-scripts and then running npm rebuild <package> for each vetted package runs only that package's hooks.
- Review your CI pipelines: ensure GitHub Actions workflows and other CI systems will continue to function correctly under the new default.
- Lock your dependency versions: commit package-lock.json, install with npm ci in CI so the runner gets exactly what the lockfile records, and consider tools like Socket.dev or Snyk to monitor for malicious packages before they reach your machines.
The npm install script change is one of the most impactful supply chain security improvements to reach the JavaScript ecosystem in years. The short-term migration pain is a worthwhile trade-off for substantially raising the bar against the commodity supply chain attack techniques that have dominated 2026's threat landscape.