GitHub changes npm security rules to block supply-chain attacks
- Evelyn Carter

- 3 days ago
- 2 min read
Downloading and installing project dependencies is a routine task for developers, but it often carries hidden security risks. To address these vulnerabilities, GitHub has announced significant security-focused modifications arriving with the upcoming npm v12 next month.
How do attackers exploit the npm install command?
Developers run the npm install command to download project dependencies after cloning repositories, pulling updates, or running automated CI/CD builds. Cybercriminals target this command specifically because it allows automated code execution during the installation process, opening the door for unauthorized and malicious scripts to run on a developer's system without explicit consent.

What are the main security updates introduced in npm v12?
The core theme of GitHub's update is moving away from default trust. Code execution and external dependency sources will now require explicit user approval. The major adjustments include:
- Disabling automatic script execution: Starting with npm v12, the tool will stop running preinstall, install, or postinstall scripts from dependencies unless permitted. This restriction covers native module builds triggered via node-gyp and prepare scripts from Git, local files, or linked dependencies.
- Blocking automatic Git repository fetching: The tool will no longer fetch direct or transitive dependencies from Git repositories without permission. This eliminates a code execution path where a Git dependency's .npmrc file could alter the Git executable being used.
- Restricting remote URL dependency resolution: Dependencies linked via remote URLs, such as HTTPS tarballs, will not be resolved unless explicitly authorized by the developer.
Which cyber threats will these changes mitigate?
Eliminating the automatic execution of installation scripts and the automatic resolution of Git or remote URL dependencies will heavily reduce supply-chain attacks. These new defaults are designed to break the mechanisms used in recent malicious campaigns, such as those targeting eslint-config-prettier, Toptal's Picasso packages, dozens of data-stealing npm libraries, and Git dependency manipulation seen in Shai-Hulud attacks.

How should developers prepare for this upcoming update?
Projects that legitimately rely on these automatic behaviors must explicitly opt in before upgrading to npm v12. GitHub advises moving to npm 11.16.0 or newer first, as this version displays clear warnings for any actions that will break under the upcoming update. This allows teams to audit their dependencies and workflows before the strict rules of version 12 take effect. Additionally, GitHub has launched a community discussion for developers to share feedback regarding these updates.
Cybersecurity solutions from IPSIP Vietnam
The evolution of npm v12 security settings marks an important step in safeguarding development pipelines, underscoring the ongoing need for strict cybersecurity practices within software lifecycles.
To help your organization actively defend against supply-chain threats and open-source vulnerabilities, IPSIP Vietnam delivers advanced security auditing and infrastructure protection solutions.

IPSIP Vietnam engineers specialized, non-commodity testing methodologies aligned directly with complex enterprise architectures. The organization maintains rigorous adherence to global compliance standards, operating under verified ISO 27001:2022 and SOC 2 Type II frameworks.
Utilizing an elite roster of over 80 certified security professionals and leveraging an advanced Network and Security Operations Center NOC 24/7 & SOC 24/7, IPSIP Vietnam ensures corporate assets undergo meticulous, secure, and deeply insightful validation.