Npm v12 default-blocks install scripts, Git dependencies, and remote URLs
Security Tool/Service
Summary
GitHub announced npm v12, which will block install scripts, Git dependencies, and remote URLs by default, moving package installation from implicit trust to explicit opt-in and closing off common supply-chain attack paths. The rollout is scheduled for July 2026 and replaces the historically permissive dependency handling of the npm ecosystem. Developers can already move to npm 11.16.0 or newer and use `npm approve-scripts` to audit blocked scripts and build local allowlists.
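The summary above names the three install-time behaviours npm v12 will block by default, and the Miasma entry further down describes a fourth variant of the same problem: a package that declares no install script but ships a `binding.gyp`, which npm treats as an implicit `install` step and compiles with `node-gyp rebuild`. The following Node.js script is an added example, not npm's own code or GitHub's tooling: it audits a `package-lock.json` "packages" map and the installed manifests for all four conditions, so a team can see what an upgrade to the v12 defaults would stop before it happens. The lockfile, the manifests, the package names, the trusted-registry list and the `hasBindingGyp` flag (which stands in for an existence check of `binding.gyp` on disk; `loadFromDisk` performs that check on a real project) are all constructed sample data.

```javascript
// Added example, not npm's or GitHub's code. Audits a package-lock.json
// "packages" map plus installed manifests for what npm v12 blocks by default:
// install scripts, Git dependencies and non-registry tarball URLs. Also flags
// the implicit `node-gyp rebuild` npm runs for a package that ships binding.gyp
// without declaring its own install/preinstall script (the Miasma vector).
// All sample data below is constructed; package names are hypothetical.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Assumption: the registries you consider trusted.
const TRUSTED_REGISTRIES = ["https://registry.npmjs.org/"];

// How a lockfile entry was resolved: "registry", "git", "remote", "link" or "unknown".
function classifySource(entry, registries = TRUSTED_REGISTRIES) {
  const r = entry.resolved || "";
  if (/^(git\+|git:|ssh:\/\/git@|github:)/.test(r)) return "git";
  if (/^https?:\/\//.test(r)) {
    return registries.some((reg) => r.startsWith(reg)) ? "registry" : "remote";
  }
  if (entry.link) return "link"; // workspace symlink, nothing is fetched
  return "unknown";
}

// Install-time hooks a manifest would run, including npm's implicit node-gyp
// rebuild. `hasBindingGyp` is set by loadFromDisk (or constructed below).
function installHooks(manifest) {
  const scripts = manifest.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");
  const explicit = "install" in scripts || "preinstall" in scripts;
  if (manifest.hasBindingGyp && !explicit) hooks.push("install (implicit: node-gyp rebuild)");
  return hooks;
}

// One finding per package that the npm v12 defaults would stop or warn on.
function auditLockfile(lock, manifests, registries = TRUSTED_REGISTRIES) {
  const findings = [];
  for (const [pkgPath, entry] of Object.entries(lock.packages || {})) {
    if (pkgPath === "") continue; // the root project itself
    const name = entry.name || pkgPath.split("node_modules/").pop();
    const reasons = [];
    const source = classifySource(entry, registries);
    if (source === "git") reasons.push("git dependency");
    if (source === "remote") reasons.push(`remote URL: ${entry.resolved}`);
    const manifest = manifests[pkgPath];
    if (manifest) for (const h of installHooks(manifest)) reasons.push(`install script: ${h}`);
    if (reasons.length) findings.push({ name, path: pkgPath, version: entry.version, reasons });
  }
  return findings;
}

// Reads a real project: package-lock.json plus each installed package.json,
// recording whether binding.gyp sits beside it. Not used by the sample below.
function loadFromDisk(projectDir) {
  const fs = require("fs");
  const path = require("path");
  const lock = JSON.parse(fs.readFileSync(path.join(projectDir, "package-lock.json"), "utf8"));
  const manifests = {};
  for (const p of Object.keys(lock.packages || {})) {
    if (p === "") continue;
    const dir = path.join(projectDir, p);
    try {
      const m = JSON.parse(fs.readFileSync(path.join(dir, "package.json"), "utf8"));
      m.hasBindingGyp = fs.existsSync(path.join(dir, "binding.gyp"));
      manifests[p] = m;
    } catch (_) { /* not installed yet; lockfile-only findings still apply */ }
  }
  return { lock, manifests };
}

// Constructed lockfile (v3 shape) and manifests with hypothetical package names.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad-ish": { version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.3.0.tgz" },
    "node_modules/native-helper": { version: "0.2.1",
      resolved: "https://registry.npmjs.org/native-helper/-/native-helper-0.2.1.tgz" },
    "node_modules/telemetry-kit": { version: "2.0.0",
      resolved: "git+ssh://git@github.com/example-org/telemetry-kit.git#0123456789abcdef0123456789abcdef01234567" },
    "node_modules/vendored-blob": { version: "9.9.9",
      resolved: "https://cdn.example.invalid/vendored-blob-9.9.9.tgz" },
  },
};
const SAMPLE_MANIFESTS = {
  "node_modules/left-pad-ish": { name: "left-pad-ish", scripts: { test: "node test.js" } },
  // binding.gyp present, no install script: npm will run node-gyp rebuild anyway
  "node_modules/native-helper": { name: "native-helper", hasBindingGyp: true, scripts: {} },
  "node_modules/telemetry-kit": { name: "telemetry-kit", scripts: { postinstall: "node setup.js" } },
  "node_modules/vendored-blob": { name: "vendored-blob" },
};

function runSample() {
  return auditLockfile(SAMPLE_LOCK, SAMPLE_MANIFESTS);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of runSample()) console.log(`${f.path} (${f.version}): ${f.reasons.join("; ")}`);
}
```

Run against the constructed sample, three of the four packages are reported: the Git dependency that also carries a `postinstall` hook, the tarball served from a non-registry host, and the native package that declares no scripts at all yet would still execute `node-gyp rebuild` during `npm install`. The plain registry package with only a `test` script produces nothing. On a real project, replace the sample with `loadFromDisk(".")` and feed its `lock` and `manifests` to `auditLockfile`; the same findings are the candidates you would be deciding on when building an allowlist.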
Related Happenings
GitHub npm v12 hardens install-time dependency execution and source resolution
Security Tool/Service
H score: 11
First: 10.06.2026 22:41
Last: 10.06.2026 22:41
Sources 1
About this happening:
**GitHub** is tightening **npm v12** next month by blocking automatic dependency install scripts and non-registry sources, reducing supply-chain attack paths triggered by **npm in...
IronWorm npm supply-chain infection and self-propagation
Malware Activity
H score: 15
First: 04.06.2026 18:25
Last: 04.06.2026 18:25
Sources 1
About this happening:
**IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
Asteroiddao hit by network compromise
Incident
H score: 13
First: 04.06.2026 18:25
Last: 04.06.2026 18:25
Sources 1
About this happening:
**asteroiddao** suffered a compromised-account incident that let malicious npm package versions and repository commits seed a wider **supply-chain attack**. The account was used t...
Miasma GitHub and npm supply-chain campaign
Campaign
H score: 26
First: 02.06.2026 00:38
Last: 02.06.2026 00:38
Sources 1
About this happening:
The **Miasma** supply-chain campaign has expanded into a new **PyPI** branch called **Hades**, with **37 malicious wheel artifacts** across **19 packages**. The compromised releas...
Latest development: 05.06.2026 21:05
A new Miasma wave is linked to 57 compromised npm packages across more than 286 malicious versions. The malicious installs abuse a 157-byte binding.gyp file to gain code execution during npm install, then stage additional payloads that inject persistent backdoor files into project repositories and target AI-assisted IDE workflows.
TrapDoor cross-ecosystem supply-chain campaign
Campaign
H score: 38
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...
Timeline
- 10.06.2026 03:00 · 1 article
Security experts warn npm v12 could shift attacker focus and create developer friction
Technical Analysis Update: On June 10, Paul McCarty warned that the npm v12 changes could become security theatre if developers face enough friction that they blindly approve blocked scripts. Isaac Evans also argued that attackers may pivot toward private corporate repositories such as Artifactory and Nexus as public package managers tighten their defaults, while legitimate maintainers may adopt suspicious-looking workarounds that complicate triage.
- GitHub to Update npm to Thwart Software Supply Chain Attacks — www.infosecurity-magazine.com — 12.06.2026 16:00
- 09.06.2026 03:00 · 2 articles
GitHub announces npm v12 with default-blocking install scripts, Git dependencies, and remote URLs
Initial Disclosure: GitHub announced npm v12 with three security-focused breaking changes that move package installation from implicit trust to explicit opt-in. The rollout is slated to begin in July 2026; the new defaults will block install scripts, Git dependencies, and remote URLs unless explicitly permitted, and npm 11.16.0 or newer already offers warning and audit support so teams can find affected dependencies before the defaults change.
- GitHub to Update npm to Thwart Software Supply Chain Attacks — www.infosecurity-magazine.com — 12.06.2026 16:00