Find notable cyber news and cases, enriched with sources, timelines, and signals.

GitHub npm version 12 hardens installs and token management

Security Tool/Service
First reported
Last updated
Happening score
H score 11
1 unique sources, 1 articles

Summary

Hide ▲

GitHub released npm version 12, making install-time scripts opt-in by default and tightening package publishing controls to reduce supply-chain risk. The update also strips sensitive powers from 2FA-bypass granular access tokens (GATs), limiting token abuse in account and organization management. Developers must now explicitly approve trusted scripts, and automated publishing is being pushed toward trusted publishing (OIDC) or staged publishing with human approval.

Related Happenings

GitHub npm GAT publish-token mitigation guidance

Advisory/Mitigation
H score25 First: 09.07.2026 19:49 Last: 09.07.2026 19:49 Sources 1

How related: "To prepare, plan to move automated publishing to trusted publishing (OIDC) or staged publishing with a human approval step, rather than a long-lived publish token," GitHub said.

About this happening: GitHub is steering **npm users** away from **long-lived publish tokens** as **npm GATs** that bypass **2FA** lose direct publishing and sensitive-management abilities. The recomme...

Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity

Malware Activity
H score36 First: 26.06.2026 14:05 Last: 26.06.2026 14:05 Sources 1

About this happening: The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...

GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows

Security Tool/Service
H score11 First: 23.06.2026 17:22 Last: 23.06.2026 17:22 Sources 1

About this happening: GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...

Easy-day-js Mastra package-publishing campaign

Campaign
H score30 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...

Npm v12 default-blocks install scripts, Git dependencies, and remote URLs

Security Tool/Service
H score11 First: 12.06.2026 16:00 Last: 12.06.2026 16:00 Sources 1

About this happening: GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...

Timeline

  1. 09.07.2026 19:49 2 articles · 4h ago

    GitHub releases npm version 12 with install scripts off by default

    Initial Disclosure

    GitHub releases npm version 12 with install scripts disabled by default, so dependency lifecycle scripts, implicit node-gyp builds, git dependencies, and remote URL dependencies no longer run or resolve unless explicitly approved. The release also strips sensitive management and direct-publish capabilities from 2FA-bypass granular access tokens, and GitHub says the first token restriction is expected in early August 2026 while the direct-publish restriction is scheduled for January 2027.

    Show sources