GitHub npm version 12 hardens installs and token management
Security Tool/Service
Summary
Hide ▲
Show ▼
GitHub released npm version 12, making install-time scripts opt-in by default and tightening package publishing controls to reduce supply-chain risk. The update also strips sensitive powers from 2FA-bypass granular access tokens (GATs), limiting token abuse in account and organization management. Developers must now explicitly approve trusted scripts, and automated publishing is being pushed toward trusted publishing (OIDC) or staged publishing with human approval.
Related Happenings
GitHub npm GAT publish-token mitigation guidance
Advisory/Mitigation
H score25
First: 09.07.2026 19:49
Last: 09.07.2026 19:49
Sources 1
How related:
"To prepare, plan to move automated publishing to trusted publishing (OIDC) or staged publishing with a human approval step, rather than a long-lived publish token," GitHub said.
About this happening:
GitHub is steering **npm users** away from **long-lived publish tokens** as **npm GATs** that bypass **2FA** lose direct publishing and sensitive-management abilities. The recomme...
GitHub npm GAT publish-token mitigation guidance
Advisory/MitigationHow related: "To prepare, plan to move automated publishing to trusted publishing (OIDC) or staged publishing with a human approval step, rather than a long-lived publish token," GitHub said.
About this happening: GitHub is steering **npm users** away from **long-lived publish tokens** as **npm GATs** that bypass **2FA** lose direct publishing and sensitive-management abilities. The recomme...
Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity
Malware Activity
H score36
First: 26.06.2026 14:05
Last: 26.06.2026 14:05
Sources 1
About this happening:
The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...
Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity
Malware ActivityAbout this happening: The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...
GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows
Security Tool/Service
H score11
First: 23.06.2026 17:22
Last: 23.06.2026 17:22
Sources 1
About this happening:
GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...
GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows
Security Tool/ServiceAbout this happening: GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...
Easy-day-js Mastra package-publishing campaign
Campaign
H score30
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
Easy-day-js Mastra package-publishing campaign
CampaignAbout this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
Npm v12 default-blocks install scripts, Git dependencies, and remote URLs
Security Tool/Service
H score11
First: 12.06.2026 16:00
Last: 12.06.2026 16:00
Sources 1
About this happening:
GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...
Npm v12 default-blocks install scripts, Git dependencies, and remote URLs
Security Tool/ServiceAbout this happening: GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...
Timeline
-
09.07.2026 19:49 2 articles · 4h ago
GitHub releases npm version 12 with install scripts off by default
Initial DisclosureGitHub releases npm version 12 with install scripts disabled by default, so dependency lifecycle scripts, implicit node-gyp builds, git dependencies, and remote URL dependencies no longer run or resolve unless explicitly approved. The release also strips sensitive management and direct-publish capabilities from 2FA-bypass granular access tokens, and GitHub says the first token restriction is expected in early August 2026 while the direct-publish restriction is scheduled for January 2027.
Show sources
- npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk — thehackernews.com — 09.07.2026 19:49
- npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk — thehackernews.com — 09.07.2026 19:49