GitHub's npm Gets Security Overhaul to Block Supply Chain Attacks

GitHub's npm v12 enhances security by blocking install scripts, Git dependencies, and remote URL packages by default from July 2026.

By Content Team

Jun 12, 2026

ON THIS PAGE

Share

---

ON THIS PAGE

Want more insights like this?

Subscribe to our newsletter to get the latest software protection strategies delivered to your inbox.

By submitting your email, you consent to Codekeeper contacting you and agree to our privacy policy.

GitHub is overhauling npm with version 12, flipping three long-standing permissive defaults to fight software supply chain attacks. Starting July 2026, npm will block install scripts, Git dependencies, and remote URL packages by default — all requiring explicit developer opt-in. Developers can preview the changes now by upgrading to npm v11.16.0.

Security experts are cautiously supportive. Semgrep's Isaac Evans praised the structural approach but warned attackers will pivot to private repositories like Artifactory. Researcher Paul McCarty fears developers will blindly approve blocked scripts just to get builds working — potentially turning the update into security theatre.

Source: Infosecurity Magazine

Share this article

Have questions about protecting your software?

Our escrow experts are standing by to help.

Book a free demo

YOU MAY ALSO LIKE

Substack Confirms Data Breach Affecting 700,000 Users After Hacker Leaks Information

Feb 6, 2026

Critical Chrome Zero-Day Exploit Code Goes Public After Active Attacks

Mar 3, 2026

Hackers Threaten Rockstar Games Over Grand Theft Auto VI Data Breach

Apr 14, 2026

CISA Warns of Actively Exploited Magento Plugin Flaw Enabling Remote Code Execution

Jun 6, 2026