logo

npm v12 blocks install scripts: What it means for software security

ID: 68151d47-0e91-54dc-8d35-3c83923705fd

STIX ID: report--68151d47-0e91-54dc-8d35-3c83923705fd

Feed Name: ReversingLabs Blog

Threat Score
70/100

Date Published: 2026-06-16

Date Updated: 2026-06-16

Author: John P. Mello Jr.

...
...

The report explains that npm v12 will stop executing dependency install-time scripts by default to block widespread supply-chain worms that exploited preinstall/postinstall hooks. Industry experts welcome the change as a major hardening step but warn it may break legitimate workflows, cause approval fatigue, and won’t eliminate other supply-chain attack vectors such as runtime malware, maintainer account takeovers, or CI/trusted-publishing abuses.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.