GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks
GitHub has announced that npm will stop running package install scripts by default, a change aimed at supply chain attacks that rely on arbitrary code executing automatically during package installation. The change was reported by The Hacker News on June 11, 2026. Today a package's `preinstall`, `install` and `postinstall` hooks run without any prompt whenever the package is installed, so a compromised or malicious package can execute code on a developer's machine or in a CI/CD pipeline the moment it enters the dependency tree. Under the new default those scripts will not run, and developers will have to opt in explicitly for packages they trust. The announcement gave no timeline and did not describe how individual packages will be allow-listed. It follows a series of high-profile supply chain incidents involving npm packages, although the source names none, and the source does not elaborate on other industry measures or on the expected impact on the npm ecosystem.
Disabling install scripts by default reduces the risk of supply chain attacks via npm packages.