🟡 Medium | Source: The Hacker News
npm version 12 has been released with install scripts disabled by default, meaning packages can no longer automatically execute arbitrary code during installation without explicit opt-in. GitHub is also deprecating granular access tokens that could be used to circumvent two-factor authentication. These changes directly reduce the attack surface for supply chain attacks via malicious npm packages.
Security Architect’s Take: Review your CI/CD pipelines and developer workstation tooling for any reliance on automatic install scripts — you will need to explicitly enable allowScripts for legitimate use cases. Audit existing npm tokens and rotate any granular access tokens (GATs) ahead of their deprecation, ensuring all service accounts use 2FA-compliant authentication.
Original advisory: npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk