GitHub has announced a breaking change for npm version 12: install scripts are disabled by default. The change targets a long-standing supply chain attack vector, the abuse of npm lifecycle hooks that run while a package is being installed.
Install scripts are commands declared under the "scripts" field of a package's package.json (preinstall, install, postinstall, and, for git or local-path dependencies, prepare) that npm runs automatically during "npm install", "npm ci" and "npm update". Attackers abuse this mechanism by placing malicious commands in those fields. When developers pull the dependency into a project, the hooks fire without any explicit action beyond the install itself, executing attacker-controlled commands with the installing user's privileges.
The attack chain works like this. A threat actor publishes a malicious npm package, or takes over an existing one (for example through a stolen maintainer token or a hijacked maintainer account), and adds a preinstall or postinstall hook. A developer, or a CI job, installs the package directly or as a transitive dependency. The hook runs during installation, and because npm hides script output by default the developer typically sees nothing. The attacker now has code execution in the developer's environment, with access to whatever that environment holds: source code, credentials in the home directory, environment variables, and tokens for other registries and cloud providers.
Compromised dependencies have been a recurring theme since the "event-stream" incident in 2018, in which a newly added dependency carried code that targeted a cryptocurrency wallet; that payload ran when the module was loaded by the victim application rather than from an install hook, but it demonstrated how far a single compromised package propagates. Later campaigns have used the install hooks themselves, injecting credential stealers and other malware into popular packages and reaching developers across industries at install time, before any application code runs.
Disabling install scripts by default removes the automatic code-execution step from the attack chain and shrinks the attack surface accordingly. Developers who need scripts for specific packages can enable them explicitly; the announcement refers to a "--force-scripts" flag for this, and exceptions for trusted packages can be configured locally. This opt-in model replaces the previous implicit trust in every package in the tree. Teams that are not yet on npm 12 can get the same effect today with the long-standing "ignore-scripts" setting (for example "ignore-scripts=true" in a project or user .npmrc), then run "npm rebuild <package>" for the specific packages whose build steps they have reviewed.
The breaking change requires developers to consciously enable script execution. Some legitimate packages do rely on install scripts, most often to compile native addons with node-gyp or to download prebuilt binaries, and those will need an explicit exception. The security tradeoff still favors the default-off position: the set of packages that genuinely need install-time execution is small and knowable, while the set that could be compromised is the whole dependency tree. Organizations can codify the exceptions as a reviewed allowlist in their npm configuration and treat any new install hook appearing in the tree as a change that needs review.
This change reflects a broader industry shift toward hardening the software supply chain, and other package managers and registries have adopted comparable restrictions on install-time code execution. The npm ecosystem is under constant pressure because it sits directly in the development pipeline: a single compromised package reaches every downstream project that depends on it, directly or transitively, at a scale no other delivery channel offers an attacker.
GitHub's change arrives as supply chain attacks remain a top threat vector. The move forces developers to consider each package's legitim
