Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
npm 12 Enhances Security by Disabling Install Scripts

npm 12 Enhances Security by Disabling Install Scripts

Posted on July 9, 2026 By CWS

GitHub has rolled out npm version 12, introducing a significant security enhancement by disabling install scripts by default. This change aims to mitigate supply chain threats often associated with automated script execution during package installations.

Key Changes in npm 12

In a bid to bolster security, the new npm version alters several default behaviors that previously permitted automatic script execution. Now, the allowScripts setting is turned off by default, preventing the automatic execution of dependency lifecycle scripts such as preinstall, install, and postinstall. Additionally, npm’s handling of Git and remote URL dependencies has been tightened. The new default settings require explicit user permission for these dependencies to be resolved, making the process opt-in rather than automatic.

To manage and approve scripts deemed trustworthy, users must now execute the command npm approve-scripts –allow-scripts-pending. This creates an allowlist in the package.json file, ensuring that only verified scripts are run.

Impact on Granular Access Tokens and 2FA

Furthermore, npm 12 introduces changes affecting Granular Access Tokens (GATs), especially those used to bypass two-factor authentication. From August 2026, these tokens will lose the ability to perform sensitive actions such as account management and package configuration. GitHub advises developers to avoid using such tokens for critical operations and instead rely on interactive 2FA methods.

By January 2027, GATs will no longer support direct publishing. Instead, they will be limited to reading and staging packages, awaiting human 2FA approval for public release. This shift encourages a move toward more secure publishing practices, such as trusted or staged publishing.

pnpm’s Security Update

In related developments, pnpm version 11.10 now supports a new authentication configuration. The _auth setting allows credentials to be paired with their corresponding host as a single structured value. This change enhances security by ensuring that credentials are only retrieved from secure sources like the environment or global configuration, reducing the risk of token misuse from tampered project files.

The implementation of these security measures underscores the ongoing efforts to fortify software development environments against potential cyber threats. Developers are encouraged to adopt these updates promptly to safeguard their projects and maintain the integrity of the supply chain.

The Hacker News Tags:2FA, Cybersecurity, development tools, DevSecOps, Git dependencies, GitHub, install scripts, NPM, pnpm, remote URLs, software development, supply chain security, Tokens, trusted publishing

Post navigation

Previous Post: Maximizing Threat Intelligence for Effective SOC Operations
Next Post: AssuranceAmerica Data Breach Affects Millions’ Personal Data

Related Posts

Researchers Reveal Reprompt Attack Allowing Single-Click Data Exfiltration From Microsoft Copilot Researchers Reveal Reprompt Attack Allowing Single-Click Data Exfiltration From Microsoft Copilot The Hacker News
The CTEM Conversation We All Need The CTEM Conversation We All Need The Hacker News
The New JavaScript Injection Playbook The New JavaScript Injection Playbook The Hacker News
New Oracle E-Business Suite Bug Could Let Hackers Access Data Without Login New Oracle E-Business Suite Bug Could Let Hackers Access Data Without Login The Hacker News
Mustang Panda Exploits Cloud Service in Indian Cyber Attacks Mustang Panda Exploits Cloud Service in Indian Cyber Attacks The Hacker News
Cyber Criminals Exploit Open-Source Tools to Compromise Financial Institutions Across Africa Cyber Criminals Exploit Open-Source Tools to Compromise Financial Institutions Across Africa The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • AssuranceAmerica Data Breach Affects Millions’ Personal Data
  • npm 12 Enhances Security by Disabling Install Scripts
  • Maximizing Threat Intelligence for Effective SOC Operations
  • Palo Alto Networks Fixes Critical Security Flaws
  • Windows Update Installs LG App with McAfee Ads

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • AssuranceAmerica Data Breach Affects Millions’ Personal Data
  • npm 12 Enhances Security by Disabling Install Scripts
  • Maximizing Threat Intelligence for Effective SOC Operations
  • Palo Alto Networks Fixes Critical Security Flaws
  • Windows Update Installs LG App with McAfee Ads

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark