tlder@devnpm v12 Ships This Month, Blocking Install Scripts by Default
tlder@dev:~$
Security/Supply Chain

npm v12 Ships This Month, Blocking Install Scripts by Default

  • Shipped
  • Action required
  • Breaking change
  • High importance

Finally. npm v12 is the package manager's most significant security redesign in 16 years, and it's shipping this month. Install scripts — the mechanism that let every package in a dependency tree execute arbitrary shell commands during `npm install` — are now blocked by default, along with Git dependencies and remote sources. Any package that relied on a postinstall or preinstall hook will fail until explicitly permitted. The change is a direct response to a cascade of 2026 supply chain attacks attributed to North Korean threat actors (Sapphire Sleet / BlueNoroff). The Axios maintainer account was compromised in March, putting malicious code in front of ~100M weekly downloads. Days later, 140+ Mastra AI packages were poisoned in under 20 minutes. May brought three simultaneous malicious versions of node-ipc (10M+ weekly downloads). June saw 32 packages under the @redhat-cloud-services namespace hit. The pattern was consistent: it was never a vulnerability in npm itself, just the trusted-by-default execution of install scripts. If your project or any of its transitive dependencies uses install scripts, `npm install` will break on v12. Audit your dependency tree now — `npm install --ignore-scripts` is a useful canary. Packages that genuinely need post-install steps will need an explicit opt-in, and you should expect some upstream maintainers to be slow to adapt.