Skip to content
Innovation & Growth

npm v12 Will Disable Install Scripts by Default. The Single Biggest Supply Chain Defense Ever Shipped for JavaScript.

Arriving July 2026, npm v12 kills the attack vector behind Miasma, Shai-Hulud, Atomic Arch, and every preinstall-hook worm of the last decade. Dependencies will no longer execute code during installation unless explicitly allowed. Three breaking changes. One architectural decision. The npm supply chain era may be ending.

· 6 min read
Share on X LinkedIn
npm v12 Will Disable Install Scripts by Default. The Single Biggest Supply Chain Defense Ever Shipped for JavaScript.

The Default That Changes Everything

GitHub announced that npm v12 — arriving July 2026 — will disable dependency install scripts by default. preinstall, install, and postinstall scripts from packages in your dependency tree will not execute unless you explicitly opt in. This single default change eliminates the primary attack vector used by every major npm supply chain attack of the last decade: the preinstall hook that downloads and executes a malicious payload the moment you run npm install.

Three breaking changes ship together. First: no automatic script execution from dependencies. Second: no automatic Git dependency resolution, closing a path where malicious .npmrc files could override the Git executable. Third: no automatic remote URL dependencies, blocking HTTPS tarballs unless explicitly allowed. Each change removes implicit trust. Together, they transform npm from 'trust everything by default' to 'trust nothing unless explicitly authorized.'

Install scripts OFF by default
Change
preinstall/install/postinstall from dependencies will not run. Source: GitHub Blog, June 9, 2026.
npm v12, July 2026
Arrival
Developers should upgrade to npm 11.16.0+ now for deprecation warnings. Source: GitHub Changelog.
Miasma, Shai-Hulud, Atomic Arch, IronWorm
Attacks this prevents
All used preinstall hooks as entry vector. Source: WebPulse analysis.

What This Kills

The Miasma worm compromised 32 @redhat-cloud-services npm packages and self-propagated using preinstall hooks. The Shai-Hulud campaign poisoned 170+ packages across npm and PyPI using the same mechanism. The Atomic Arch attack adopted orphaned AUR packages that fetched malicious npm packages via install hooks. IronWorm used Rust-compiled binaries delivered through npm postinstall scripts. Every one of these attacks — 497 malicious packages in the first half of 2026 alone — would fail against npm v12's default configuration.

The preinstall hook was originally designed for legitimate use: compiling native modules, downloading platform-specific binaries, running database migrations during development setup. These legitimate uses will still work — developers can explicitly allow script execution for packages they trust. But the default changes from 'all scripts run automatically' to 'no scripts run unless you said so.' The attacker must now convince you to opt in, not just convince you to install.

The Ecosystem Impact

Some packages genuinely need install scripts. node-gyp compiles C++ addons. sharp downloads platform-specific image processing binaries. sqlite3 builds native database bindings. These packages will require developers to explicitly allow their install scripts — a minor friction that dramatically reduces attack surface. The npm team estimates that fewer than 5% of packages use install scripts for legitimate purposes. The other 95% never needed them and never ran them. But any of those 95% could have been compromised to add a malicious postinstall hook, and it would have executed silently.

For web framework ecosystems, this is a structural advantage for frameworks with fewer native dependencies. Astro, Vite, and Next.js installations will work identically with npm v12 — their dependency trees are JavaScript-only. WordPress's npm toolchain (for Gutenberg block development) relies on several packages with install scripts. Django and FastAPI have no npm dependency tree at all. The framework that minimizes native compilation in its install path is the framework that benefits most from npm v12's new default.

Why It Took Until 2026

npm could have disabled install scripts years ago. The security argument was always clear. The resistance was ecosystem compatibility: too many packages relied on install scripts for legitimate purposes, and breaking them would fragment the ecosystem. What changed in 2026 is that the cost of the current default exceeded the cost of breaking compatibility. 497 malicious packages in six months. The Miasma worm compromising Red Hat's official packages. OpenAI confirming employee devices affected. The supply chain attack volume made the status quo untenable.

This pattern — security defaults changing only after catastrophic attacks force the issue — is consistent across the web ecosystem. HTTPS became the default after years of advocacy and the Let's Encrypt campaign. SameSite cookies became the default after years of CSRF attacks. npm install scripts are being disabled after years of supply chain compromise. Each change was obvious in retrospect, controversial in prospect, and overdue by the time it shipped. The question is what other obvious-in-retrospect defaults the web is still running with. WebPulse's framework analysis suggests several: WordPress's auto-update-off default, PHP's implicit type coercion, and npm's flat dependency tree that allows dependency confusion.

Share this insight