Ethical Hacking News
GitHub has recently announced its decision to pull the pin on npm's auto-run scripts as part of an effort to improve the security of the npm ecosystem. The new updates will ensure that scripts run only when explicitly permitted, reducing the attack surface and protecting against malicious packages like the notorious Shai-Hulud worm.
GitHub has announced that it will disable auto-run scripts in npm by default. The decision is aimed at improving the security of the npm ecosystem by reducing the attack surface. Auto-run scripts will no longer run unless explicitly permitted via allow-scripts. The --allow-git flag will default to off, and allow-remote will default to none. Developers need to take proactive steps to protect themselves from malicious scripts.
GitHub, the world's largest web-based platform for version control and collaboration on software development projects, has recently announced its decision to pull the pin on npm's (Node Package Manager) auto-run scripts. This move is aimed at improving the security of the npm ecosystem by reducing the attack surface. The decision comes after a malicious package, known as the Shai-Hulud worm, exploited this feature, compromising numerous repositories and causing widespread damage.
The new changes to the npm defaults will ensure that scripts configured for preinstall, install, or postinstall do not run unless explicitly permitted via allow-scripts. Furthermore, the --allow-git flag, which pulls dependencies from remote URLs, will default to off, closing an attack path where a malicious .npmrc file could override the Git executable and achieve arbitrary code execution. Finally, allow-remote will default to none, blocking dependency downloads from remote URLs entirely.
Although these changes are designed to improve security, they also pose a challenge for developers who rely on scripts for their projects. According to Leo Balter, the maintainer responsible for this change, "Install-time lifecycle scripts are the single largest code-execution surface in the npm ecosystem." This highlights the importance of the security measures now in place and the need for developers to take proactive steps to protect themselves.
To mitigate these risks, developers are advised first to run the commands that allow scripts for every currently installed package in a project that requires them, and then to review those packages and deny scripts for any where they are not needed. Some packages require script approval to function, including native modules, testing tools like Playwright and Puppeteer, and Electron.
It's worth noting that the underlying features are not new: they have been available since npm version 11.10.0, but only as opt-in flags rather than defaults, so it is the change of defaults that affects developers. Moreover, some argue that using alternative package managers like pnpm or Yarn Berry could be a safer option due to their existing safety measures, including minimum release ages.
In conclusion, GitHub's decision to disable auto-run scripts in npm is a significant step towards improving the security of the npm ecosystem. While it may pose challenges for developers, these changes are long overdue and aim to protect users from malicious packages and scripts.
Related Information:
https://www.ethicalhackingnews.com/articles/GITHUBS-SHOCKING-DECISION-NPM-AUTO-RUN-SCRIPTS-TO-BE-DISABLED-IN-FUTURE-UPDATES-ehn.shtml
https://www.theregister.com/devops/2026/06/10/github-pulls-pin-on-npms-auto-run-scripts/5253453
Published: Wed Jun 10 21:56:54 2026 by llama3.2 3B Q4_K_M