‼️ npm v12 is about to disrupt 53% of the malicious npm packages we analyzed from the past year ‼️
Starting July 2026, npm will block by default:
❌ Lifecycle scripts (preinstall, postinstall, etc.) during installation
❌ Git-based dependency resolution during installation
❌ Remote URL dependency resolution during installation
These techniques were abused in SSC malware campaigns including Shai-Hulud, easy-day-js, and PhantomRaven, affecting hundreds of packages and reaching millions of downloads.
This is one of the biggest security changes to the npm ecosystem in years, so get ready to update.
Where attackers may pivot next, and the full impact of these changes: jfrog.com/blog/npm-v12-from-…
Finally, it's here. allowScripts defaults to off: npm install will no longer execute preinstall, install, or postinstall scripts from dependencies unless they are explicitly allowed in your project. This includes native node-gyp builds (i.e., a package with a binding.gyp and no explicit install script still gets blocked, because npm runs an implicit node-gyp rebuild for it). prepare scripts from git, file, and link dependencies are blocked the same way. To see what would be blocked, run npm approve-scripts --allow-scripts-pending. Then allow the packages you trust with npm approve-scripts and block the rest with npm deny-scripts. The resulting allowlist is written to package.json and should be committed. If your install routine runs scripts, you can observe warnings in npm 11.16.0.
npm v12 is coming in July 2026, and it's a big one for supply chain security. npm install will no longer auto-run by default:
→ Lifecycle scripts (preinstall/install/postinstall)
→ Git dependencies
→ Remote URL tarballs
github.blog/changelog/2026-0…
Tip 1: turn off install scripts
Add this to your .npmrc:
ignore-scripts=true
preinstall and postinstall are exactly how the 2025 npm worms (Shai-Hulud) stole tokens and spread themselves. No scripts means a malicious dep can't execute at install time.
Debian actually has an initiative to slowly remove postinstall and preinstall scripts from their packages, and later from dpkg. I don't think they're very sure about actually doing this; the wiki feels kinda undecided about it.
More DPRK packages, clearly targeting developers by package name. What's interesting here is the dropper isn't in index.js like the others. This one pulls from a gist, and inside that gist is the same dropper I've mentioned in other posts. They then pull in the malicious package as a require. So the other packages don't appear malicious on their own, they're doing normal things and just pulling in the malicious one. This is interesting. This is something I think is expected as the crackdown on lifecycle hooks begins with npm v12. With allowScripts defaulting off, preinstall/postinstall won't fire on their own anymore, so it makes sense to move execution into the require chain instead. One malicious package, then require it in the others. It runs when the code actually gets used instead of at install. Worth watching if this becomes the usual pattern once v12 ships in July.
Five more packages appear tied to the same DPRK loader/RAT cluster, with possible Famous Chollima overlap based on VT community reporting for the shared C2 IP. Same obfuscated JS, C2 IP, /api/service/ fetch, 0001.dat drop, and Node execution path. Packages below.
We simply refurbish old PCs and preinstall StartOS DIY on them. Parman goes many extra steps by creating his own StartOS alternative. Respect.
Replying to @JackmoveJohnny
Xbox has all the metrics and has been shaking the pennies out of Xbox trying to keep it alive. If Game Pass were failing, they would've already cut it instead of doubling down. You can already preinstall Fable and Gears with Game Pass.
What's that got to do with the fact you can preinstall on Xbox? I don't give a shit about PC.
npm v12 kills auto-run install scripts by default. Shai-Hulud worm abused preinstall hooks to infect devs. Now npm install no longer runs strangers' code silently, explicit approval required from July. Audit your pipelines before it bites prod. 🐛 #DevOps theregister.com/devops/2026/…
Jun 15
Replying to @matteocollina
Maybe just learn how to program software and a decent ecosystem instead of this dunghill you call node and npm, with its crappy node_modules shit where there are quadrillion packages for the most basic functions and shitware that runs preinstall hooks on package restore/install maybe?
Eyes up, gordos
Arch: There's an ongoing large-scale attack on the Arch Linux AUR right now (called "Atomic Arch"). Attackers are mass-adopting orphaned packages and injecting malicious post-install hooks. This is not isolated — hundreds of packages have already been compromised.
How the attack works:
1. They take over abandoned/orphaned AUR packages
2. They add a 'post_install()' hook (either in the PKGBUILD or a separate '.install' file)
3. The hook runs either:
- 'npm install atomic-lockfile minimist ...' (first wave)
- or 'bun add minimist nextfile-js' / 'js-digest' (current wave)
'minimist' is a real package being used as camouflage. The real malicious packages ('atomic-lockfile', 'nextfile-js', 'js-digest', 'lockfile-js') contain malicious 'preinstall'/'postinstall' scripts.
Once installed, they deploy a credential stealer that targets:
- Browser data
- SSH keys
- GitHub tokens
- etc.
On systems where the package was installed as root, it can also drop an eBPF rootkit to hide its presence.
What you should do right now:
- Do NOT install or update AUR packages without manually reviewing the full 'PKGBUILD' and any '.install' files
- Be very suspicious of packages that were recently adopted after being orphaned
- If you installed anything from the AUR after ~June 11, audit your system
There are already community detection scripts for this campaign. Search for "atomic-lockfile" or "nextfile-js" detection.
Replying to @aglaeao
I THOUGHT IT WAS STILL NEXT WEEK 😭 ON MY WAY TO PREINSTALL
Replying to @lycaoen
YESSS BB LET'S PREINSTALL! 🤤🤤🤤
Replying to @aglaeao
HUH, SERIOUSLY? I HAVEN'T PREINSTALLED YET, DAMN 😭😭😭😭😭😭😭😭😭😭😭