GitHub has announced that npm v12, expected next month, will introduce several security-focused changes aimed at blocking supply-chain attacks that abuse behaviors triggered by the 'npm install' command.
“These npm attacks are targeting the pre-install phase of software dependencies, so typical software supply chain security methods of code scanning cannot address these types of attacks,” Marks said.