Why NPM v12 won’t stop supply chain attacks

Why NPM v12 won’t stop supply chain attacks

From Risky Business Features by Risky Business Media

June 12, 2026 · 39 min

About this episode

The episode discusses the mitigations against supply chain attacks in NPM v12 and the challenges of adoption and effectiveness.

In this podcast episode, James Wilson is joined by Open Source Malware Security co-founder Paul McCarty to talk about the supply chain attack mitigations coming in NPM v12. NPM disabling (by default) auto-run install scripts and dynamic dependencies is a positive step forward… but it’ll take years for this new version to be adopted, and these changes do nothing to prevent malicious packages being imported into projects. Further, Paul thinks disabling these features by default will introduce friction that will cause them to be re-enabled. When the choice is “this builds” and “this is less prone to malware”, the former will always win.

People in this episode

Host: James Wilson

Guest: Paul McCarty

Topics covered

  • supply chain attacks
  • NPM v12
  • malware security
  • open source
  • software dependencies

Keywords

  • NPM
  • supply chain
  • malware
  • open source
  • security
  • dependencies
  • install scripts

Mentioned in this episode

Organizations: Open Source Malware Security

Products: NPM v12

More episodes of Risky Business Features

Explore listener stats, chart rankings, contacts and more on the Risky Business Features podcast page.