Risky Business Features Podcast
June 12, 2026
Why NPM v12 won’t stop supply chain attacks
Presented by
James Wilson
Technology Editor
In this podcast episode, James Wilson is joined by Open Source Malware Security co-founder Paul McCarty to talk about the supply chain attack mitigations coming in NPM v12.
NPM disabling (by default) auto-run install scripts and dynamic dependencies is a positive step forward… but it’ll take years for this new version to be adopted, and these changes do nothing to prevent malicious packages being imported into projects.
Further, Paul thinks disabling these features by default will introduce friction that will cause them to be re-enabled. When the choice is “this builds” and “this is less prone to malware”, the former will always win.
Why NPM v12 won’t stop supply chain attacks
0:00 /
38:32
