ctipilot.ch

npm v12 disables install lifecycle scripts by default (July 2026)

incident · policy:npm-v12-install-scripts-default-off-2026

  • Coverage timeline: 1 (first 2026-06-12 → last 2026-06-12)
  • Briefs: 1 (1 distinct)
  • Sources cited: 9 (9 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-06-12 · CTI Daily Brief — 2026-06-12
    research · First coverage. Structural response to Shai-Hulud/IronWorm/TeamPCP wave; npm approve-scripts opt-in; CI/CD audit action.

Where this entity is cited

  • research (1)

Source distribution

  • aoshearman.com · 1 (11%)
  • bleepingcomputer.com · 1 (11%)
  • github.blog · 1 (11%)
  • heise.de · 1 (11%)
  • luther-lawfirm.com · 1 (11%)
  • mofo.com · 1 (11%)
  • msrc.microsoft.com · 1 (11%)
  • thehackernews.com · 1 (11%)
  • other · 1 (11%)

Related entities

All cited sources (9)

Items in briefs about "npm v12 disables install lifecycle scripts by default (July 2026)" (4)

npm v12 will disable install scripts by default — audit CI/CD pipelines before July

From CTI Daily Brief — 2026-06-12 · published 2026-06-12

GitHub announced that npm v12 (expected July 2026) disables dependency lifecycle scripts (preinstall/install/postinstall, including the implicit node-gyp build that npm runs for packages shipping a binding.gyp) by default, requires npm approve-scripts for explicit opt-in, and blocks Git/remote-URL dependencies without --allow-git/--allow-remote (GitHub Changelog, 2026-06-09). This is a structural response to the install-script abuse that powered this spring's npm worm wave (Shai-Hulud/Miasma, IronWorm, TeamPCP — coverage 2026-06-06 through 2026-06-10) and brings npm in line with other package managers that already block install scripts by default (BleepingComputer, 2026-06-11). The deprecation warnings are live today in npm ≥ 11.16.0. Defender takeaway: this is a breaking change with a security upside — run npm install under npm 11.16.0 or later now to enumerate the deprecation warnings, build the script allow-list before v12 ships, and treat any pipeline that must keep scripts enabled wholesale as a finding.

UPDATE: Nightmare Eclipse / Chaotic Eclipse — Microsoft's Digital Crimes Unit threatens criminal action; GreenPlasma and MiniPlasma (`cldflt.sys` SYSTEM escalation) remain unpatched; researcher announces July 14 drop

From CTI Daily Brief — 2026-05-30 · published 2026-05-30

UPDATE (originally covered 2026-W21): Microsoft's Digital Crimes Unit issued a formal public statement on 28–29 May 2026 calling uncoordinated zero-day releases "never justifiable" and warning its DCU would "continue bringing cases against these actors and those that enable their criminal activity" (The Record, 2026-05-29). The pseudonymous researcher Nightmare Eclipse / Chaotic Eclipse responded by threatening a new vulnerability release on 14 July 2026 (the next Patch Tuesday).

Of the six Windows vulnerabilities the researcher has released since early April: BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091) are patched and saw confirmed in-the-wild exploitation following PoC publication. YellowKey (CVE-2026-45585 — BitLocker bypass via Windows Recovery Environment, requiring physical access), GreenPlasma (LPE class), and MiniPlasma remain unpatched as of 30 May 2026. MiniPlasma specifically abuses the Windows Cloud Files Mini Filter Driver (cldflt.sys) to achieve a SYSTEM shell from a standard user session on fully-patched Windows 11; the root cause is assessed as an incomplete remediation of CVE-2020-17103 (no CVE yet assigned to MiniPlasma itself).

The July 14 release deadline should be treated as a hard date for resolving any outstanding Windows LPE chain gaps. Defenders on Windows 11 estates should monitor for cldflt.sys-related anomalies and consider AppLocker/WDAC policies blocking unsigned executables from low-privileged user sessions while patches are pending. Next Patch Tuesday: 10 June 2026.

KRITIS-DachG — German registration deadline 17 July 2026 is now 61 days out

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

The KRITIS-DachG (Kritis-Dachgesetz, Germany's critical-infrastructure umbrella act) entered into force; the initial registration deadline of 17 July 2026 is now 61 days away. Operators of critical facilities in scope — including public-administration entities operating infrastructure in the sectors of energy, transport, finance, IT/telecommunications, space-ground infrastructure, and public administration — must register with the Federal Office of Civil Protection and Disaster Assistance (BBK) via an electronic platform jointly operated with the BSI. Registration requires operator name, legal form, commercial register number, address including public IP ranges, sector / industry classification, and critical-facility contact details. Violations constitute an administrative offence punishable by fines up to EUR 500,000. Public-sector IT departments in Germany should verify whether their IT and OT infrastructure qualifies as a "critical facility" under the KRITIS-DachG sector thresholds, register before 17 July 2026 or within three months of later qualification, and identify which services they must report under the act's disruption-reporting obligations to BBK / BSI (24-hour initial notification, 72-hour detailed report). Swiss federal entities with German subsidiaries or cross-border infrastructure should verify German subsidiary obligations (Luther Lawfirm; A&O Shearman).

Germany KRITIS-DachG in force — public administration first time in critical-infrastructure scope; registration deadline 17 July 2026

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Germany's KRITIS-DachG (Act to Strengthen Physical Resilience of Critical Installations), implementing EU CER Directive 2022/2557, entered into force in late March 2026 following Bundesrat approval on 6 March 2026 (Luther Lawfirm, 2026-04-10 · Morrison Foerster European Digital Compliance, 2026-05-01). The Act establishes the first cross-sectoral physical and organisational resilience framework covering energy, transport, healthcare, water, finance, and — for the first time — municipal waste disposal and aspects of public administration. Registration deadline 17 July 2026 (or within three months of later qualification). Post-registration obligations cascade over nine–ten months: risk assessments every four years covering natural / technical / sabotage / cross-border scenarios, resilience plans, and 24-hour incident reporting to a joint BSI/BBK reporting point. Fines for non-compliance: up to €100,000 for registration/cooperation failures; up to €1,000,000 for concealing non-registration status; up to €200,000 for missing resilience evidence or plan. Key ambiguity: the BMI implementing ordinance defining which specific services and installations qualify as "critical" is not yet published, leaving scope uncertain for borderline operators. What defenders need to do differently: German public-sector and critical-sector organisations need to self-assess KRITIS-DachG applicability before 17 July; ISG-style 24-hour reporting obligation now applies to physical as well as cyber incidents; Swiss entities with German subsidiaries operating in scope sectors are directly affected. Cross-references NIS2 and BSI Act obligations — the three frameworks overlap operationally and require coordinated incident-response runbook design.