Packages published on npm can declare pre- and post-install hooks, which are scripts that run, well, pre- or post-install. That is to say, when the npm CLI installs a package, it also runs those scripts on your machine.
By Gabi Dobocan.
It runs them silently, in the background. Sounds like a bad idea? It kinda is.
In practice, these scripts can be very useful for automating tasks that need to be done every time a package is installed or updated. They can help ensure that the package is installed correctly and that any necessary setup or configuration tasks are completed automatically.
The article then delves into:
- How can install scripts hurt you
- Packages can silently leak your private data
- Packages can remotely run scripts for full access to your machine and data
- Any `npm install` comes with a risk
While researching this article, it was easy to identify many packages that have declared malicious install scripts directly in their package.json manifest. However, that is a naive approach, and most malware does a much better job of hiding and obfuscating sensitive code. Around 700k package versions in the npm registry currently declare install scripts, and could thus execute code that compromises the security of your dev machine, or your CI build. More are added every day. Very interesting!