
Install scripts

Severity

Medium

Short Description

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Suggestion

Packages should not run non-essential scripts during install. The problems people solve with install scripts often have solutions that can run at publish time instead.

Information

Install scripts are executed automatically when a package is installed, making them a potential vector for security risks. While some install scripts are necessary for setting up a package, many can be avoided or replaced with safer alternatives. Overuse or misuse of install scripts can lead to significant security vulnerabilities, as they can run arbitrary code on a user’s system during installation.

Why Install Scripts are a Concern

  1. Security Risks:
    • Install scripts can execute arbitrary code, which may include malicious actions such as data theft, unauthorized access, or system compromise.
    • Attackers often hide malware in install scripts, making them a frequent target for supply chain attacks.
  2. Non-Essential Actions:
    • Non-essential scripts should not run during installation, as they can increase the attack surface and introduce unnecessary risks.
    • Many actions performed by install scripts can be deferred until publish time, reducing the need for such scripts during installation.
  3. Package Integrity:
    • Excessive use of install scripts can compromise the integrity and trustworthiness of a package.
    • Users may be less inclined to adopt packages with install scripts due to the associated risks.

Recommended actions

Packages should avoid running non-essential scripts during installation. There are often alternative solutions to the problems solved by install scripts, such as executing necessary actions at publish time instead. This reduces the attack surface and limits the risk of malicious code being executed.

Evaluate Necessity:

  • Review the install script to determine if it is necessary for the package's functionality.
  • Consider alternatives that do not require the script to run during installation.

Minimize Risk:

  • If the install script is essential, ensure it is well-audited and secure.
  • Limit the script's actions to only what is necessary, avoiding any non-essential code execution.

Notify Your Team:

  • Inform your team about the presence of install scripts and the associated risks.
  • Document any decisions made regarding the use of install scripts in your project.

Examples

Package: 100x-client (example)

  • Issue: Contains an install script that runs non-essential actions during installation.
  • Action: Evaluate the necessity of the install script and consider deferring actions to publish time.

Detection Method

Socket’s threat detection system flags packages with install scripts by analyzing the code for patterns associated with install scripts. This includes detecting the use of certain functions, file operations, and network requests that are commonly found in install scripts.
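As an added example, not Socket's own detection code, the Node.js script below reads a package.json, lists the lifecycle hooks npm runs automatically when a package is installed from the registry, and attaches heuristic reasons each one deserves review (the hook list, patterns and sample manifests are assumptions constructed for illustration).

```javascript
// Added example (not Socket's detection code): find the lifecycle scripts npm
// runs automatically on a registry install and note why each needs review.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// "prepare" also runs, but only for local and git installs, so it is left out.

// Heuristics constructed for this example: signals for a human reviewer,
// not proof of malice, and an empty list is not proof of safety.
const REVIEW_REASONS = [
  { reason: "reaches out to the network", re: /\b(curl|wget)\b|https?:\/\// },
  { reason: "evaluates inline code", re: /\bnode\s+(-e|--eval)\b/ },
  { reason: "pipes output into a shell", re: /\|\s*(sh|bash)\b/ },
  { reason: "executes a file shipped in the package (read it)", re: /\bnode\s+\S+\.[cm]?js\b/ },
];

// Returns one finding per install-time hook present in the manifest.
function auditInstallScripts(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({
      hook,
      command: scripts[hook],
      reasons: REVIEW_REASONS.filter((r) => r.re.test(scripts[hook])).map((r) => r.reason),
    }));
}

// Constructed sample manifests: one with a postinstall hook, one that does
// its work at publish time (prepublishOnly) instead, as the alert recommends.
const SAMPLE_WITH_HOOK = JSON.stringify({
  name: "example-pkg",
  scripts: {
    postinstall: "node scripts/setup.js && curl https://example.invalid/telemetry",
    build: "tsc",
  },
});
const SAMPLE_CLEAN = JSON.stringify({
  name: "clean-pkg",
  scripts: { prepublishOnly: "npm run build" },
});

for (const f of auditInstallScripts(SAMPLE_WITH_HOOK)) {
  console.log(`${f.hook}: ${f.command}`);
  for (const why of f.reasons) console.log(`  review: ${why}`);
}
console.log(`clean-pkg install hooks: ${auditInstallScripts(SAMPLE_CLEAN).length}`);
```

Run it against the package.json files under node_modules to see which dependencies get to execute code on install; `npm install --ignore-scripts` prevents those hooks from running while you review them.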
