Severity
High
Description
Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
Suggestion
Packages should not run non-essential scripts during install. Many of the problems that people solve with install scripts can instead be solved at publish time, so the work is done once by the publisher rather than on every user's machine.
Packages with this alert
Loads environment variables from .env file
Loads environment variables from .env file
Lib providing cryptographic functions
An npm package demonstrating how packages can steal your data (but not actually doing so!)
siq client-side infrastructure