Research
2025 Report: Destructive Malware in Open Source Packages
Destructive malware is rising across open source registries, using delays and kill switches to wipe code, break builds, and disrupt CI/CD.
By Kush Pandya - Dec 24, 2025
@hashicorp/platform-tools
Advanced tools
@hashicorp/platform-tools
A collection of tools and utilities for use throughout our projects.
@hashicorp/platform-tools
A collection of tools and utilities intended for use throughout our applications. Also includes an out-of-the-box script runner which can execute arbitrary TypeScript scripts. This is useful for writing local scripts without introducing ts-node and additional configuration. Things that might live here:
- One-off scripts needed for use across applications
- Codemods
Installation & Usage
npm install @hashicorp/platform-tools
Once installed, the runner can be used to execute a packaged script, or an arbitrary script in your current working directory. Running script without any arguments will return a list of the packaged scripts:
$ npx hc-tools
Expected a script name to be passed, available scripts:
- add-deploy-preview-script
Additional arguments beyond the script name will be passed to the executed script:
$ npx hc-tools add-deploy-preview-script waypoint
# Executes the add-deploy-preview script with the argument "waypoint"
Local scripts
hc-tools can be used to run scripts defined locally in your project, for example:
$ hc-tools ./scripts/my-script.ts
As part of this, hc-tools will also load environment variables defined in .env using the same loading strategy as Next.js.
Options
--project [path to tsconfig]- If specified, loads the tsconfig from the specified path--resolve-paths [true|false]- Controls whether or not to resolve paths based on local tsconfig settings (default:true)
Included scripts
add-deploy-preview-script
$ hc-tools add-deploy-preview-script <product>
Adds a shell script in ./scripts/website-build.sh, which is used to build deploy previews from hashicorp/dev-portal within a product repository so contributors can continue to preview their docs changes.
next-build-webpack-only
$ hc-tools next-build-webpack-only
Executes next build and short-circuits the process before static generation occurs. Helpful for more performant builds if all we care about is the compilation output (for bundle analysis, for example).
capture-build-metrics
$ hc-tools capture-build-metrics <appName>
Captures the build metrics emitted by Next during the build process and sends them to Datadog. appName should be the name of the repo.
FAQs
A collection of tools and utilities for use throughout our projects.
The npm package @hashicorp/platform-tools receives a total of 56 weekly downloads. As such, @hashicorp/platform-tools popularity was classified as not popular.
We found that @hashicorp/platform-tools demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 33 open source maintainers collaborating on the project.
Package last updated on 18 Dec 2023
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Engineering with AI Podcast: The Promise of AI-First Development
Socket CTO Ahmad Nassri shares practical AI coding techniques, tools, and team workflows, plus what still feels noisy and why shipping remains human-led.
By Sarah Gooding - Dec 24, 2025
Research
/Security News
Spearphishing Campaign Abuses npm Registry to Target U.S. and Allied Manufacturing and Healthcare Organizations
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft.
By Nicholas Anderson, Kirill Boychenko - Dec 23, 2025