my-trusted-package
my-trusted-package demonstrates the execution of npm lifecycle scripts during the various stages of the npm package lifecycle. It is designed for developers who want to understand how these lifecycle events are triggered.
This package contains the following npm lifecycle scripts:
preinstall: Triggered before the package installation begins.
"preinstall": "echo 'Trust preinstalling!' # (Running preinstall script)"
postinstall: Triggered immediately after the package is installed.
"postinstall": "echo 'Trust Installed!' # (Running postinstall script)"
preuninstall: Triggered before the package is uninstalled.
"preuninstall": "echo 'Trust preuninstalling!' # (Running preuninstall script)"
postuninstall: Triggered after the package is uninstalled.
"postuninstall": "echo 'Trust postuninstalling!' # (Running postuninstall script)"
prepare: Triggered in two scenarios: after the package is installed locally (not through the registry) and before the package is packed and published (e.g., during npm publish or npm pack).
"prepare": "echo 'Preparing Trust!' # (Running prepare script)"
npm@7 and above do not foreground output from dependency scripts, so you won't know that they've run unless you use --foreground-scripts:
npm install --foreground-scripts my-trusted-package
Monitor the console to see the execution of lifecycle scripts and verify they ran.
To ensure that installation scripts do not execute, install the package with scripts disabled using --ignore-scripts:
# foregrounding for demonstration
npm install --foreground-scripts --ignore-scripts my-trusted-package
As noted by socket.dev, install scripts are a common vector for malware distribution within the npm ecosystem. The majority of malware found in npm packages leverages these scripts, which often execute without thorough vetting by users.
Allowing install scripts to run automatically during npm installations introduces significant security risks. Install scripts execute with the same level of access as the user running the npm install command, which can lead to several severe security threats, including:
To effectively manage the security risks associated with npm install scripts, you can employ the following technical configurations:
--ignore-scripts: This command-line option prevents npm from executing any scripts defined in the package's package.json file during the installation process.
npm install some-package --ignore-scripts
.npmrc: Configure your .npmrc file to consistently prevent the execution of scripts during npm installations. This is done by adding the following line to your .npmrc file:
ignore-scripts=true
FAQs
it's all good man
The npm package my-trusted-package receives a total of 0 weekly downloads. As such, my-trusted-package popularity was classified as not popular.
We found that my-trusted-package demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.