Install Scripts
The install scripts rule flags packages that include lifecycle scripts -- code that runs automatically during package installation before you have written a single line of code that uses the package.
What it detects
The rule checks for the following lifecycle scripts in a package's package.json:
| Script | When it runs |
|---|---|
preinstall | Before the package is installed |
install | During package installation |
postinstall | After the package is installed |
prepare | After the package is installed (also runs on npm pack and npm publish) |
If any version of a package defines one of these scripts, that version is flagged.
How it works
- For each version in the packument, the rule reads the
scriptsfield from the version metadata - If any of the four dangerous script names (
preinstall,install,postinstall,prepare) are present, the version is flagged - In block mode, flagged versions are stripped from the packument. In warn mode, the install proceeds normally but a warning is logged
Configuration
| Setting | Value |
|---|---|
| Default level (Free) | off |
| Default level (Pro) | warn |
| Parameters | none |
Why install scripts are dangerous
Lifecycle scripts execute with the full permissions of the user running npm install. A malicious install script can:
- Exfiltrate secrets -- Read environment variables,
.npmrctokens, SSH keys, and cloud credentials - Install backdoors -- Download and execute arbitrary binaries
- Modify files -- Overwrite source code, inject code into other packages
- Spread laterally -- Steal npm tokens and publish malicious versions of packages you maintain
The attack is especially effective because:
- Scripts run before any code review happens
- Scripts run in CI/CD pipelines with access to deployment credentials
- Developers rarely audit lifecycle scripts of transitive dependencies
Real-world examples
This rule would have caught:
- eslint-config-prettier (2025) -- Phishing attack led to a malicious version with a postinstall script executing a trojan DLL on Windows
- node-ipc (2022) -- Protestware that used an install script to detect IP addresses and overwrite the filesystem
Limitations
- Many legitimate packages use install scripts for native compilation (
node-gyp), binary downloads, or setup tasks. Setting this rule to block will prevent these packages from installing. - The rule checks the
scriptsfield as declared inpackage.json. It does not analyze what the script actually does. - The
preparescript is included because it runs during install, but it is also commonly used by legitimate packages for build steps.
Recommended setting
Warn for most teams. Install scripts are common in legitimate packages (native addons, binary packages), so blocking all of them would be disruptive. Logging them gives your security team visibility into which packages execute code during installation.
Teams with strict security requirements can set this to block and maintain an allowlist of packages with known-safe install scripts by adding those packages to their lockfile before enabling the rule.