When installing dependencies, some package managers will automatically execute scripts distributed along with the source code of packages. Post-install scripts, for example, are a common way to execute malicious code at install time whenever a package is compromised.
When package managers execute installation scripts, they run arbitrary code distributed with third-party packages. A compromised package can use this mechanism to execute malicious code on the build system, potentially stealing credentials, injecting backdoors, or otherwise compromising the supply chain.
If a dependency is compromised and its scripts are executed, an attacker can run arbitrary code with the permissions of the process performing the installation. This can lead to credential theft from the build environment, introduction of backdoors into the application, or lateral movement within CI/CD infrastructure.
FROM node:latest RUN npm install # Noncompliant
FROM node:latest RUN npm install --ignore-scripts
FROM node:latest RUN yarn install # Noncompliant
FROM node:latest RUN yarn install --ignore-scripts # for yarn 2.x and later RUN YARN_ENABLE_SCRIPTS=false yarn install
In versions prior to v10, pnpm runs lifecycle scripts by default. Starting from pnpm v10, lifecycle scripts are blocked by default,
making pnpm install safe without additional flags. Adding packages to onlyBuiltDependencies in
pnpm-workspace.yaml explicitly opts them in to script execution and should be avoided for unaudited packages.
FROM node:latest # pnpm < v10: scripts run by default RUN pnpm install # Noncompliant
FROM node:latest RUN pnpm install --ignore-scripts
Bun blocks lifecycle scripts by default for most packages (opt-in model), but still executes them for a built-in list of popular npm packages.
FROM node:latest RUN bun install # Noncompliant
FROM node:latest RUN bun install --ignore-scripts