When installing dependencies, some package managers will automatically execute scripts distributed along with the source code of packages. Post-install scripts, for example, are a common way to execute malicious code at install time whenever a package is compromised.

Why is this an issue?

When package managers execute installation scripts, they run arbitrary code distributed with third-party packages. A compromised package can use this mechanism to execute malicious code on the build system, potentially stealing credentials, injecting backdoors, or otherwise compromising the supply chain.

What is the potential impact?

If a dependency is compromised and its scripts are executed, an attacker can run arbitrary code with the permissions of the process performing the installation. This can lead to credential theft from the build environment, introduction of backdoors into the application, or lateral movement within CI/CD infrastructure.

How to fix it in npm

Code examples

Noncompliant code example

steps:
  - run: npm install  # Noncompliant

Compliant solution

steps:
  - run: npm install --ignore-scripts

How to fix it in Yarn

Code examples

Noncompliant code example

steps:
  - run: yarn install  # Noncompliant

Compliant solution

steps:
  - run: |
      # Use the command that matches the Yarn version in use.
      # Yarn 1.x (classic):
      yarn install --ignore-scripts
      # Yarn 2.x and later (Berry): scripts are controlled by the enableScripts setting
      YARN_ENABLE_SCRIPTS=false yarn install

How to fix it in PNPM

In versions prior to v10, pnpm runs lifecycle scripts by default. Starting from pnpm v10, lifecycle scripts are blocked by default, making pnpm install safe without additional flags. Adding packages to onlyBuiltDependencies in pnpm-workspace.yaml explicitly opts them in to script execution and should be avoided for unaudited packages.

Code examples

Noncompliant code example

steps:
  - run: pnpm install  # Noncompliant (pnpm < v10)

Compliant solution

steps:
  - run: pnpm install --ignore-scripts

How to fix it in Bun

Bun blocks lifecycle scripts by default for most packages (opt-in model), but still executes them for a built-in list of popular npm packages.

Code examples

Noncompliant code example

steps:
  - run: bun install  # Noncompliant

Compliant solution

steps:
  - run: bun install --ignore-scripts
