
Sandworm scans all new Npm package versions for malicious install scripts.
Scanning since October 2024.
Follow our X / Twitter feed for updates.

@prisma/engines

โ†—๏ธ View on Npm

Detected: 2 Apr 2025
Affected Install Script: postinstall
Package Source: View on Npm

The code executes a post-installation script that can dynamically compile and execute code, specifically from a build script, potentially leading to the execution of unverified code. This could allow attackers to inject malicious code into the build process, which might lead to unauthorized access to sensitive information or system resources. Additionally, it may install a local script without proper validation, increasing the risks of running harmful operations.

Install script:
node scripts/postinstall.js
Install script code:
const path = require('path')

const postInstallScriptPath = path.join(__dirname, '..', 'dist', 'scripts', 'postinstall.js')
const localInstallScriptPath = path.join(__dirname, '..', 'dist', 'scripts', 'localinstall.js')

try {
  // that's when we develop in the monorepo, `dist` does not exist yet
  // so we compile postinstall script and trigger it immediately after
  if (require('../package.json').version === '0.0.0') {
    const execa = require('execa')
    const buildScriptPath = path.join(__dirname, '..', 'helpers', 'build.ts')

    execa.sync('pnpm', ['tsx', buildScriptPath], {
      // for the sake of simplicity, we IGNORE_EXTERNALS in our own setup
      // ie. when the monorepo installs, the postinstall is self-contained
      env: { DEV: true, IGNORE_EXTERNALS: true },
      stdio: 'inherit',
    })

    // if enabled, it will install engine overrides into the cache dir
    execa.sync('node', [localInstallScriptPath], {
      stdio: 'inherit',
    })
  }
} catch {}

// that's the normal path, when users get this package ready/installed
require(postInstallScriptPath)

Detected: 28 Mar 2025
Affected Install Script: postinstall
Package Source: View on Npm

The code attempts to execute scripts potentially downloaded or extracted from a package repository, which can lead to executing arbitrary code. It uses execa.sync to run external commands, which could be manipulated to run harmful scripts, especially if there's an exploitation opportunity in the version check or if a malicious actor can alter the package source. This could compromise the system by allowing for the execution of malicious commands.

Install script:
node scripts/postinstall.js

Detected: 28 Mar 2025
Affected Install Script: postinstall
Package Source: View on Npm

This code executes scripts based on the version of the package. It compiles and runs a build script and also executes a local install script that could potentially modify the system or install arbitrary code without proper validation. This behavior can lead to the execution of malicious code if the postinstall.js or localinstall.js scripts are compromised.

Install script:
node scripts/postinstall.js

Detected: 28 Mar 2025
Affected Install Script: postinstall
Package Source: View on Npm

The code includes a section that executes local scripts and builds the postinstall script dynamically during installation, which could pose security risks if the sources of these scripts are untrusted or compromised. It allows arbitrary code execution remotely, enabling an attacker to run malicious code on the user's system.

Install script:
node scripts/postinstall.js

Detected: 27 Mar 2025
Affected Install Script: postinstall
Package Source: View on Npm

The code attempts to execute a build script (build.ts) and a local installation script (localinstall.js) conditionally based on the package version being '0.0.0'. If the post-installation script is executed without proper validation, it may lead to executing arbitrary code or scripts which could contain harmful operations, potentially leading to system compromise. Additionally, the use of execa.sync allows for command execution that could be manipulated to run malicious commands if an attacker gains control over the script paths or content.

Install script:
node scripts/postinstall.js

Detected: 27 Mar 2025
Affected Install Script: postinstall
Package Source: View on Npm

The code dynamically executes scripts during installation, including a local script that could potentially alter the installation process or perform harmful actions if improperly coded or maliciously crafted. This makes it dangerous as it can be leveraged to execute unauthorized commands or manipulate the environment.

Install script:
node scripts/postinstall.js

Detected: 24 Mar 2025
Affected Install Script: postinstall
Package Source: View on Npm

The code executes scripts (postinstall.js and localinstall.js) after checking the package version. If the version is '0.0.0', it builds a script and runs it, potentially allowing unvalidated code execution, which could lead to the installation of malicious scripts or exploitation of the system. This behavior can be exploited to run arbitrary code, posing a significant security risk.

Install script:
node scripts/postinstall.js

Detected: 24 Mar 2025
Affected Install Script: postinstall
Package Source: View on Npm

The code attempts to execute a post-installation script that can potentially install other scripts or perform actions using Node.js commands. It specifically runs potentially arbitrary build scripts and installations based on the package's version, which could be manipulated to execute malicious code. This opens an avenue for remote code execution if an attacker can influence the version check or the contents of the scripts being executed.

Install script:
node scripts/postinstall.js

Detected: 24 Mar 2025
Affected Install Script: postinstall
Package Source: View on Npm

The script attempts to run a build process and an installation script potentially without user consent, especially when the package version is '0.0.0'. This suggests it is used during development, but if exploited, it can lead to running arbitrary code on the user's system under the guise of a legitimate process. Furthermore, the script imports and executes another script without any validation, increasing the risk of execution of malicious code.

Install script:
node scripts/postinstall.js

Detected: 24 Mar 2025
Affected Install Script: postinstall
Package Source: View on Npm

The code executes a post-install script from a specified path, and it also includes a section that can compile and run a build script under certain conditions. The use of execa.sync to run external commands without proper validation or security measures can expose the system to arbitrary code execution if the inputs are manipulated or if the scripts being run are compromised. This can potentially allow an attacker to execute malicious code on the user's machine.

Install script:
node scripts/postinstall.js