Sandworm scans all new Npm package versions for malicious install scripts.
Scanning since October 2024.
Follow our X / Twitter feed for updates.
@prisma/engines:
Detected: 17 Mar 2025
Affected Install Script: postinstall
Package Source: View on Npm
The script checks the version of the package and, if it is set to '0.0.0', it compiles and executes another script using execa, allowing for dynamic command execution. This can potentially be exploited to run arbitrary code if an attacker can manipulate the version in package.json or the contents of the 'build.ts' or 'localinstall.js' scripts, leading to unauthorized actions on the system.
Install script: node scripts/postinstall.js
Install script code:
const path = require('path')
const postInstallScriptPath = path.join(__dirname, '..', 'dist', 'scripts', 'postinstall.js')
const localInstallScriptPath = path.join(__dirname, '..', 'dist', 'scripts', 'localinstall.js')
try {
  // that's when we develop in the monorepo, `dist` does not exist yet
  // so we compile postinstall script and trigger it immediately after
  if (require('../package.json').version === '0.0.0') {
    const execa = require('execa')
    const buildScriptPath = path.join(__dirname, '..', 'helpers', 'build.ts')
    execa.sync('pnpm', ['tsx', buildScriptPath], {
      // for the sake of simplicity, we IGNORE_EXTERNALS in our own setup
      // ie. when the monorepo installs, the postinstall is self-contained
      env: { DEV: true, IGNORE_EXTERNALS: true },
      stdio: 'inherit',
    })
    // if enabled, it will install engine overrides into the cache dir
    execa.sync('node', [localInstallScriptPath], {
      stdio: 'inherit',
    })
  }
} catch {}
// that's the normal path, when users get this package ready/installed
require(postInstallScriptPath)
Detected: 17 Mar 2025
Affected Install Script: postinstall
Package Source: View on Npm
The code contains a mechanism to execute a script from a local path and dynamically build and run a local install script when a specific version condition is met. This presents a risk as it downloads and runs scripts that could potentially be malicious, especially in a scenario where the postinstall.js can be altered. Furthermore, if the code is run in an environment where arbitrary script execution is possible, it can lead to severe security implications, including unauthorized access to system resources or execution of harmful code.
Install script: node scripts/postinstall.js
Install script code: identical to the first entry above.
Detected: 17 Mar 2025
Affected Install Script: postinstall
Package Source: View on Npm
The code attempts to execute a post-installation script that could potentially be exploited to run arbitrary code on the user's system, particularly due to the conditional compilation of scripts and the use of execa to run commands. If the package version is '0.0.0', it dynamically compiles and runs a build script, leaving room for malicious alterations that could harm the system or extract sensitive information.
Install script: node scripts/postinstall.js
Install script code: identical to the first entry above.
Detected: 17 Mar 2025
Affected Install Script: postinstall
Package Source: View on Npm
The script executes a build process and potentially runs another script (localinstall.js) if the package version is '0.0.0'. This behavior can be dangerous because it may allow executing arbitrary code without user consent, as the script does not validate the contents of localinstall.js or provide oversight of what it is executing. If an attacker can manipulate the package, they could insert harmful commands into localinstall.js, leading to arbitrary code execution on the user's machine.
Install script: node scripts/postinstall.js
Install script code: identical to the first entry above.
Detected: 17 Mar 2025
Affected Install Script: postinstall
Package Source: View on Npm
The code attempts to execute a local installation script and rebuilds the post-installation script if the package version is '0.0.0'. This could potentially lead to executing arbitrary scripts without proper validation, allowing for malicious code to be run if an attacker can influence the content of the scripts or the package's setup process. This poses a risk of compromising the system.
Install script: node scripts/postinstall.js
Install script code: identical to the first entry above.
Detected: 14 Mar 2025
Affected Install Script: postinstall
Package Source: View on Npm
This code contains a mechanism that allows execution of an external script (localinstall.js) and potentially an arbitrary script (postinstall.js) based on the package's version. If the version is set to '0.0.0', it runs a build script which could lead to executing any code contained in that script, representing a risk of running malicious or unintended code on a user's machine.
Install script: node scripts/postinstall.js
Install script code: identical to the first entry above.
Detected: 14 Mar 2025
Affected Install Script: postinstall
Package Source: View on Npm
The script executes commands to build and run additional scripts which could potentially include arbitrary code. If a user has a malicious package, it could lead to the execution of harmful code on the user's system, endangering their environment and sensitive data.
Install script: node scripts/postinstall.js
Install script code: identical to the first entry above.
Detected: 14 Mar 2025
Affected Install Script: postinstall
Package Source: View on Npm
The code attempts to execute potentially unsafe scripts during the installation process, including a build script and a local installation script. If invoked in a development environment, it can run arbitrary commands with elevated privileges through the use of execa.sync, which could lead to executing harmful code or installing unwanted packages without user consent.
Install script: node scripts/postinstall.js
Install script code: identical to the first entry above.
Detected: 14 Mar 2025
Affected Install Script: postinstall
Package Source: View on Npm
This code executes scripts that can potentially download and run other scripts in the context of a user's environment, particularly during the installation phase of a package. It attempts to compile and execute scripts conditionally, but if these scripts are untrusted or can be modified by an attacker, it could lead to unauthorized code execution on the user's machine.
Install script: node scripts/postinstall.js
Install script code: identical to the first entry above.
Detected: 13 Mar 2025
Affected Install Script: postinstall
Package Source: View on Npm
The code executes the localinstall.js script if the package version is '0.0.0', which suggests it may only run during development. This script execution could lead to modifying local files or potentially downloading and executing malicious code without user consent. Additionally, the use of execa.sync to run commands can introduce risks if the input is not properly validated, potentially allowing for command injection vulnerabilities.
Install script: node scripts/postinstall.js
Install script code: identical to the first entry above.