
Your npm/pip Install Just Ran Arbitrary Code — And You Didn't Notice
Every time you run npm install or pip install, you're executing code written by strangers on your machine. Not the library code. The install scripts.

npm packages can run arbitrary JavaScript during npm install via preinstall, install, and postinstall scripts. pip packages can execute setup.py during installation.

Most of the time, this is fine. Sometimes, it's not.

Real Attacks (Not Hypothetical)

- event-stream (2018): A popular npm package (2M weekly downloads) was hijacked. The new maintainer added code that stole cryptocurrency wallet keys. It ran during npm install.
- ua-parser-js (2021): 7M weekly downloads. Compromised to install crypto miners and credential stealers.
- ctx + phpass (2022): Python packages on PyPI modified to steal environment variables (including AWS keys) and send them to a remote server.
- @faker-js/faker (2022): The maintainer intentionally sabotaged the package, printing "LIBERTY LIBERTY LIBERTY" in an infinite loop.

These aren't edge cases. Supply chain attac
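A practical first check is simply knowing which of your dependencies declare install-time hooks at all. The following script is an added example, not code from the original article: it audits package.json manifests for the npm lifecycle hooks the article names (preinstall, install, postinstall) plus prepare, which npm also runs when installing git dependencies, and can walk a real node_modules tree. The sample manifests and package names in it are constructed for illustration.

```python
"""Audit npm package manifests for hooks that execute code during `npm install`.

Added example, not part of the original article. Sample manifests below are
constructed; package names are hypothetical.
"""
import json
import os

# Lifecycle hooks npm runs on the consumer's machine at install time.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def install_hooks(manifest):
    """Return {hook: command} for every install-time hook a package.json dict declares."""
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def audit_manifests(manifests):
    """manifests: {label: package.json dict}.

    Returns {label: {hook: command}} only for packages that would run code on install.
    """
    findings = {}
    for label, manifest in manifests.items():
        hooks = install_hooks(manifest)
        if hooks:
            findings[label] = hooks
    return findings


def audit_node_modules(root):
    """Walk a real node_modules tree (nested dependencies included) and audit every package.json."""
    manifests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as f:
                manifests[os.path.relpath(dirpath, root)] = json.load(f)
        except (OSError, ValueError):
            # Unreadable or malformed manifest: skip rather than abort the audit.
            continue
    return audit_manifests(manifests)


# Constructed sample manifests (hypothetical packages) standing in for node_modules/*/package.json.
SAMPLE_MANIFESTS = {
    "plain-lib": {"name": "plain-lib", "scripts": {"test": "jest"}},
    "native-addon": {"name": "native-addon", "scripts": {"install": "node-gyp rebuild"}},
    "opaque-pkg": {"name": "opaque-pkg", "scripts": {"postinstall": "node scripts/postinstall.js"}},
    "no-scripts": {"name": "no-scripts"},
}


if __name__ == "__main__":
    # Use SAMPLE_MANIFESTS unless a real node_modules path is given on the command line.
    import sys

    findings = audit_node_modules(sys.argv[1]) if len(sys.argv) > 1 else audit_manifests(SAMPLE_MANIFESTS)
    for label, hooks in sorted(findings.items()):
        for hook, command in hooks.items():
            print(f"{label}: {hook} -> {command}")
    if findings:
        print(f"{len(findings)} package(s) run code on install; review each command before trusting it.")
```

Every hit deserves a look, even a legitimate `node-gyp rebuild`: a hook that runs a script file hidden inside the tarball is exactly what the attacks above used. To stop hooks from running at all, npm supports `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc), and pip can be told to refuse source distributions, and hence setup.py execution, with `pip install --only-binary=:all:`.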
Continue reading on Dev.to Webdev