Fellow developers, using open source dependencies in your projects brings many benefits, but it's important to be aware of the potential dangers as well. One hidden risk to watch out for is install scripts.
Install scripts are scripts that run automatically when a dependency is installed. They are used for legitimate tasks such as transpiling source code and fetching remote resources, but they can also be used to execute malicious code on your system, potentially stealing data, encrypting files for ransom, or launching other attacks.
Using install scripts is a common method for spreading malware via npm packages, so it's essential to take extra precautions to protect yourself from malicious install scripts.
Blocking Install Scripts to avoid malware
Although it's possible to disable install scripts in package managers like npm, they execute install scripts automatically by default.
Option 1 - do it manually
One way to block install scripts and avoid malware is to disable them manually by running npm install --ignore-scripts. However, this may be a challenge to enforce for an entire company or across all environments.
Option 2 - automatic enforcement for an entire company
Another option is to use a Dependency Firewall, such as Bytesafe, which allows you to quarantine unwanted open source packages with vulnerabilities or non-compliant licenses. The platform provides a policy engine where you define the open source usage and security rules and the Dependency Firewall does the enforcement.
The security policy Block Install Scripts for npm firewalls and registries blocks all npm packages with pre- and post-install scripts, allowing you to use packages with confidence knowing they have been reviewed for potential security risks.
Keep in mind, packages may depend on install scripts, so some initial review work may be required.