Required Reading
~5 minDangerous Behaviors
The patterns attackers use most often in npm.
Patterns
Install‑time code execution
- Lifecycle scripts (preinstall, install, postinstall, prepare) can run arbitrary code during npm i.
- child_process calls (exec, spawn, execSync) launch shell commands.
Credential/secret stealing
- Reads process.env or files like .npmrc, .ssh, .aws/credentials; exfiltrates secrets.
- Outbound to webhooks or suspicious hosts.
Crypto‑miners & payload droppers
- Downloads large binaries or decodes buffers to write executables.
- Runs via child_process; often obfuscated.
Typosquats / brandjacking
- Names mimicking popular packages; minimal README; suspicious repo.
Supply‑chain compromises
- New maintainer + obfuscation + unusual version jumps; legitimate project turned malicious.
Native add‑ons with remote binaries
- curl https://… | bash, Invoke‑WebRequest, chmod +x, ./installer from unknown hosts.
Grayware/spyware
- Phones home extensive system/CI metadata without consent; often hidden in postinstall.
Obfuscated eval & dynamic require
- eval(Function) with encoded strings, dynamic require paths, and runtime decoding.
Environment scraping
- Enumerates env vars like AWS_*, GITHUB_*, NPM_*; reads config files and user directories.