install-scripts
Safeguard articles tagged "install-scripts" — guides, analysis, and best practices for software supply chain and application security.
4 articles
Lessons from the ua-parser-js Compromise: Four Hours, Eight Million Downloads a Week
A hijacked npm account turned a tiny User-Agent parser into a cryptominer and password stealer for a few hours in 2021. Here is what account takeover does at ecosystem scale.
Best Practices for npm Lockfile Security 2026
Your package-lock.json is a supply chain control, not build noise. Six habits — npm ci, script blocking, lockfile linting, provenance checks — that stop most npm attacks cold.
Mitigating npm Install Scripts Without Breaking Your Build
`--ignore-scripts` is the blunt fix that breaks node-sass and better-sqlite3. Here is the surgical version that keeps builds green and postinstalls contained.
npm Install Script Security: The Code That Runs Before Your Code
npm install scripts execute arbitrary code during package installation. They are the most exploited vector in JavaScript supply chain attacks.