
Mitigating Postinstall Attacks like the Shai‐Hulud Worm

Kris Kowal edited this page Sep 17, 2025 · 12 revisions

Notes:

  • Shai-Hulud worm write-ups: reversinglabs.com, socket.dev.

  • Mitigation of install script attacks in general: nodejs-security.com, blog.npmjs.org.

  • npm ci and yarn install --frozen-lockfile are generally safe: they install exactly the versions recorded in the lockfile and fail rather than resolve anything new, so a freshly published malicious version cannot be pulled in. They still run the install scripts of the packages already in the lockfile.

  • npm install --ignore-scripts and yarn install --ignore-scripts are generally safe, since no package lifecycle scripts run at all.

  • npm config set ignore-scripts true --global will protect npm install in general, but it also blocks the lifecycle scripts of your own project, so read on to learn about LavaMoat allow-scripts.

  • For yarn, add {"enableScripts": false} to your project’s .yarnrc.yml to disable install scripts: https://yarnpkg.com/configuration/yarnrc#enableScripts

  • yarn and yarn install are not safe if you have introduced any new dependencies in package.json anywhere in your project, because those new dependencies can force other dependencies to upgrade.

  • The LavaMoat allow-scripts tool significantly limits an attacker’s ability to execute arbitrary code with all of your user’s rights when you run npm install or yarn. The workflow for setting up LavaMoat includes the npm configuration above plus a mechanism to allow specific scripts.

  • If you publish npm packages, make sure you have MFA set up: https://docs.npmjs.com/configuring-two-factor-authentication. This does not prevent an attacker from running arbitrary code and moving laterally throughout your system and connected devices, but it does prevent them from using your credentials to publish packages and spread a worm.

  • pnpm, from version 10, is the only package manager that does not run postinstall scripts by default: https://en.kelen.cc/share/pnpm-v10-update-highlights

  • Do not use yarn version 3. Check with yarn --version. Note that the yarn version may depend on the packageManager field in your package.json; add "packageManager": "[email protected]", for example. See https://github.com/yarnpkg/berry/issues/6258

  • ignore-scripts in Yarn classic configuration (.yarnrc): https://classic.yarnpkg.com/lang/en/docs/cli/config/ (DETAILS NEEDED)


At this point we should question the correctness of a package that relies on postinstall to prepare binary dependencies. It is now possible, with conditional dependencies, to create packages with precompiled binaries for all supported architectures and platforms. If you have a dependency that you need and that does not do this, it would be fair to file an issue and cite this article:

https://sentry.engineering/blog/publishing-binaries-on-npm

And the ample evidence provided by esbuild in particular that this is possible:

https://www.npmjs.com/search?q=esbuild-
