Critical severity · Curated advisory

npm postinstall script abuse in AI coding environments

Malicious npm packages use postinstall scripts to execute arbitrary code during installation. In AI coding environments, these scripts can modify agent configuration, install backdoor MCP servers, or exfiltrate project secrets — all before the developer reviews the package.

Affected surfaces: npm postinstall scripts, package.json dependencies, agent configuration files, project .env files
The attack

What happens

An attacker publishes a malicious npm package (or compromises a popular one) that declares a lifecycle script in its package.json; postinstall is the usual choice, but npm also runs preinstall and install hooks automatically. When the package is installed, often as a transitive dependency that never appears in the developer's own package.json, the script runs with the user's permissions before anyone has looked at the package's code.

Step by step

How the attack unfolds

1. The attacker publishes a package with a helpful name close to a popular package (typosquatting) or adds a malicious postinstall to an existing package, for example through a compromised maintainer account.
2. The package is installed directly or as a transitive dependency during npm install; a transitive dependency brings its scripts along even though it is not listed in the project's package.json.
3. npm runs the postinstall script defined in the package's package.json automatically, unless lifecycle scripts have been disabled with the ignore-scripts setting.
4. The script reads .env files, sends secrets to an external server, or modifies the agent's configuration to trust a backdoor MCP server.
5. The attack persists after the package is removed or reinstalled: the modified agent configuration file, or the added MCP server entry, stays in place because it lives outside node_modules.
Example

What it looks like in practice

Scenario

A developer runs npm install to add a charting library. A transitive dependency called "chart-utils" includes a postinstall script that reads the project’s .env file and sends its contents to an attacker server. The developer never sees the script: npm runs it during the install with no prompt, and chart-utils never appears in the project’s own package.json. The next day, the team’s API keys are used from an unfamiliar IP address.

Detection

How Guard catches this

Guard pauses any npm install that includes a postinstall script, showing the script contents for review.
Guard detects reads of .env, .npmrc, .aws/credentials, and other secret-bearing files during install.
Guard Cloud cross-references package names against known-malicious packages reported by security advisories.
Mitigation

How to stop it

Recommended action

Use Guard to pause package installs that include postinstall scripts, and review the script contents before allowing execution. Pin dependencies to known-good versions and commit a lockfile; install with npm ci, which fails rather than silently resolving a version the lockfile does not pin. Where the project allows it, set ignore-scripts=true in the project's .npmrc (or run npm install --ignore-scripts) so no install script runs by default, then run the scripts of the few packages that genuinely need them, typically native add-ons, explicitly with npm rebuild <package>. Pinning blocks a surprise upgrade to a newly compromised release; it does not vet the version already pinned, so the review step still matters.

Guard configuration
Enable "Postinstall script review" to pause installs that include scripts and show their contents.
Enable "Secret file detection" to block reads of .env, .npmrc, and credentials files during installs.
Enable "Config file change detection" to alert when agent configuration files are modified during an install.