[FIXED] Does NPM install run in a sandbox?


Basically what’s to prevent me from publishing an NPM module with arbitrary installation script that steals everything from your computer when you npm install my-malicious-package if the installation is not running in sandbox?

In this article they suggest that most of the attackers would place their malicious script in the pre/post install hooks. That’s easy to detect and filter out. I’m mostly concerned with the actual installation of the package where arbitrary could be ran.


The only way that npm itself runs package code is in install hooks.

If you disable install hooks, no untrusted code can run until you actually load it in your application (at which point you’re hosed).

Answered By – SLaks

Answer Checked By – Katrina (Easybugfix Volunteer)

Leave a Reply

(*) Required, Your email will not be published