When installing dependencies, package managers like npm will automatically execute shell scripts distributed along with the source code of those dependencies. Lifecycle scripts such as postinstall, for example, are a common way to execute malicious code at install time whenever a package is compromised.

Ask Yourself Whether

There is a risk if you answered no to the question.

Recommended Secure Coding Practices

Execution of third-party scripts should be disabled unless it is strictly necessary for the dependencies to work correctly. Doing this reduces the attack surface and blocks a well-known supply chain attack vector.

Sensitive Code Example

FROM node:latest

# Sensitive: lifecycle scripts of every installed dependency run at build time
RUN npm install

FROM node:latest

# Sensitive: yarn also runs dependency lifecycle scripts by default
RUN yarn install

Compliant Solution

FROM node:latest

# --ignore-scripts installs the packages without running their lifecycle scripts
RUN npm install --ignore-scripts

FROM node:latest

RUN yarn install --ignore-scripts
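To check existing Dockerfiles for this pattern, the following added helper (example code, not part of the rule or of any analyzer) lists RUN instructions that invoke npm or yarn install without --ignore-scripts. It joins backslash-continued lines and inspects each &&-chained command separately; the sample Dockerfile it scans is constructed inline, and it deliberately does not consider exec-form RUN instructions or an ignore-scripts setting in .npmrc.

```shell
#!/bin/sh
# Added example: audit a Dockerfile for npm/yarn installs that leave
# dependency lifecycle scripts enabled (no --ignore-scripts flag).

# Print "lineno: command" for each sensitive install found in the file given as $1.
find_script_enabled_installs() {
  awk '
    # Glue backslash-continued lines so flags on a later line are visible.
    /\\$/ { buf = buf substr($0, 1, length($0) - 1) " "; next }
    {
      line = buf $0; buf = ""
      if (line !~ /^[ \t]*RUN[ \t]/) next          # only RUN instructions matter
      sub(/^[ \t]*RUN[ \t]+/, "", line)
      n = split(line, cmd, /&&|\|\||;/)             # inspect each chained command
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", cmd[i])
        if (cmd[i] ~ /(npm|yarn)[ \t]+(install|ci|i)([ \t]|$)/ &&
            cmd[i] !~ /--ignore-scripts/)
          print NR ": " cmd[i]
      }
    }' "$1"
}

# Return 0 when no sensitive install is present, 1 otherwise.
dockerfile_is_compliant() {
  [ -z "$(find_script_enabled_installs "$1")" ]
}

# Constructed sample Dockerfile mixing sensitive and compliant instructions.
SAMPLE_DOCKERFILE="$(mktemp)"
cat > "$SAMPLE_DOCKERFILE" <<'EOF'
FROM node:latest
RUN npm install
RUN npm ci \
    --ignore-scripts
RUN yarn install --frozen-lockfile \
    && yarn build
RUN npm install --ignore-scripts
EOF

find_script_enabled_installs "$SAMPLE_DOCKERFILE"
dockerfile_is_compliant "$SAMPLE_DOCKERFILE" && echo "compliant" || echo "sensitive installs found"
```

Running it on the sample reports the plain "npm install" on line 2 and the chained "yarn install --frozen-lockfile" on line 6, while the two installs carrying --ignore-scripts are accepted.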

See