npmjs.com and preinstall ELF executables
Marek Marczykowski-Górecki
marmarek at invisiblethingslab.com
Fri Jun 12 13:08:43 UTC 2026
On Fri, Jun 12, 2026 at 12:45:00PM +0000, Eric Cornelissen via rb-general wrote:
> Hi,
>
>
> While waiting for npm v12 you can instruct npm to ignore such scripts by setting `ignore-scripts=true` in `~/.npmrc`.
>
>
> However, both for what I and Marc said, there's a catch: the following bypasses any protections in place
>
>
> ```
> post_install() {
>   cd /tmp
>   npm install --ignore-scripts=false REDACTED yargs
> }
> ```
>
>
> I wrote up https://github.com/npm/rfcs/issues/896 regarding this, please consider adding a +1 or giving feedback.
How would any of that help in practice? If the attacker can run an arbitrary
command already, they can simply override the user configuration (for
example by setting an alternative $HOME for the command). And even if the
pre/post install scripts functionality were completely removed from
npm, it would still help only a little, because the attacker can simply call the
just-installed package in the next command. Sure, it may look a little
more suspicious, but only a little, for example:
```
post_install() {
  cd /tmp
  npm install REDACTED yargs
  REDACTED-tool generate-index
}
```
IMO more effective would be preventing post-install scripts at the
earlier level - the AUR package. But that's probably a much less realistic
thing, as AFAIK those are quite common for legitimate purposes... Or
maybe at least run them (and the package build itself too) in a
network-isolated environment (network namespace? systemd-nspawn?). This
would force such malicious packages to rely on files already included in
the package, hopefully making detection significantly simpler.
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
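As an added example (not part of the thread or of any project mentioned in it), a small Python audit that scans an AUR-style .install file for the patterns discussed above: npm install invocations inside pacman hook functions, an explicit --ignore-scripts=false, a $HOME override that sidesteps ~/.npmrc, and any command run after the install that could be the freshly fetched package. The sample .install content, hook layout assumptions and package names (example-pkg, example-pkg-tool) are constructed for this illustration.

```python
import re
# Constructed sample .install file modelled on the snippets quoted in the thread (no real package).
SAMPLE_INSTALL = """\
post_install() {
  cd /tmp
  HOME=/tmp/scratch npm install --ignore-scripts=false example-pkg yargs
  example-pkg-tool generate-index
}
post_upgrade() {
  echo "upgraded"
}
"""

HOOKS = ("pre_install", "post_install", "pre_upgrade", "post_upgrade", "pre_remove", "post_remove")
FUNC_RE = re.compile(r"^\s*(\w+)\s*\(\)\s*\{\s*$")  # e.g. "post_install() {"

def extract_hooks(text):
    """Map each pacman hook function in an .install file to its stripped body lines."""
    # Assumes the usual "name() {" on its own line; nested braces are tracked by depth.
    hooks, current, depth = {}, None, 0
    for line in text.splitlines():
        m = FUNC_RE.match(line)
        if current is None and m and m.group(1) in HOOKS:
            current, depth = m.group(1), 1
            hooks[current] = []
            continue
        if current is not None:
            depth += line.count("{") - line.count("}")
            if depth <= 0:
                current = None  # closing brace of the hook
            else:
                hooks[current].append(line.strip())
    return hooks

def audit_hooks(text):
    """Return (hook, finding, line) triples for the patterns discussed in the thread."""
    findings = []
    for name, body in extract_hooks(text).items():
        for i, line in enumerate(body):
            if not re.search(r"\bnpm\s+(install|i|ci)\b", line):
                continue
            findings.append((name, "npm-install-in-hook", line))
            if "--ignore-scripts=false" in line:  # defeats ignore-scripts=true in ~/.npmrc
                findings.append((name, "lifecycle-scripts-reenabled", line))
            if re.search(r"(^|\s)HOME=", line):  # alternative $HOME sidesteps the user's .npmrc
                findings.append((name, "home-override", line))
            for later in body[i + 1:]:  # anything run afterwards may be the fetched package
                if later and not later.startswith(("cd ", "echo ", "#")):
                    findings.append((name, "command-after-npm-install", later))
    return findings
```

Running audit_hooks(SAMPLE_INSTALL) yields four findings, all in post_install; a hook that only removes files yields none.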