npmjs.com and preinstall ELF executables
Eric Cornelissen
ericco at kth.se
Tue Jun 16 08:19:15 UTC 2026
> How would any of that help in practice?
It's just a hardening measure against the particular attack (attempt) described in the original message.
I fully agree it does not prevent such attacks in general.
Regards,
Eric
________________________________
From: Marek Marczykowski-Górecki <marmarek at invisiblethingslab.com>
Sent: Friday, June 12, 2026 3:08:43 PM
To: General discussions about reproducible builds
Cc: Eric Cornelissen
Subject: Re: npmjs.com and preinstall ELF executables
On Fri, Jun 12, 2026 at 12:45:00PM +0000, Eric Cornelissen via rb-general wrote:
> Hi,
>
>
> While waiting for npm v12 you can instruct npm to ignore such script by setting `ignore-scripts=true` in `~/.npmrc`.
>
>
> However, both for what I and Marc said, there's a catch: the following bypasses any protections in place
>
>
> ```
> post_install() {{
> cd /tmp
> npm install --ignore-scripts=false REDACTED yargs
> }}
> ```
>
>
> I wrote up https://github.com/npm/rfcs/issues/896 regarding this, please consider adding a +1 or giving feedback.
How would any of that help in practice? If attacker can run arbitrary
command already, they can simply override the user configuration (for
example by setting alternative $HOME for the command). And even if
pre/post install scripts functionality would be completely removed from
npm, it still helps only a little, because attacker can simply call the
just installed package in the next command. Sure, it may look a little
more suspicious, but only a little, for example:
```
post_install() {{
cd /tmp
npm install REDACTED yargs
REDACTED-tool generate-index
}}
```
IMO more effective would be preventing post-install scripts at the
earlier level - AUR package. But that's probably much less realistic
thing, as AFAIK those are quite common for legitimate purposes... Or
maybe at least run them (and the package build itself too) in a
network-isolated environment (network namespace? systemd-nspawn?). This
would force such malicious packages to rely on files already included in
the package, hopefully making detection significantly simpler.
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20260616/5d62cfa6/attachment.htm>
More information about the rb-general
mailing list