Explainer

Malicious Install Scripts


Several ecosystems run code when you install a package, before any of your own code executes. npm has preinstall/postinstall hooks; Python's setup.py runs on build/install. That's a gift to attackers: the payload fires the moment a dependency lands on your machine or CI runner.
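To make the npm side of this concrete, here is an added example (not code from the original post) that walks a node_modules tree and reports every package whose package.json declares an install-time hook; the three sample manifests it writes into a temporary directory are constructed for illustration and are not real packages.

```python
# Added example (not from the original post): list npm packages whose package.json
# declares a script that runs automatically during `npm install`.
import json
import os
import tempfile

# Lifecycle hooks npm runs for a dependency while installing it.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def install_hooks(manifest: dict) -> dict:
    """Return {hook: command} for the install-time scripts in one manifest."""
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def scan_node_modules(root: str) -> list:
    """Walk a node_modules tree; return (package, hook, command) per install hook."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as f:
                manifest = json.load(f)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        name = manifest.get("name") or os.path.relpath(dirpath, root)
        for hook, cmd in install_hooks(manifest).items():
            findings.append((name, hook, cmd))
    return sorted(findings)


def demo() -> list:
    """Scan a constructed node_modules tree (sample manifests, not real packages)."""
    tree = {  # relative path under node_modules -> manifest
        "plain-dep": {"name": "plain-dep", "scripts": {"test": "node test.js"}},
        "hooked-dep": {"name": "hooked-dep",
                       "scripts": {"postinstall": "node setup.js", "build": "tsc"}},
        # Transitive dependency: nested node_modules must be walked too.
        "hooked-dep/node_modules/nested-dep": {"name": "nested-dep",
                                               "scripts": {"preinstall": "sh install.sh"}},
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, manifest in tree.items():
            pkg_dir = os.path.join(root, rel)
            os.makedirs(pkg_dir, exist_ok=True)
            with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as f:
                json.dump(manifest, f)
        return scan_node_modules(root)
```

Run against a real node_modules directory, `scan_node_modules` shows exactly which dependencies get to execute before your own code does; npm's `ignore-scripts` config setting turns those hooks off for installs where you don't want that.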

What they do

Because the script runs in CI, the blast radius is your whole pipeline, and often production credentials.

Why scanners miss them

How to defend
