[tomxor]

At this point lifecycle script should be disabled by default in NPM.

It's a convenience feature that provides built-in Arbitrary Code Execution (even for transient dependencies), and every one of these widespread NPM worm style attacks has propagated through it, because of the default setting. Also enabling it for one command shouldn't automatically permit all transient dependencies to run lifecycle scripts, it should be required to explicitly mark each dependency to limit it to where it's absolutely necessary.

The vast majority of NPM packages do not depend on these scripts, and you should disable them globally if you haven't already.

[bakkoting]

There's an RFC for this: https://github.com/npm/rfcs/pull/868

[hirako2000]

Or simply use pnpm.

[tomxor]

That's helpful to prevent individual secret harvesting, however it does not protect you from potential silent downstream effects in packages. i.e. inclusion of malicious code in libraries you depend on, this could be as simple as inserting a cryptominer, or as severe as data exfil in a front end package.

This default can affect all consumers of NPM packages, regardless of whether you use yarn, pnpm or npm itself, because most package maintainers use NPM. This is why it's NPM's responsibility to change this default in order to prevent spread of malware in packages.

[josephg]

Yeah. Or they should run in a sandbox. I would have no problem with a post install script which ran arbitrary commands in the context of the installed package itself. But arbitrary scripts + user level permissions is a recipe for disaster.

That said, packages could still just run whatever junk they want when they first get imported in a program.