The normal trust boundary breaks. If a package can run through import-time code or startup hooks, it can read secrets, modify runtime state, and exfiltrate credentials before developers or defenders see application logic. That is why dependency review must include execution behaviour, not just version tracking and signature checks.
Why This Matters for Security Teams
Package execution before application startup turns dependency management into a runtime security problem, not just a software supply chain problem. If install hooks, import-time code, or build-time scripts can execute, a trusted package may inspect environment variables, alter process behaviour, or access secrets before the application’s own controls load. That means signature validation and version pinning are necessary but not sufficient.
NHI Management Group has shown how often identity risk hides in ordinary software paths: Ultimate Guide to NHIs notes that 96% of organisations store secrets outside secrets managers, and 79% have experienced secrets leaks. In practice, many security teams encounter package-triggered credential exposure only after a build agent, CI runner, or production host has already executed the code path that harvested those secrets.
That is why the question is not only “is the package trusted?” but “what is the package allowed to do before the app exists?” Current guidance from NIST Cybersecurity Framework 2.0 points teams toward stronger governance, but it does not remove the need to inspect package execution behaviour directly.
How It Works in Practice
The main control objective is to reduce or contain executable behaviour during dependency resolution, installation, and import. Security teams should treat packages as active code paths, not passive artifacts. A package can run through setup scripts, post-install hooks, module imports, or plugin registration, and each stage may occur before application policy, authentication, or logging is fully initialized.
Practically, defenders should combine software supply chain checks with runtime guardrails:
- Block or review packages that execute during install unless there is a documented business need.
- Isolate builds and startup in restricted environments with no ambient access to production secrets.
- Use short-lived, scoped credentials so any startup-time access is limited to the minimum window.
- Prefer dependency scanners that detect code execution paths, not only known CVEs or signatures.
- Monitor for unexpected process creation, outbound connections, and secret access during import or bootstrap.
For teams assessing supply-chain abuse patterns, the LiteLLM PyPI package breach is a useful reminder that package trust can be weaponised before a user ever reaches application logic. That is consistent with the broader NHI risk picture in Ultimate Guide to NHIs, where credential exposure and weak visibility frequently amplify initial access into wider compromise.
These controls tend to break down in CI/CD systems that reuse persistent runner credentials and mount broad secret stores, because startup-time code can access enough privilege to exfiltrate data before monitoring or policy enforcement catches up.
Common Variations and Edge Cases
Tighter controls on package execution often increase build friction, so organisations have to balance developer speed against the risk of silent code execution. Best practice is evolving here, and there is no universal standard for which packages should be allowed to run install-time code in every environment.
Some ecosystems make execution harder to avoid because plugins, entry points, or native extensions are core to how the application starts. In those cases, the safer pattern is to confine execution to isolated build stages, enforce least privilege for startup credentials, and require explicit approval for packages that request network or filesystem access during import. Where dependencies are internally maintained, teams should still assume compromise is possible and verify behaviour rather than pedigree alone.
For governance, the NIST Cybersecurity Framework 2.0 can anchor policy, but operational teams still need package-level execution review and secrets minimisation. The key edge case is any environment that starts untrusted code with access to long-lived API keys, because a single import can become a full credential compromise before the application emits its first log line.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Startup code can expose long-lived NHI secrets before controls load. |
| OWASP Agentic AI Top 10 | AGENT-04 | Executable dependencies can act before policy is enforced, like hostile tools. |
| NIST AI RMF | Autonomous runtime effects create AI-style governance risk around unexpected actions. |
Apply AI RMF governance to require approval, monitoring, and accountability for executable dependencies.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
