The install step stops being a safe execution boundary. A malicious preinstall script can read cached secrets, harvest tokens, and use legitimate identities to republish packages or access cloud systems. The failure is not only malware execution, but the presence of durable credentials in a context that assumes untrusted code cannot reach them.
Why This Matters for Security Teams
npm install scripts are often treated as routine build-time code, but that assumption fails the moment long-lived credentials are present in the same execution environment. A preinstall or postinstall hook can read environment variables, access local caches, and call internal or cloud APIs with the same identity a trusted service would use. That turns dependency installation into a privilege boundary failure, not just a software hygiene issue.
This is why NHI security guidance keeps emphasising secret scope and lifecycle, not just secret strength. When durable tokens sit on developer workstations, build runners, or shared automation accounts, a package install becomes a credential collection opportunity. The risk is amplified by the speed of modern supply-chain abuse, as shown in the Shai Hulud npm malware campaign and the broader patterns documented in the 52 NHI Breaches Analysis. In practice, many security teams encounter credential abuse only after package compromise or repository tampering has already occurred, rather than through intentional review of install-time trust boundaries.
How It Works in Practice
Install scripts break assumptions because they execute with the privileges of the user or runner performing the install. If that context has access to long-lived cloud keys, package publish tokens, signing certificates, or internal API secrets, the script can exfiltrate them quietly and then reuse them outside the original environment. The problem is not unique to npm, but npm’s lifecycle hooks make it especially easy for malicious code to run during routine dependency resolution.
Current best practice is to treat install-time code as untrusted by default and reduce what it can reach. That usually means separating dependency fetching from execution, removing secrets from build environments, and replacing durable credentials with short-lived tokens issued only when a task actually needs them. NHI guidance increasingly recommends Static vs Dynamic Secrets thinking: ephemeral credentials limit the blast radius when a package or transitive dependency turns hostile. The same direction is reinforced by the OWASP Non-Human Identity Top 10, which highlights overprivileged and poorly governed workload identities.
- Run installs in isolated build containers with no access to production secrets.
- Use JIT credential issuance so the installer never sees reusable long-lived tokens.
- Prefer workload identity federation or scoped ephemeral tokens over static environment variables.
- Block lifecycle scripts where possible, or review them as code with the same scrutiny as application logic.
For identity proof, the direction of travel is toward workload identity and runtime policy rather than persistent shared secrets. That is aligned with the NIST view of digital identity assurance in NIST SP 800-63 Digital Identity Guidelines, even though npm install scripts are an engineering control problem more than a human login problem. These controls tend to break down when build runners are shared across teams because one compromised pipeline can inherit secrets intended for another.
Common Variations and Edge Cases
Tighter install-time controls often increase build friction, requiring organisations to balance developer convenience against supply-chain risk. That tradeoff is real, especially where legacy packages depend on lifecycle hooks or where CI systems were designed around static secrets. Best practice is evolving, but there is no universal standard for exactly how much script execution should be blocked versus sandboxed.
Edge cases appear in monorepos, self-hosted runners, and air-gapped environments where teams assume the threat is lower because internet access is limited. The risk still persists if the runner can reach artifact repositories, signing services, or internal APIs. Secret sprawl becomes especially dangerous in these environments, which is why NHI research on the Secret Sprawl Challenge remains directly relevant. The right question is not whether npm scripts are “trusted,” but whether any credential present at install time is constrained enough to survive malicious code.
One useful operational rule is simple: if a token would be damaging in the hands of arbitrary dependency code, it should not exist in the install context at all. That is the clearest dividing line between manageable build automation and a supply-chain incident waiting to happen.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Long-lived secrets in install scripts create overexposed NHI credentials. |
| OWASP Agentic AI Top 10 | Untrusted code executing with tool access mirrors autonomous execution risk. | |
| NIST AI RMF | Install scripts introduce contextual risk that needs ongoing governance. |
Replace static install-time secrets with short-lived, scoped credentials and revoke them after each task.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
