Comment on page


Threat coverage during the installation process.
Currently, provides coverage from a range of attack vectors that trigger during the installation phase.
Eseentially, this is the stage where your project is built by running the npm install command inside your local environment or CI system. At this point, the package.json file is used as a manifest for building your project. This manifest typically contains the dependencies to be installed (and downloaded), as well as a collection of scripts to be executed as a part of the process.
During this phase, we watch for common attack vectors and known indicators of harmful behavior including:
  • Spawning of suspicious child processes
  • Sensitive data/credential exfiltration (e.g malicious code exfiltrating environment variables or secrets)
  • Suspicious network connections (e.g. pulling a malicious payload from an unauthorized source)
  • Suspicious filesystem access (e.g. tampering/reading contents of sensitive directories such as .ssh)
Our starting coverage is on threats that trigger during the installation/build phase, which is the stage where 3rd party open source code gets bundled with internal application code.
The most common method for malware delivery on npm is through the install scripts which allow for arbitrary code execution on host systems. According to 2022 paper, 94% of malicious packages contained at least one install script. Read more about this attack vector in this blog post.
Last modified 8mo ago
© 2023 Garnet Labs