← Back to blog

Think Before You `install`: How a Git Clone Can Compromise Your System

You've just found the perfect project on GitHub—maybe you discovered it yourself, or someone portraying themselves as a hiring manager or offering freelance work sent it to you. It has all the features you need, and the code looks clean. You clone it, run npm install or pnpm install, and get to work. But what if that simple command was the last safe thing you did on your computer? This isn't just a scare tactic; it's a real threat that every developer needs to understand.

The Hidden Danger in package.json

When you run npm install or pnpm install, you're not just downloading the project's direct dependencies. You're also executing scripts that the package authors have defined. These scripts, found in the scripts section of the package.json file, can be set to run before or after the installation process using hooks like preinstall or postinstall.

This is where the scam begins. Malicious actors can publish packages that seem harmless but contain a dangerous script. When you install this package, either directly or as a dependency of another package, this script runs on your machine with the same permissions as your user account.

A real-world example of this is the http-req-logger package, as detailed in the GitHub advisory GHSA-vp4c-hx29-2cr6. This package contained malicious code that was executed upon installation, compromising the host machine.

How to Protect Yourself: Audit Your Dependencies

So, how do you protect yourself from these "supply chain attacks"? The answer is to be vigilant and audit your dependencies before you install them. Here's how:

  1. Inspect package.json: Before you run any installation commands, open the package.json file and look at the dependencies, devDependencies, and scripts sections. Be wary of any unfamiliar packages or strange scripts.

  2. Use pnpm audit: If you're using pnpm, you have a powerful tool at your disposal. Before installing, you can run:

    pnpm audit

    This command will check your project's dependencies against a database of known security vulnerabilities and warn you of any potential threats.

  3. Check Lock Files: The package-lock.json (for npm) or pnpm-lock.yaml (for pnpm) file contains a detailed list of every single package that will be installed, including dependencies of your dependencies. A quick scan of this file can help you spot anything that looks suspicious.

The Worst-Case Scenario: A Full System Wipe

If you do fall victim to a malicious package, the consequences can be severe. The script runs with your user's permissions, giving it access to everything you can access. Depending on the payload of the malicious script, a hacker could:

  • Steal all your environment variables: The script can read your .env files and shell variables, sending sensitive information like API keys, database credentials, and other secrets directly to the attacker's server.
  • Steal your personal data, including passwords and private keys from your home directory.
  • Install a keylogger to record everything you type.
  • Use your machine to mine cryptocurrency.
  • Encrypt your files and demand a ransom (ransomware).

In the most extreme cases, the only way to be sure that your system is clean is to completely format your device and reinstall the operating system. This is a drastic step, but it's often the only way to guarantee that all traces of the malware are gone.

The Takeaway

The convenience of package managers is undeniable, but it comes with a risk. Always remember:

  • Trust, but verify: Don't blindly install dependencies, even from seemingly reputable projects.
  • Audit everything: Make pnpm audit a regular part of your workflow.
  • Stay informed: Keep up to date with the latest security vulnerabilities and best practices.

By taking a few extra precautions, you can protect yourself from the devastating consequences of a malicious package and avoid the nightmare of having to format your device. Stay safe out there!