Malicious Install Script
preinstall / postinstall scripts in npm and setup.py in PyPI run during dependency resolution, giving arbitrary code execution on the developer or CI host.
§ Where this technique fits
SUP-INSTALL-SCRIPT is catalogued under the Execution tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, at step 3.7 on average.
§ Dossiers chaining this technique
- step 2 / 6 · npm typosquat → developer workstation → corporate VPN
  Publish a typosquat npm package; the developer's `npm install` runs the postinstall script, exfiltrates SSH keys + VPN profile, then connects to the corporate network.
- step 3 / 5 · Dependency confusion → internal CI compromise
  Publish a public npm package with the name of a target's private internal dependency at a higher version. CI resolves the public one first and runs install scripts in privileged CI.
- step 6 / 6 · Leaked GitHub PAT → org takeover → supply-chain push
  A maintainer's PAT lands in a public Gist (or a Docker image layer). The token has repo + workflow scopes — push a malicious commit to a popular package, fire the auto-publish workflow.
§ What commonly comes next
- 01 · Command and Scripting Interpreter (T1059 · Execution) · seen 1×
- 02 · Valid Accounts (T1078 · Initial Access) · seen 1×