
Mitigating Postinstall Attacks like the Shai-Hulud Worm

Kris Kowal edited this page Sep 16, 2025 · 12 revisions

Notes:

  • Shai-Hulud worm: write-ups at reversinglabs.com and socket.dev.

  • npm ci and yarn install --frozen-lockfile are generally safe, because they install only the versions already pinned in the lockfile and fail instead of resolving anything new.

  • npm install --ignore-scripts and yarn install --ignore-scripts are generally safe. (Ancient mitigation advice from npm)

  • npm config set ignore-scripts true --global will protect npm install in general, but it also blocks your own project's lifecycle scripts, so read on to learn about LavaMoat allow-scripts.

  • yarn and yarn install are not safe if you have introduced any new dependencies to package.json anywhere in your project: resolving those new dependencies can force other dependencies to upgrade, and the upgraded versions' install scripts will run.

  • The LavaMoat allow-scripts tool significantly limits attackers’ ability to execute arbitrary code with all of your user rights when you use npm install or yarn. The workflow for setting up LavaMoat includes npm configuration above and a mechanism to allow specific scripts.

  • If you publish npm packages, make sure you have MFA set up: https://docs.npmjs.com/configuring-two-factor-authentication. This does not prevent an attacker from running arbitrary code and moving laterally throughout your system and connected devices, but it does prevent them from using your credentials to publish packages and spread a worm.

  • pnpm from version X is the only package manager that does not run postinstall scripts by default. CITATION NEEDED

  • Do not use yarn version 3. Check with yarn --version. Note that the yarn version may depend on the packageManager field in your package.json; add "packageManager": "yarn@4.9.1", for example. https://github.com/yarnpkg/berry/issues/6258

  • ignore-scripts in Yarn configuration (.yarnrc) https://classic.yarnpkg.com/lang/en/docs/cli/config/ DETAILS NEEDED

  • enableScripts: false in .yarnrc.yml CITATION NEEDED
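The settings in the notes above can be checked mechanically before running an install. The following is an added example, not code from this wiki or from LavaMoat: it reads .npmrc, .yarnrc.yml and package.json and reports which of the listed mitigations are present (the lavamoat.allowScripts key is the one @lavamoat/allow-scripts uses in package.json; the sample file contents in the main block are constructed).

```python
"""Audit a project's install configuration for the postinstall mitigations above."""
import json
import re
from pathlib import Path


def audit_install_config(npmrc=None, yarnrc_yml=None, package_json=None):
    """Each argument is the text of that file, or None if the file is absent."""
    findings = {
        "npm_ignore_scripts": False,        # .npmrc: ignore-scripts=true
        "yarn_enable_scripts_off": False,   # .yarnrc.yml: enableScripts: false
        "package_manager": None,            # package.json "packageManager", if pinned
        "yarn3_pinned": False,              # pinned to Yarn 3, which the notes warn against
        "allow_scripts_configured": False,  # package.json lavamoat.allowScripts present
    }
    if npmrc:
        for line in npmrc.splitlines():
            # npm config files use key=value lines; ';' and '#' start comments
            line = re.split(r"[;#]", line, maxsplit=1)[0].strip()
            if "=" in line:
                key, value = (s.strip() for s in line.split("=", 1))
                if key == "ignore-scripts" and value.lower() == "true":
                    findings["npm_ignore_scripts"] = True
    if yarnrc_yml and re.search(r"^\s*enableScripts:\s*false\s*$", yarnrc_yml, re.M):
        findings["yarn_enable_scripts_off"] = True
    if package_json:
        data = json.loads(package_json)
        pm = data.get("packageManager")
        findings["package_manager"] = pm
        findings["yarn3_pinned"] = bool(pm) and pm.startswith("yarn@3.")
        lavamoat = data.get("lavamoat")
        findings["allow_scripts_configured"] = isinstance(lavamoat, dict) and "allowScripts" in lavamoat
    # Scripts are blocked by default only if one of the package-manager settings is on
    findings["scripts_blocked"] = findings["npm_ignore_scripts"] or findings["yarn_enable_scripts_off"]
    return findings


def audit_dir(root):
    """Read the three files from a project directory (missing files are skipped)."""
    root = Path(root)
    read = lambda name: (root / name).read_text() if (root / name).is_file() else None
    return audit_install_config(read(".npmrc"), read(".yarnrc.yml"), read("package.json"))


if __name__ == "__main__":
    # Constructed sample: Yarn 3 pinned, no script blocking at all
    sample = audit_install_config(package_json='{"packageManager": "yarn@3.8.0"}')
    for key, value in sample.items():
        print(f"{key}: {value}")
```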
