
Mitigating Postinstall Attacks like the Shai‐Hulud Worm

Kris Kowal edited this page Sep 16, 2025 · 12 revisions

Notes:

  • Shai-Hulud worm: an npm worm that executes through dependency postinstall scripts and uses stolen publishing credentials to spread to further packages.

  • npm ci and yarn install --frozen-lockfile (Yarn Classic; yarn install --immutable in Yarn 2+) are generally safe against this vector: they install exactly the versions pinned in the lockfile and fail instead of re-resolving when package.json and the lockfile disagree, so a freshly published malicious version cannot be pulled in. Note that they still run the lifecycle scripts of every pinned package, so they do not protect you if a version you already have locked was compromised.

  • yarn and yarn install (without a frozen/immutable lockfile) are not safe if you have added any new dependency to a package.json anywhere in your project: Yarn resolves the new entry and may re-resolve other ranges along with it, so existing dependencies can be upgraded to whatever is newest on the registry, including a version published by the worm minutes ago.

  • The LavaMoat allow-scripts tool significantly limits an attacker's ability to execute arbitrary code with your full user rights during npm install or yarn. It configures the package manager to ignore lifecycle scripts entirely and then runs only the scripts of packages you have explicitly allowlisted under lavamoat.allowScripts in package.json; allow-scripts setup writes the ignore-scripts settings, and allow-scripts auto records every dependency that declares such scripts in that allowlist for you to review.

  • If you publish npm packages, make sure you have MFA set up: https://docs.npmjs.com/configuring-two-factor-authentication. MFA does not prevent an attacker who already runs arbitrary code on your machine from moving laterally through your system and connected devices, but it does prevent them from using your npm credentials to publish packages and spread a worm.

  • Do not use Yarn version 3 (see https://github.com/yarnpkg/berry/issues/6258). Check with yarn --version. Note that when Corepack is enabled, the Yarn version is selected by the packageManager field in your package.json, so pin a current release there, for example "packageManager": "yarn@4.9.1".

  • ignore-scripts in Yarn Classic configuration: add the line `ignore-scripts true` to .yarnrc, which makes yarn install skip every dependency's preinstall/install/postinstall hook (`yarn install --ignore-scripts` does the same for a single run). The npm equivalent is `ignore-scripts=true` in .npmrc. https://classic.yarnpkg.com/lang/en/docs/cli/config/

  • Among npm, Yarn and pnpm, pnpm (since pnpm 10) is the only one that does not run dependency lifecycle scripts by default; a package that genuinely needs its build script must be listed under pnpm.onlyBuiltDependencies in package.json before pnpm will run it.

  • enableScripts: false in .yarnrc.yml disables lifecycle scripts in Yarn 2+ (Berry): https://yarnpkg.com/configuration/yarnrc#enableScripts
