npm lifecycle script runs a remote-fetch-and-execute pattern
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A package.json preinstall/install/postinstall script pipes curl/wget straight into a shell, or runs a PowerShell IEX/Invoke-Expression or 'node -e' against a remote URL -- the exact technique used by real npm supply-chain malware to fetch a second-stage payload at install time.
Why it matters
A package.json preinstall/install/postinstall script that pipes curl or wget into a shell, or runs a PowerShell IEX/Invoke-Expression, or calls 'node -e' against a remote URL, is fetching and executing code from the network the moment someone runs npm install -- before any of the package's own reviewed code even runs. This is the exact mechanism used by real npm supply-chain malware to drop a second-stage payload, so a match here deserves scrutiny even if it turns out to be a legitimate (if risky) build step.
How to fix it
Replace the remote-fetch-and-execute pattern with a pinned, checksummed download (fetch a specific release asset and verify its hash) or, better, vendor the tool as a normal versioned dependency instead of a lifecycle script. If the script is legitimate, add a code comment explaining exactly what it fetches and why, so a future reviewer does not have to guess.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo