Will It Vibe logoWill It Vibe?
SCA-026High severity-15 points

npm lifecycle script runs a remote-fetch-and-execute pattern

Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

A package.json preinstall/install/postinstall script pipes curl/wget straight into a shell, or runs a PowerShell IEX/Invoke-Expression or 'node -e' against a remote URL -- the exact technique used by real npm supply-chain malware to fetch a second-stage payload at install time.

Why it matters

A package.json preinstall/install/postinstall script that pipes curl or wget into a shell, or runs a PowerShell IEX/Invoke-Expression, or calls 'node -e' against a remote URL, is fetching and executing code from the network the moment someone runs npm install -- before any of the package's own reviewed code even runs. This is the exact mechanism used by real npm supply-chain malware to drop a second-stage payload, so a match here deserves scrutiny even if it turns out to be a legitimate (if risky) build step.

How to fix it

Replace the remote-fetch-and-execute pattern with a pinned, checksummed download (fetch a specific release asset and verify its hash) or, better, vendor the tool as a normal versioned dependency instead of a lifecycle script. If the script is legitimate, add a code comment explaining exactly what it fetches and why, so a future reviewer does not have to guess.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Dependencies & Hygiene checks