aikidoodoo
v1.0.1
Benign, educational install-hook demonstrator for testing software supply-chain dependency/install-script detection. Not malware.
aikidoodoo
A benign, educational install-hook demonstrator for testing software supply chain security tooling.
Purpose
aikidoodoo exists to be detected. It is a flagship test package for validating
that supply-chain dependency scanners, install-script auditors, and CI security
gates correctly flag packages that execute code during installation.
Modern attacks frequently abuse npm lifecycle hooks (preinstall, install,
postinstall) to run arbitrary code the moment a dependency is pulled in —
often transitively, without the developer ever reviewing it. Security teams need
a known, safe, well-understood sample to verify their detection actually works.
This package is that sample.
Point your scanner at it and confirm it raises:
- presence of a lifecycle install script (preinstall)
- the script spawning child processes
- the script launching GUI windows
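The kind of static check a scanner would run against this package before install, as an added example (not code from aikidoodoo itself): it flags the three signals listed above from a package.json and the hook script it references. The package.json and preinstall.js contents below are constructed to match the README's description, not the real files.

```javascript
// Added example, not part of the aikidoodoo package. A minimal pre-install
// audit of an npm package: flags lifecycle hooks, child-process spawning in
// the hook script, and GUI/browser launching. Regex heuristics only; a real
// scanner would parse the script's AST instead.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// require('child_process') or a bare call to one of its spawn/exec functions.
const SPAWN_RE =
  /require\(['"](?:node:)?child_process['"]\)|\b(?:spawn|spawnSync|exec|execFile|execSync)\b/;
// A spawn/exec whose first argument is a platform launcher or a browser,
// or Chromium-style window flags.
const GUI_RE =
  /(?:spawn|spawnSync|exec|execFile|execSync)\s*\(\s*['"](?:xdg-open|open|start|chrome|chromium|google-chrome|firefox)\b|--app=|--new-window/;

function auditPackage(pkgJson, scriptSources) {
  const findings = [];
  const scripts = pkgJson.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    findings.push({ rule: 'lifecycle-hook', hook, command: scripts[hook] });
    // Resolve the file the hook runs ("node preinstall.js" -> preinstall.js)
    // and inspect its source if the caller supplied it.
    const file = (scripts[hook].match(/\b[\w./-]+\.c?m?js\b/) || [])[0];
    const src = file && scriptSources[file];
    if (!src) continue;
    if (SPAWN_RE.test(src)) findings.push({ rule: 'spawns-child-process', hook, file });
    if (GUI_RE.test(src)) findings.push({ rule: 'launches-gui', hook, file });
  }
  return findings;
}

// Constructed sample modelled on the README's description, not the real files.
const samplePkg = {
  name: 'aikidoodoo',
  version: '1.0.1',
  scripts: { preinstall: 'node preinstall.js' },
};
const sampleSources = {
  'preinstall.js':
    "const { spawn } = require('child_process');\n" +
    "spawn('xdg-open', ['assets/demo.html'], { detached: true });\n",
};

const sampleFindings = auditPackage(samplePkg, sampleSources);
for (const f of sampleFindings) console.log(f);
```

Running it against the sample reports all three rules; a package without lifecycle scripts reports nothing. Fetching the tarball with npm pack, as the Usage section describes, lets you run such a check without the hook ever executing.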
What it actually does
On preinstall, preinstall.js opens a few small browser windows that play a
short video bundled in assets/. That's the entire behavior. It is deliberately
visible and harmless so the effect of an install hook is obvious and observable.
This is not malware
It is solely for educational and security-testing purposes. Specifically, it does not:
- read, modify, or delete any file outside its own package directory
- access environment variables, credentials, tokens, or SSH keys
- make any network request or exfiltrate any data
- install, persist, or schedule anything beyond the foreground windows
- target any specific user, machine, or organization
The only side effect is the windows it opens, which you can close at any time.
The full source is preinstall.js — short enough to read in under a minute.
Usage
npm install aikidoodoo
Or inspect without running the hook:
npm pack aikidoodoo # download the tarball and read preinstall.js
License
MIT
