npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

npmdemo-preinstall-recon

v1.0.4

Published

⚠️ 安全研究演示:npm preinstall 钩子静默环境探测 — 仅供安全教学,请勿用于恶意目的

Readme

09 — npm preinstall 脚本投毒演示

⚠️ 安全研究演示,仅供教学目的。所有数据仅写入本地,不进行任何网络请求。

攻击原理

npm 的 package.json 支持 preinstall 生命周期钩子——在 npm install 执行依赖安装之前自动运行指定脚本。攻击者只需在 scripts.preinstall 中植入恶意代码,用户执行 npm install 时就会静默执行,无需用户任何额外确认。

用户执行 npm install
  → npm 读取 package.json
  → 发现 scripts.preinstall: "node scripts/evil.js"
  → 在安装任何依赖之前,先执行 evil.js    ← 攻击发生!
  → 安装正常依赖,用户毫无察觉

与 Python 投毒的对比

| 维度 | Python (setup.py) | npm (preinstall) | |------|-------------------|-------------------| | 触发时机 | pip install | npm install | | 执行方式 | setup.py 顶层代码 | scripts.preinstall 字段 | | 用户感知 | 低(安装即执行) | 更低(隐式钩子,多数用户不检查) | | 防御手段 | --no-build-isolation | --ignore-scripts |

本 Demo 做了什么

npmdemo-preinstall-recon 模拟了一个"合法"的 npm 包,在 preinstall 钩子中:

  1. 静默收集主机名、用户名、平台、工作目录
  2. 扫描环境变量键名(仅键名,不读取值)
  3. 检测敏感变量是否存在(如 AWS_SECRET_ACCESS_KEYGITHUB_TOKEN 等)
  4. 将结果写入本地 .npmdemo-recon.json

关键:不会发送任何网络请求,不会泄露任何数据。

快速演示

方式一:安装触发 preinstall

cd 09_preinstall_script_npm

# 正常安装 — preinstall 钩子自动执行
npm install

# 查看探测结果
cat .npmdemo-recon.json

# 查看格式化报告
npx npmdemo-preinstall-recon
# 或
node src/index.js

方式二:禁用脚本安装(对比)

# 使用 --ignore-scripts 跳过所有生命周期钩子
npm install --ignore-scripts

# 此时不会有 .npmdemo-recon.json 生成
ls .npmdemo-recon.json 2>/dev/null || echo "探测结果未生成 ✅"

方式三:环境变量禁用探测

NPMDEMO_RECON_DISABLE=1 npm install
# 输出: [npmdemo-preinstall-recon] 探测已通过环境变量禁用,跳过。

运行测试

node __tests__/index.test.js

防御建议

| 策略 | 命令 / 方法 | 说明 | |------|------------|------| | 禁用生命周期脚本 | npm install --ignore-scripts | 最直接,但部分包依赖 postinstall | | 安装前审计 | 检查 package.jsonscripts 字段 | 手动检查最可靠 | | 使用 npm config | npm config set ignore-scripts true | 全局生效,需时再关闭 | | CI/CD 中锁定 | npm ci --ignore-scripts | CI 环境推荐 | | 只安装必要依赖 | 避免不必要的全局安装 | 减少攻击面 | | 审计依赖树 | npm audit / npm ls | 发现可疑间接依赖 |

文件结构

09_preinstall_script_npm/
├── package.json                 # 含 preinstall 钩子
├── scripts/
│   └── preinstall-recon.js      # preinstall 时执行的探测脚本
├── src/
│   └── index.js                 # 主模块,读取/模拟探测
├── __tests__/
│   └── index.test.js            # 测试
├── .gitignore
├── LICENSE
└── README.md

警告

⚠️ 本项目仅供安全研究与教学使用。 将类似技术用于未经授权的系统信息收集或数据窃取,可能违反相关法律法规。