Supply chain

Development at home: npm install is not just downloading files

Developers and tinkerers often run package installs at home on machines that also touch email, banking, family photos or work. Package managers can execute code during install. That tiny convenience gap is large enough to drive malware through.

Nigel version

Treat npm, pnpm, bun, pip, composer and one-line install scripts as code execution, not content download. Especially on a home machine with real accounts logged in.

Wikimedia Commons: npm logo

Terminal window — Wikimedia Commons: terminal screenshot

Browser extension screenshot — Wikimedia Commons: browser extension screenshot

Install path

From weekend demo to account reach

This is why the page is blunt about package installs. The risky part is not reading a README. It is running setup inside the same user profile that holds real accounts.

README

Looks useful. Copy the setup command.

package install

npm, pnpm, bun, pip or Composer resolves dependencies.

lifecycle hook

preinstall, install or postinstall can run before you inspect much.

local reach

Shell tokens, SSH keys, browser sessions and files become the prize.

Blast radius

The project lives away from useful secrets, so a bad install has less to steal.

Install discipline

A fast command from a README can still run code faster than a human can read the dependency tree.

Explain the jargon

Small terms, big consequences

Tap a term for the plain-English version and the practical move. No fake mystique, just the bit that changes what you do at home.

?Lifecycle script

A package-manager hook that can run during install, such as preinstall, install or postinstall.

Do this: Check package.json and dependency changes before installing unfamiliar projects.

?npx/bunx

Convenience commands that fetch and run a package quickly. That speed is the point, and also the risk.

Do this: Run unknown tools in a container, VM or throwaway profile rather than your main daily-use account.

?Blast radius

The set of accounts, files, tokens and sessions a mistake can reach from where you ran the command.

Do this: Keep browser sessions, SSH keys, cloud tokens and work material out of untrusted dev environments.

Do this

Do development in a separate profile, VM, dev container or spare machine where practical.
Read package.json scripts and lockfile changes before installing unfamiliar dependencies.
Avoid running random one-line curl/bash, npx, bunx, pip or composer commands from blogs on a sensitive daily-use machine.
Use package-manager controls such as ignored scripts, frozen lockfiles and trusted registries when working on serious projects.
Keep SSH keys, cloud tokens, browser sessions and password-manager unlocks away from untrusted test projects.

Check

Can this install run lifecycle scripts?
Did a new dependency add postinstall/preinstall hooks?
Are personal/work tokens available in the shell?
Is this project isolated from normal browser/email/banking?
Would you run this command on a work build runner?

Avoid

Thinking npm install only downloads text files.
Running npx/bunx random-tool@latest because a README said so.
Testing shady repos on the same laptop that stores browser sessions, SSH keys and tax documents.
Ignoring package scripts because the command completed quickly.

Full guidance

The quick GitHub demo

A developer clones a promising weekend AI tool and runs npm install on the same laptop used for work email, banking and cloud storage.

Better response

• Run it in a dev container or VM first
• Inspect package.json lifecycle scripts
• Keep tokens and browser sessions out of the test environment

Worse habit

Treating postinstall output as harmless setup noise because the demo looked useful.

Routers & Wi‑Fi Passwords & MFA Updates & Apps VPNs & Proxies Family Rules Smart Home Work Boundary AI Agents Recovery Home Dev Online Safety Products