Severity: medium | CWE-78 | OWASP A06:2021

Insecure npm Scripts

npm scripts that fetch and execute remote code, or that embed secrets as shell arguments, are a supply chain and credential exposure risk.

How It Works

npm scripts run with the same permissions as the developer's or CI system's user. A script that runs curl https://remote-server/setup.sh | bash executes whatever the remote server returns at that moment, with no integrity check. Scripts with embedded secrets (--token=sk_prod_abc123) expose those values in process listings and CI logs.

Vulnerable Code
// BAD: scripts that fetch remote code or embed secrets
{
  "scripts": {
    "setup": "curl https://external.com/setup.sh | bash",
    "deploy": "deploy-tool --api-key=sk_prod_secret123 --env=production"
  }
}
Secure Code
// GOOD: scripts use local tooling and reference env vars
// DEPLOY_API_KEY is set in CI secrets, not hardcoded (package.json does not allow comments, so this note must stay outside the JSON)
{
  "scripts": {
    "setup": "node scripts/setup.js",
    "deploy": "deploy-tool --api-key=$DEPLOY_API_KEY --env=production"
  }
}

Real-World Example

CI/CD log exposure incidents frequently reveal secrets embedded in npm script arguments. Process listing tools on Linux (ps, for example) show the full command line of every process, so a secret passed as --token=value is readable by any other user on the same machine.

How to Prevent It

  • Never embed secrets as command line arguments — always use environment variables
  • Avoid piping remote URLs to bash in npm scripts — vendor the script locally instead
  • Audit all npm scripts (running 'npm run-script' with no arguments lists them) and review any that make network calls
  • Use CI secret masking to prevent secrets from appearing in logs even if accidentally logged
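A small checker for the two script patterns this page describes, added here as an example that is not from the original page or the Data Hogo tool; its regexes and sample package.json contents are assumptions constructed for illustration:

```javascript
// Added example, not code from the original page: audit a package.json
// "scripts" block for the two patterns discussed above. The regexes and
// the sample values are assumptions constructed for this illustration.

// curl/wget output piped into a shell (sh, bash, zsh, dash), optionally via sudo.
const REMOTE_PIPE = /\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b/;

// A secret-looking flag with a literal value. A value beginning with "$" (POSIX)
// or "%" (Windows cmd) is an environment-variable reference and is not flagged.
const INLINE_SECRET = /--?(api[-_]?key|token|password|passwd|secret)=(?![$%])(\S+)/i;

// Returns one finding per problem found: { script, issue, cmd, flag? }.
function auditScripts(pkg) {
  const findings = [];
  for (const [name, cmd] of Object.entries(pkg.scripts || {})) {
    if (REMOTE_PIPE.test(cmd)) {
      findings.push({ script: name, issue: 'remote-code-pipe', cmd });
    }
    const m = INLINE_SECRET.exec(cmd);
    if (m) {
      findings.push({ script: name, issue: 'inline-secret', flag: m[1], cmd });
    }
  }
  return findings;
}

// Constructed samples mirroring the BAD and GOOD blocks on this page.
const BAD_PKG = {
  scripts: {
    setup: 'curl https://external.com/setup.sh | bash',
    deploy: 'deploy-tool --api-key=sk_prod_secret123 --env=production',
  },
};
const GOOD_PKG = {
  scripts: {
    setup: 'node scripts/setup.js',
    deploy: 'deploy-tool --api-key=$DEPLOY_API_KEY --env=production',
  },
};

// Report findings the way a CI gate would; GOOD_PKG produces none.
for (const f of auditScripts(BAD_PKG)) {
  console.log(`[${f.issue}] script "${f.script}": ${f.cmd}`);
}
```

Even the env-var form is expanded by the shell before deploy-tool starts, so the value still appears in the process listing; a tool that reads DEPLOY_API_KEY from its own environment avoids that. To audit a real file, pass JSON.parse(fs.readFileSync('package.json', 'utf8')) to auditScripts.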

Affected Technologies

Node.js

Data Hogo detects this vulnerability automatically.
