npm
Node.js package manager abuse techniques
| Technique | Category | Severity | Platforms | Description |
|---|---|---|---|---|
| Dependency Confusion | Dependency Confusion | high | Linux, macOS, Windows | Dependency confusion exploits the way npm resolves package names by publishing a public package with the same name as a private, … |
| Lifecycle Script Abuse | Code Execution | critical | Linux, macOS, Windows | npm supports lifecycle scripts such as preinstall, postinstall, and preuninstall that execute arbitrary shell commands during package … |
| .npmrc Manipulation | Configuration Abuse | medium | Linux, macOS, Windows | .npmrc files control npm behavior including registry URLs, authentication tokens, and script execution settings. An attacker with file write … |
| npx Remote Execution | Code Execution | high | Linux, macOS, Windows | npx is a convenience tool that downloads and immediately executes packages from the npm registry without requiring an explicit install step. … |
| Package Hijacking | Supply Chain | critical | Linux, macOS, Windows | Package hijacking occurs when an attacker gains control of a legitimate maintainer's npm account and publishes trojanized versions of … |