> it installs that commit's declared dependencies (which include bun) and then runs its prepare lifecycle script

Again? How have lifecycle scripts not instantly been defaulted off? Yes breaking things is bad, but come on, this keeps happening, the fix is easy, and if an *javascript* build relies of dependendlcy of dependency's pulled build time script, then it's worth paying in braincells or tokens to digure it out and fix the biold process, or lately uncover an exploit chain. This isn't even a compiled language.

▲

mdavidn 4 hours ago | parent [-]

If the payload couldn't execute at install time, it would at runtime? Disabling prepare scripts does not seem like an effective countermeasure.

	▲	igregoryca 3 hours ago \| parent \| next [-]
		Postinstall scripts have remained an effective attack vector for quite a while – which, ironically, has meant the worm's authors had little incentive to try something else, so it was easier to inoculate yourself. Alas, you're right, it should be pretty simple to bypass this kind of protection, if they haven't already (and seems like they have).
	▲	ChocolateGod 3 hours ago \| parent \| prev [-]
		Well at runtime one would hope they're not giving their JS app access to their home folder.