Friday 26 June 2026 05:46:56 GMT+02:00

Netcrook


WIKICROOK

Install-time execution

Code that runs while software is being installed, before the application launches.

Install-time execution is code that runs while software is being installed, before the application launches. In package ecosystems such as npm, this can happen through lifecycle scripts, build hooks, or native-module compilation steps. The key security issue is that a dependency can execute attacker-controlled logic as soon as it is downloaded and installed, turning a routine setup step into an execution boundary.

This matters because install environments often contain valuable secrets: API tokens, SSH keys, cloud credentials, and CI runner access. Malicious packages can use install-time execution to harvest those secrets, modify build output, or establish persistence before normal app controls are active. Defenders reduce the risk by pinning versions, reviewing advisories, restricting script execution in pipelines, isolating build hosts, and treating any machine that installed a malicious package as potentially compromised.
