An install-time hook is code that runs automatically while a package is being installed, before the application is launched. In package ecosystems, this can be a lifecycle script or installer action that executes as part of dependency setup. Because it runs during installation, the hook may execute with the permissions and environment of the developer machine, build server, or CI job.
This matters in cyber security because install-time hooks can turn a routine dependency update into code execution. Attackers abuse them to steal tokens, alter build artifacts, drop additional payloads, or collect environment secrets before defenders notice. Security teams reduce this risk by reviewing package metadata for lifecycle scripts before a dependency is adopted, restricting or disabling install scripts for both trusted and untrusted dependencies, pinning versions, and isolating builds so that installation runs with minimal access to credentials. In defense, the key question is not only whether a package is safe to import, but whether it is safe to install at all.
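As an added example (not part of the original text), a small Python review helper that pulls the install-phase lifecycle scripts out of an npm package.json and flags commands that reach the network, evaluate inline code, decode encoded payloads, or touch environment secrets. The set of hook names and the indicator patterns are assumptions chosen for illustration, and the manifest is constructed, not a real package.

```python
import json
import re

# npm lifecycle scripts that run during `npm install` (set assumed for this example)
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicator patterns (assumed for illustration); a match is a review trigger,
# not proof of malicious intent.
SUSPICIOUS = {
    "network": re.compile(r"\b(curl|wget)\b|require\(['\"]https?['\"]\)|fetch\("),
    "eval": re.compile(r"node\s+-e\b|\beval\(|new Function\("),
    "encoding": re.compile(r"base64|atob\("),
    "env": re.compile(r"process\.env|\$\{?[A-Z_]*(TOKEN|SECRET|KEY)\b|~/\.npmrc|~/\.ssh"),
}


def install_hooks(package_json: str) -> dict:
    """Return the install-time lifecycle scripts declared in a package.json string."""
    manifest = json.loads(package_json)
    scripts = manifest.get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def review(package_json: str) -> list:
    """Attach the matching indicator categories to every install hook found."""
    findings = []
    for name, cmd in install_hooks(package_json).items():
        reasons = [label for label, pat in SUSPICIOUS.items() if pat.search(cmd)]
        findings.append({"hook": name, "command": cmd, "reasons": reasons})
    return findings


# Constructed sample manifest; example.invalid is a reserved, non-routable name.
SAMPLE = r"""{
  "name": "example-widget",
  "version": "1.2.3",
  "scripts": {
    "test": "jest",
    "postinstall": "node -e \"require('https').get('https://example.invalid/x')\"",
    "prepare": "node build.js"
  }
}"""

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Running the same check in CI against every manifest in node_modules gives reviewers a short list of hooks to read before the package is trusted to install.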



