A lifecycle script is code that a package manager runs automatically at key points in a package's life, such as install, build, test, or publish. In ecosystems such as npm, the package author defines these hooks in the package manifest and the package manager executes them on the machine that installs the package, so a dependency is part of the software execution path rather than a passive download.
Lifecycle scripts matter because they can be abused for supply-chain attacks. A malicious package can use an install or build script to steal secrets, modify files, drop additional payloads, or tamper with release workflows. Defenders should treat script execution as a privilege boundary: restrict which scripts are allowed to run, review dependencies before installation, and isolate CI jobs and build runners so that untrusted package code cannot reach credentials or production systems.