From 474b05fe1f6564b92dd161c0685d2239b66256b1 Mon Sep 17 00:00:00 2001
From: dbutts29 <darren.butts@rollbar.com>
Date: Fri, 12 Jun 2026 16:06:24 -0700
Subject: [PATCH] Add .npmrc ignore-scripts=true (Miasma install-hook
 mitigation)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Blocks dependency lifecycle scripts (preinstall/install/postinstall) from
auto-executing on npm install — the Miasma / Shai-Hulud install-hook vector.
Blunt fleet-wide mitigation; does not stop runtime import/require malware.

PLA-1595

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 .npmrc | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .npmrc

diff --git a/.npmrc b/.npmrc
new file mode 100644
index 0000000..97b895e
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1 @@
+ignore-scripts=true