Protecting against compromised packages

· Tech

TLDR: In the AI sandbox, compromised packages can only see source code. In the dev stack container, use multi-stage Docker builds: install dependencies in a stage with no secrets, run the app in a stage with secrets. This prevents malicious postinstall scripts from stealing env vars. Runtime exploits (malicious code at require() time) remain the hardest problem.

AI sandbox: fully protected

A compromised npm postinstall script inside the AI sandbox can only access source code. No secrets, no SSH keys, no tokens. A supply chain attack is reduced from “entire workstation” to “a copy of code already in git.”

Same for poisoned MCP servers (even if one convinces Claude to cat ~/.ssh/id_rsa, that file does not exist in the sandbox), malicious Claude hooks (scripts on events like SessionStart that could exfiltrate data), and third-party extensions. As the AI plugin ecosystem grows, any code running inside the sandbox is contained by the same boundary. You do not need to audit every extension.

Dev stack container: the gap

Your API container gets secrets via infisical run -- docker compose up. When pnpm install runs inside that container, every postinstall script has access to those env vars. A compromised pnpm or malicious package can read STRIPE_SECRET_KEY.

The fix: multi-stage builds

Separate the install step (no secrets) from the runtime step (secrets present):

# Stage 1: Install dependencies (NO secrets)
FROM node:20-alpine AS deps
WORKDIR /app
COPY package.json pnpm-lock.yaml ./
RUN corepack enable && pnpm install --frozen-lockfile
# postinstall scripts run HERE with zero secrets


# Stage 2: Runtime (secrets arrive via env vars)
FROM node:20-alpine AS runtime
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .
CMD ["node", "dist/index.js"]

For development with hot-reload:

FROM node:20-alpine AS deps
WORKDIR /app
COPY package.json pnpm-lock.yaml ./
RUN corepack enable && pnpm install --frozen-lockfile


FROM node:20-alpine AS dev
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .
CMD ["pnpm", "dev"]
# Secrets injected at runtime, no install scripts run again

What this does not protect against

If a compromised package runs malicious code at require() time (not just during install), and that code runs inside a container with secrets, it can read them. No container setup prevents this.

Defenses: pnpm audit, --frozen-lockfile, minimal dependencies, and tools like Socket or Snyk.

Related posts