---
title: GuardDog package dependency executes custom lifecycle script
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > GuardDog package dependency executes
  custom lifecycle script
---

# GuardDog package dependency executes custom lifecycle script
Classification:attackTactic:[TA0001-initial-access](https://attack.mitre.org/tactics/TA0001)Technique:[T1195-supply-chain-compromise](https://attack.mitre.org/techniques/T1195) 
## Goal{% #goal %}

This rule detects [GuardDog](https://github.com/DataDog/guarddog) findings that indicate package dependencies using custom scripts that run automatically during the dependency lifecycle, most commonly at installation time.

## Strategy{% #strategy %}

This rule monitors GuardDog logs for findings associated with the following behaviors:

- Use of custom npm `preinstall`, `install`, and `postinstall` scripts.
- Use of custom PyPI Setuptools install hooks.
- Use of custom Rubygems install hooks.

Custom lifecycle scripts are a common mechanism by which malicious open source packages achieve initial code execution on victim systems. While these behaviors are not inherently malicious, dependencies that use custom lifecycle scripts warrant additional scrutiny.

## Triage and response{% #triage-and-response %}

- Review the GuardDog finding in the scan logs and inspect the source code of the custom lifecycle script.
- If the dependency is found to be malicious:
  - Immediately remove all instances from your system.
  - Rotate any affected credentials and perform an assessment of potential spread.
  - Consider reporting the malicious dependency to the package registry where it is hosted.