diff --git a/README.md b/README.md
index 9ebab49eb..c6aafda82 100644
--- a/README.md
+++ b/README.md
@@ -57,9 +57,11 @@ For license history, see [LICENSING.md](LICENSING.md).
 2. **Install dependencies**
 ```bash
- npm i
+ npm run inst
 ```
+ Do NOT use `npm install` nor `npm i` but instead use our `npm run inst`. It runs the safer `npm ci --ignore-scripts` to install dependencies exactly according to the versions in `package-lock.json` and doesn't run scripts. This can prevent being hit by a supply chain attack.
+
 ## 🎮 Running the Game
 ### Development Mode
diff --git a/package.json b/package.json
index 9e93c8b16..a77ec1133 100644
--- a/package.json
+++ b/package.json
@@ -18,7 +18,8 @@
 "lint": "eslint",
 "lint:fix": "eslint --fix",
 "prepare": "husky",
- "gen-maps": "cd map-generator && go run . && npm run format"
+ "gen-maps": "cd map-generator && go run . && npm run format",
+ "inst": "npm ci --ignore-scripts"
 },
 "lint-staged": {
 "**/*": [
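Review bot: `npm ci --ignore-scripts` in the new `inst` script also suppresses this project's own `prepare` lifecycle script (`"prepare": "husky"`, three lines above in the same hunk), so a fresh clone installed with `npm run inst` will not have the husky git hooks that the `lint-staged` block below appears to depend on. Consider `"inst": "npm ci --ignore-scripts && npm run prepare"` so the repository's own, reviewed hook setup still runs, or state in the README hunk that `npm run prepare` must be run once after installing. Any dependency that genuinely needs an install-time build step would likewise be left unbuilt; whether this project has such dependencies is not visible here. The README wording could also make clear that `--ignore-scripts` only blocks install-time lifecycle scripts and does not stop a compromised package from running code when it is required at runtime, so the pinned `package-lock.json` and review of lockfile changes remain the primary control.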