diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 8f68bae..f02585e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -44,6 +44,25 @@ jobs:
 packagist_github_token: ${{ secrets.PACKAGIST_GITHUB_TOKEN }}
 yoast_license_token: ${{ secrets.YOAST_LICENSE_TOKEN }}
+ - name: Install Socket Firewall
+ # Free edition — no token required. Installs `sfw` on PATH for this job.
+ # Placed here rather than in the setup composite because PATH additions
+ # made by Node actions inside composite actions do not reliably
+ # propagate to subsequent workflow-level steps.
+ uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
+ with:
+ mode: firewall-free
+ - name: Install npm packages through Socket Firewall
+ # Pre-install via `sfw` so Socket can block known-malicious packages
+ # before they hit disk. The subsequent `npm install` invoked by the
+ # composer build script becomes a no-op against this populated cache,
+ # except for any net-new packages it pulls — those are the residual
+ # gap. Per-project composer scripts can close the gap by switching
+ # their own `npm install` to `sfw npm install`.
+ if: hashFiles('package-lock.json') != ''
+ run: sfw npm ci --ignore-scripts
 - name: Install development packages
 run: composer install:development
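Review bot: The `if: hashFiles('package-lock.json') != ''` guard on the "Install npm packages through Socket Firewall" step fails open: when the lockfile is absent (or lives outside the repo root, which is all `hashFiles` with that relative pattern checks) the step is silently skipped and the `npm install` run by `composer install:development` proceeds with no Socket screening at all, which the step comment does not mention. Worth recording that next to the guard, e.g. `# No lockfile → this step is skipped and the composer-invoked npm install below runs unscreened.`, or replacing the skip with a step that fails when a `package.json` exists without a lockfile. Separately, `--ignore-scripts` on `sfw npm ci` may mean per-package lifecycle scripts never run in this job if the later `npm install` treats the already-populated `node_modules` as in sync and does not re-trigger them; this is inferred from npm's behaviour rather than visible here, so confirm whether any dependency relies on a postinstall build before keeping the flag, and document the trade-off either way. The comment's "this populated cache" also reads loosely — `npm ci` populates `node_modules`, not only the npm cache, so `against this populated node_modules tree` would be more precise.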