diff --git a/pkg/npm/npm.go b/pkg/npm/npm.go
index 1a4e73df7..8a729e69e 100644
--- a/pkg/npm/npm.go
+++ b/pkg/npm/npm.go
@@ -356,9 +356,8 @@ func (exec *Execute) checkIfLockFilesExist() (bool, bool, error) {
 // CreateBOM generates BOM file using CycloneDX from all package.json files
 func (exec *Execute) CreateBOM(packageJSONFiles []string) error {
 execRunner := exec.Utils.GetExecRunner()
- // Install CycloneDX Node.js module via npx without saving in package.json / polluting globals
- // See https://github.com/CycloneDX/cyclonedx-node-npm#installation
- err := execRunner.RunExecutable("npx", "--package", cycloneDxPackageVersion, "--call", "exit")
+ // Install CycloneDX Node.js module locally without saving in package.json
+ err := execRunner.RunExecutable("npm", "install", cycloneDxPackageVersion, "--no-save")
 if err != nil {
 return fmt.Errorf("failed to install CycloneDX package: %w", err)
 }
diff --git a/pkg/npm/npm_test.go b/pkg/npm/npm_test.go
index f1b42a0f8..4decdcf2a 100644
--- a/pkg/npm/npm_test.go
+++ b/pkg/npm/npm_test.go
@@ -360,7 +360,7 @@ func TestNpm(t *testing.T) {
 if assert.NoError(t, err) {
 if assert.Equal(t, 3, len(utils.execRunner.Calls)) {
- assert.Equal(t, mock.ExecCall{Exec: "npx", Params: []string{"--package", "@cyclonedx/cyclonedx-npm@1.11.0", "--call", "exit"}}, utils.execRunner.Calls[0])
+ assert.Equal(t, mock.ExecCall{Exec: "npm", Params: []string{"install", "@cyclonedx/cyclonedx-npm@1.11.0", "--no-save"}}, utils.execRunner.Calls[0])
 assert.Equal(t, mock.ExecCall{Exec: "npx", Params: []string{"@cyclonedx/cyclonedx-npm@1.11.0", "--output-format", "XML", "--spec-version",
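Review bot: The new `npm install … --no-save` call in CreateBOM puts @cyclonedx/cyclonedx-npm and its transitive dependencies into the project's own node_modules, which is the tree the subsequent BOM generation inspects, so unless the tool is confirmed to filter itself out the generated BOM may now list the tooling as project components — something the previous npx-based install avoided by keeping it in the npx cache. The install also runs the tool's lifecycle scripts inside the project directory; the version is pinned via cycloneDxPackageVersion but there is no integrity pin, so `--ignore-scripts` is worth considering if the tool does not need install hooks (to be confirmed against the package). The replacement comment should state the trade-off rather than just the mechanism, e.g. `// Install CycloneDX into the project's node_modules (not saved to package.json); note this changes the dependency tree the BOM is generated from`. CreateBOM's body continues past the end of the hunk.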