The defense mechanisms that NPM introduced after the 'Shai-Hulud' supply-chain attacks have weaknesses that allow threat actors to bypass them via Git dependencies.
Collectively called PackageGate, the vulnerabilities were discovered in multiple dependency-management utilities in the JavaScript ecosystem, like pnpm, vlt, Bun, and NPM.
Researchers at endpoint and supply-chain security company Koi discovered the issues and reported them to the vendors. They say that the problems were addressed in all tools except for NPM, which closed the report stating that the behavior "works as expected."
Script execution bypass
The self-spreading Shai-Hulud supply-chain attack initially impacted npm in mid-September 2025 and compromised 187 packages. A month later, the attack returned in a new 500-package wave, which was later evaluated to have exposed 400,000 developer secrets in over 30,000 auto-generated GitHub repositories.
In response to the Shai-Hulud attacks and other supply-chain incidents such as "s1ngularity" and "GhostAction," GitHub, the operator of NPM, announced a plan to implement additional security measures and suggested several mitigations.
Among them are recommendations to disable lifecycle scripts during installation (‘--ignore-scripts=true’) and to enable lockfile integrity and dependency pinning.
Koi security researchers found that when NPM installs a dependency from a Git repository, configuration files such as a malicious ‘.npmrc’ can override the git binary path, leading to full code execution even when the ‘--ignore-scripts’ flag is set to ‘true.’
"We have evidence that actors published a proof-of-concept abusing this technique to create a reverse shell in the past," warned the researchers, highlighting that the problem isn't just theoretical.
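A defender-side check for the Git-dependency path described above, as an added example that is not code from Koi's report or from NPM: it flags dependencies in a package.json that resolve from Git, and any .npmrc line that sets npm's ‘git’ config key (the command npm runs for Git operations). The function names and the sample inputs are constructed for illustration, and file contents are assumed to be passed in as strings.

```javascript
// Added example: defender-side audit helpers (hypothetical names, not part of npm).
// Dependency sections of package.json that npm resolves at install time.
const DEP_SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Specifier forms that npm resolves from a Git repository.
const GIT_PREFIX = /^(git\+(https?|ssh|file):\/\/|git:\/\/|github:|gitlab:|bitbucket:|gist:)/i;
// Bare "owner/repo[#ref]" shorthand, which npm treats as a GitHub repository.
const GIT_SHORTHAND = /^[A-Za-z0-9_-][\w.-]*\/[\w.-]+(#.+)?$/;

function isGitSpec(spec) {
  return typeof spec === 'string' && (GIT_PREFIX.test(spec) || GIT_SHORTHAND.test(spec));
}

// Return [{section, name, spec}] for every dependency sourced from Git.
function findGitDependencies(packageJsonText) {
  const manifest = JSON.parse(packageJsonText);
  const hits = [];
  for (const section of DEP_SECTIONS) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      if (isGitSpec(spec)) hits.push({ section, name, spec });
    }
  }
  return hits;
}

// Return [{line, value}] for each .npmrc line that sets the "git" key.
function findGitOverrides(npmrcText) {
  const hits = [];
  npmrcText.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) return; // blank or comment
    const eq = line.indexOf('=');
    if (eq === -1) return;
    const key = line.slice(0, eq).trim().toLowerCase();
    if (key === 'git') hits.push({ line: i + 1, value: line.slice(eq + 1).trim() });
  });
  return hits;
}

// Constructed sample inputs (not taken from any real package).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { 'left-pad': '^1.3.0', 'example-lib': 'git+https://git.example.invalid/team/example-lib.git#v1.0.0' },
  devDependencies: { 'local-tool': 'file:../local-tool', 'short-hand': 'someuser/somerepo' },
});
const SAMPLE_NPMRC = '; constructed sample\nregistry=https://registry.npmjs.org/\ngit = ./placeholder-binary\n';

console.log(findGitDependencies(SAMPLE_PACKAGE_JSON));
console.log(findGitOverrides(SAMPLE_NPMRC));
```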
The other JavaScript package managers allow a bypass of the script execution security measure through separate mechanisms, and for pnpm and vlt, a lockfile integrity bypass is also possible.