https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act

Defence mechanisms that npm introduced following the Shai-Hulud supply-chain attacks contain critical weaknesses that allow threat actors to bypass protections through Git dependencies, according to research from endpoint security company Koi. The vulnerabilities, collectively termed PackageGate, affect multiple JavaScript package managers, including pnpm, vlt, Bun, and npm itself. Koi researchers discovered that when npm installs a dependency from a Git repository, malicious configuration files such as a crafted ‘.npmrc’ can override the git binary path to achieve full code execution even when the security flag ‘--ignore-scripts’ is explicitly set to true. The researchers provided evidence that attackers have already published proof-of-concept exploits abusing this technique to create reverse shells, demonstrating that the vulnerability represents an active threat rather than a theoretical risk.
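A pre-install review check for the behaviour described above, as an added example that is not code from Koi, npm or the original article: it flags dependencies that resolve from Git and any ‘.npmrc’ line that sets the git command. It assumes the override the article mentions is npm's `git` config key; the function names and all sample inputs are constructed for illustration, and Git URLs written as plain https:// links are not covered.

```javascript
// Added example (not Koi's or npm's code). Sample inputs are constructed.
// Specifiers that make a package manager fetch the dependency from Git.
const GIT_SPEC = /^(git\+|git:\/\/|github:|gitlab:|bitbucket:|gist:)/i;
// Bare "owner/repo[#ref]" is GitHub shorthand; local paths start with . / ~
const GITHUB_SHORTHAND = /^[A-Za-z0-9][\w.-]*\/[\w.-]+(#.+)?$/;

// Return every dependency in a parsed package.json that comes from Git.
function findGitDependencies(manifest) {
  const fields = ['dependencies', 'devDependencies',
                  'optionalDependencies', 'peerDependencies'];
  const hits = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (GIT_SPEC.test(spec) || GITHUB_SHORTHAND.test(spec)) {
        hits.push({ field, name, spec });
      }
    }
  }
  return hits;
}

// Return every active (non-comment) line of an .npmrc that sets `git`
// (assumed here to be the key behind the git binary path override).
function findGitBinaryOverrides(npmrcText) {
  const hits = [];
  npmrcText.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) return;
    const eq = line.indexOf('=');
    if (eq === -1) return;
    const key = line.slice(0, eq).trim().toLowerCase();
    if (key === 'git') hits.push({ line: i + 1, value: line.slice(eq + 1).trim() });
  });
  return hits;
}

// Constructed sample inputs.
const SAMPLE_MANIFEST = {
  dependencies: {
    'left-pad': '^1.3.0',
    'internal-lib': 'git+https://example.invalid/org/internal-lib.git#v1.0.0',
    'local-tool': 'file:../local-tool',
  },
  devDependencies: { helper: 'exampleorg/helper#main' },
};
const SAMPLE_NPMRC = ['; constructed sample', 'registry=https://registry.npmjs.org/',
                      'git = /constructed/path/not-git', '# git=commented-out'].join('\n');

console.log(findGitDependencies(SAMPLE_MANIFEST), findGitBinaryOverrides(SAMPLE_NPMRC));
```

Run it over the manifest and any ‘.npmrc’ shipped inside a Git-sourced dependency before installing; a hit is a prompt for manual review, not proof of compromise.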

The original Shai-Hulud supply-chain attack compromised 187 packages in mid-September 2025 before returning in a larger 500-package wave that exposed 400,000 developer secrets across over 30,000 auto-generated GitHub repositories. Following these incidents and related attacks including “s1ngularity” and “GhostAction,” GitHub implemented additional security measures and recommended mitigations such as disabling lifecycle scripts during installation and enabling lockfile integrity with dependency pinning. However, Koi’s findings reveal these protections can be circumvented through separate mechanisms in different package managers, with pnpm and vlt also vulnerable to lockfile integrity bypasses alongside script execution flaws.

Bun patched the vulnerabilities in version 1.3.5, vlt issued fixes within days of disclosure, and pnpm released patches for two flaws tracked as CVE-2025-69263 and CVE-2025-69264. Although Koi submitted its findings through npm’s HackerOne bug bounty program, whose scope explicitly covers script execution bypass issues, npm rejected the report, claiming that users bear responsibility for vetting package content and that the behavior works as expected. GitHub later said that it is working to address the issue through active registry malware scanning and encouraged projects to adopt trusted publishing with granular access tokens and enforced two-factor authentication, emphasising that securing the npm ecosystem requires collective effort across the software supply chain.