

‘PackageGate’ Flaws Open JavaScript Ecosystem to Supply Chain Attacks

The protections against NPM supply chain attacks could be bypassed, leading to arbitrary code execution.


Half a dozen vulnerabilities in the JavaScript ecosystem’s leading package managers — including NPM, PNPM, VLT, and Bun — could be exploited to bypass supply chain attack protections, according to security firm Koi.

Collectively referred to as PackageGate, the security defects could lead to the execution of malicious code hidden within attacker-controlled dependencies.

Following high-profile NPM supply chain attacks such as Shai-Hulud and PhantomRaven, organizations and developers alike broadly adopted two defense mechanisms to prevent the automatic execution of code during package installation and to ensure the integrity of packages.

The first mechanism, Koi explains, is a flag (npm's `ignore-scripts=true` in .npmrc, or `--ignore-scripts` on the command line) that tells the package manager not to run a package's preinstall, install, and postinstall lifecycle scripts when installing it.

The second is the lockfile: it records the resolved version of every package in the dependency tree together with an integrity hash of its tarball, and on subsequent installs every downloaded package is checked against the recorded hash so that a tarball that changes after the fact is rejected.

According to Koi, the six PackageGate vulnerabilities impacting the four package managers could bypass these protections, leading to full remote code execution (RCE). For each manager, however, the technique differs.

In NPM, a Git dependency with a malicious .npmrc file could be used for RCE. In PNPM, the protection that disabled scripts by default only applied to the build phase, but not to Git dependency processing.

In VLT, a path traversal in the tarball extraction operation could lead to arbitrary file writes on the system. In Bun, the script execution allow list was applied to package names but not to their sources, so an attacker could supply a package under an allowed name from a different source and achieve RCE.

Furthermore, Koi discovered that PNPM and VLT only stored the URL for tarball dependencies, but not their integrity hashes. Thus, a tarball that passed security checks during initial installation could be modified to serve malicious code on subsequent installs.

“An attacker who gets a package into your dependency tree (even several layers deep) can serve targeted payloads based on timing, IP address, or whatever other signals they want,” Koi notes.

The security firm reported the vulnerabilities to all four package managers. PNPM, VLT, and Bun resolved them within weeks. The PNPM bugs are tracked as CVE-2025-69263 and CVE-2025-69264.

According to Koi, NPM closed Koi's report as ‘informative’, stating that the supposedly vulnerable behavior works as intended. Koi maintains that the risk is real, and says threat actors have been observed discussing proof-of-concept (PoC) code that abuses malicious .npmrc files.

Responding to a SecurityWeek inquiry, NPM parent company GitHub pointed out that the installation of dependencies for packages installed via Git is intended design and that users are trusting the entire contents of the repository when installing a Git dependency.

“We are actively working to address the new issue reported as NPM actively scans for malware in the registry. The security of the NPM ecosystem is a collective effort, and we strongly encourage projects to adopt trusted publishing and granular access tokens with enforced two-factor authentication to fortify the software supply chain. GitHub continues to invest in strengthening NPM’s security, recently implementing changes to authentication and token management,” GitHub said.

*Updated with statement from GitHub.

Related: GitHub Boosting Security in Response to NPM Supply Chain Attacks

Related: Shai-Hulud Supply Chain Attack Led to $8.5 Million Trust Wallet Heist

Related: Infostealer Malware Delivered in EmEditor Supply Chain Attack

Related: Supply Chain Attack Targets VS Code Extensions With ‘GlassWorm’ Malware
