PackageGate bugs let attackers bypass protections in NPM, PNPM, VLT, and Bun

Koi researchers found “PackageGate” flaws in NPM, PNPM, VLT, and Bun that let attackers perform supply chain attacks and run malicious code.

Security firm Koi uncovered a set of vulnerabilities collectively tracked as “PackageGate” affecting major JavaScript package managers like NPM, PNPM, VLT, and Bun. These flaws could let attackers bypass supply chain protections and run malicious code hidden inside compromised dependencies.

After the Shai-Hulud attack compromised hundreds of npm packages, the JavaScript ecosystem adopted a simple defense playbook: disable lifecycle scripts and rely on lockfiles. The idea was clear, if install scripts cannot run and dependencies stay pinned, supply chain attacks should fail.

Researchers tested the most popular package managers and found six zero-day flaws in npm, pnpm, vlt, and Bun that bypass both script blocking and lockfile integrity. pnpm, vlt, and Bun fixed the issues, but npm dismissed them as expected behavior.

The safeguards widely promoted after the largest npm supply chain incident do not fully hold. Organizations that trust --ignore-scripts and lockfiles as their main line of defense may still face hidden risk. These weaknesses, now called “PackageGate,” show that disabling scripts and pinning versions alone cannot guarantee safety in today’s JavaScript supply chain.

Researchers tested how package managers enforce script blocking and lockfile safety and found serious gaps. In npm, a malicious git dependency can ship a fake .npmrc that replaces the git binary with attacker code, leading to full remote code execution even with --ignore-scripts enabled.

“An attacker creates a git dependency containing a malicious .npmrc that points git=./malicious-script.sh, plus a nested git dependency. When npm processes that nested dependency, it runs the attacker’s script instead of git. Full RCE, even with --ignore-scripts enabled.” reads the report published by Koi. “We have evidence that actors published a proof-of-concept abusing this technique to create a reverse shell in the past.”

pnpm disables scripts by default, but it still runs prepare scripts during git fetches, so attacker code runs silently. vlt allows path traversal in tarballs, letting attackers overwrite files like the git binary and execute code later.

Bun trusts package names instead of sources, so attackers reuse trusted names to run scripts. Lockfiles also fail: pnpm and vlt accept remote tarballs without integrity hashes, letting attackers change code after review.

“An attacker who gets a package into your dependency tree (even several layers deep) can serve targeted payloads based on timing, IP address, or whatever other signals they want. Your lockfile provides no protection.” continues the report. “We’ve already seen this in the wild. PhantomRaven, a campaign we detected in October, used RDD to hide malicious code from every security scanner on npm, gaining over 86,000 downloads.”

The researchers reported PackageGate flaws to all major package managers. npm closed the report, claiming users must vet packages themselves, despite its bug bounty listing this issue as in scope. Repeated requests got no response. pnpm, vlt, and Bun quickly fixed the bugs within weeks. With npm refusing to act, the team chose public disclosure so users could assess the risk. They recommend committing lockfiles, disabling scripts, keeping tools updated, and considering safer alternatives like pnpm or vlt.

“The standard advice, disable scripts and commit your lockfiles, is still worth following. But it’s not the complete picture. Until PackageGate is fully addressed, organizations need to make their own informed choices about risk.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, PackageGate)