Supply chain, Vulnerability Management, DevOps

New PackageGate vulnerabilities circumvent Shai-Hulud defenses

(Credit: Araki Illustrations – stock.adobe.com)

Multiple JavaScript dependency management utilities, such as npm, vlt, Bun, and pnpm, have been impacted by the new PackageGate vulnerabilities, which could be leveraged to evade defense mechanisms adopted in the wake of the Shai-Hulud supply chain intrusions, BleepingComputer reports.

Installation of a Git dependency on npm allows malicious configuration files to void the git binary path, resulting in total code execution, according to an analysis from Koi Security researchers.

"We have evidence that actors published a proof-of-concept abusing this technique to create a reverse shell in the past," said researchers.

While Bun and pnpm have already addressed the flaws, npm turned down Koi Security's findings, stating that package content vetting is the responsibility of its users. GitHub, however, said that it is already moving to address the issue.

"The security of the npm ecosystem is a collective effort, and we strongly encourage projects to adopt trusted publishing and granular access tokens with enforced two-factor authentication to fortify the software supply chain," said a GitHub spokesperson.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds