Multiple JavaScript dependency management utilities, such as npm, vlt, Bun, and pnpm, have been impacted by the new PackageGate vulnerabilities, which could be leveraged to evade defense mechanisms adopted in the wake of the Shai-Hulud supply chain intrusions, BleepingComputer reports.Installation of a Git dependency on npm allows malicious configuration files to void the git binary path, resulting in total code execution, according to an analysis from Koi Security researchers."We have evidence that actors published a proof-of-concept abusing this technique to create a reverse shell in the past," said researchers.While Bun and pnpm have already addressed the flaws, npm turned down Koi Security's findings, stating that package content vetting is the responsibility of its users. GitHub, however, said that it is already moving to address the issue."The security of the npm ecosystem is a collective effort, and we strongly encourage projects to adopt trusted publishing and granular access tokens with enforced two-factor authentication to fortify the software supply chain," said a GitHub spokesperson.
Supply chain, Vulnerability Management, DevOps
New PackageGate vulnerabilities circumvent Shai-Hulud defenses

(Credit: Araki Illustrations – stock.adobe.com)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



