Six zero-day bugs were discovered across four major JavaScript package managers that bypass script execution and lockfile integrity, tools security pros use to protect software code from running malicious scripts automatically.The discovery left security experts concerned that the industry faces an even more destructive supply chain attack than Shai-Hulud late last year, when more than 25,000 repos and hundreds of packages were affected. Dubbed “PackageGate” in a Jan. 26 Koi blog, the researchers said the new bypass bugs were found in npm, pnpm, vlt, and Bun.According to the Koi blog, pnpm, vlt and Bun all patched the affected flaws. However, npm — now a part of Microsoft — told the researchers that npm “works as expected.”“So here's where we are,” wrote Oren Yomtov, a security researcher at Koi. “The defenses everyone adopted after the worst npm supply chain attack in history (Shai-Hulud) have major gaps, and the biggest package manager in the ecosystem has decided those gaps aren't worth closing.”Jason Soroko, senior fellow at Sectigo, said PackageGate matters because it shifts the supply chain risk conversation from "only bad packages" to "the package managers themselves can be the bypass."Soroko said Koi's point is that two widely adopted guardrails to prevent malicious code from running automatically — disabling lifecycle scripts and relying on lockfiles with integrity hashes — were designed to stop surprise code execution and guarantee repeatable installs.“If those guardrails can be sidestepped through Git dependency handling, tar extraction, or incomplete integrity coverage for URL based tarballs, attackers could regain install-time code execution and spread at scale even in hardened environments, with risk depending on dependency patterns and whether organizations are on fixed versions,” said Soroko. “The concern is that PackageGate could enable an even worse supply chain event than Shai-Hulud because it’s not just ‘malicious packages’ but potential bypasses in the package managers and install defenses many teams adopted afterward.”Venky Raju, Field CTO at ColorTokens, explained that the central issue is the trust placed in the package maintainer’s ability to protect their publishing credentials. If attackers can access the maintainer’s system via social engineering or other techniques, Raju said they can access their publishing credentials and post a malicious version of the JavaScript package.Raju pointed out that the second issue is the trust in the execution of the package’s install scripts. While these npm lifecycle scripts are essential features, Raju said software supply chain malware has shown that they can and will be abused. Finally, Raju said there’s concern over the ability of the malicious scripts to connect to the attacker’s command-and-control (C2) servers, or harvest additional publishing credentials on a compromised developer’s system and replicate itself on to additional npm packages.“This once again highlights the need for a defense-in-depth strategy even for software supply-chain attacks,” said Raju.”Strong developer controls such as rotating tokens and protecting credentials address the root of the problem, but there’s always the possibility of a single miss that can lead to compromise.”Sectigo’s Soroko, added that the various bypasses vary by tool. Here’s how Sorko breaks it down:
- npm: The weak link is Git dependencies, where a malicious repo can influence npm's behavior through a planted .npmrc, ultimately steering execution toward attacker-supplied commands.
- pnpm: "scripts disabled by default" did not cover the separate Git dependency fetch path, so scripts can still run there, and both pnpm and vlt also had a lockfile gap where some tarball dependencies were recorded by URL without an integrity hash, enabling a "swap the tarball later" attack.
- vlt: Koi describes a tar extraction path traversal that attackers can abuse for arbitrary file writes.
- Bun: The trust allow list keyed off package names rather than the source, making spoofing practical.
