Key Findings

Security firm Koi discovered a set of vulnerabilities, collectively tracked as "PackageGate", affecting major JavaScript package managers such as NPM, PNPM, VLT, and Bun. These flaws could let attackers bypass supply chain protections and run malicious code hidden inside compromised dependencies. The safeguards widely promoted after the Shai-Hulud attack, such as disabling lifecycle scripts and relying on lockfiles, do not fully hold against these new "PackageGate" vu
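The two safeguards named above (disabling lifecycle scripts and relying on lockfiles) are only useful if they are actually in force, so a defender's first step is to confirm that. The following audit script is an added example, not code from Koi or from any of the package managers mentioned, and it does not detect the PackageGate flaws themselves. It reads a constructed `package-lock.json` (lockfile version 3 layout, with npm's real `integrity` and `hasInstallScript` fields) and a constructed `.npmrc`, then reports dependencies that carry no integrity hash, dependencies that declare install-time scripts, and whether `ignore-scripts` is enabled. The package names, registry URL and hash value are placeholders.

```python
import json
import re

# Constructed sample lockfile (npm lockfileVersion 3 shape). Package names,
# the registry host and the integrity value are placeholders, not real data.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"left-pad-ish": "^1.0.0", "colorize-ish": "^2.0.0"}},
        "node_modules/left-pad-ish": {
            "version": "1.0.0",
            "resolved": "https://registry.example.invalid/left-pad-ish/-/left-pad-ish-1.0.0.tgz",
            "integrity": "sha512-PLACEHOLDERHASHVALUE",
        },
        "node_modules/colorize-ish": {
            "version": "2.0.0",
            "resolved": "https://registry.example.invalid/colorize-ish/-/colorize-ish-2.0.0.tgz",
            # No "integrity" entry: npm cannot verify the tarball bytes on install.
            # npm marks packages with preinstall/install/postinstall scripts this way.
            "hasInstallScript": True,
        },
    },
})

# Constructed .npmrc: lifecycle scripts are still allowed here.
SAMPLE_NPMRC = "registry=https://registry.example.invalid/\nignore-scripts=false\n"


def _dependency_entries(lock_text):
    """Yield (path, entry) for every non-root package in a v2/v3 lockfile."""
    lock = json.loads(lock_text)
    for path, entry in lock.get("packages", {}).items():
        if path == "":          # the root project itself, not a dependency
            continue
        yield path, entry


def find_unpinned_packages(lock_text):
    """Paths of dependencies whose lockfile entry has no integrity hash."""
    return sorted(path for path, entry in _dependency_entries(lock_text)
                  if not entry.get("integrity"))


def find_install_script_packages(lock_text):
    """Paths of dependencies that npm flagged as having install-time scripts."""
    return sorted(path for path, entry in _dependency_entries(lock_text)
                  if entry.get("hasInstallScript") is True)


def ignore_scripts_enabled(npmrc_text):
    """True if the .npmrc sets ignore-scripts=true (comments and blanks skipped)."""
    for line in npmrc_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if m and m.group(1) == "ignore-scripts":
            return m.group(2).strip().lower() == "true"
    return False   # npm's default: lifecycle scripts run


def audit(lock_text, npmrc_text):
    """Summarise the state of both safeguards for a project."""
    return {
        "unpinned": find_unpinned_packages(lock_text),
        "install_scripts": find_install_script_packages(lock_text),
        "lifecycle_scripts_blocked": ignore_scripts_enabled(npmrc_text),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOCK, SAMPLE_NPMRC).items():
        print(f"{key}: {value}")
```

To run it against a real project, replace the two constructed strings with the contents of its `package-lock.json` and `.npmrc`. A clean result means the baseline safeguards are configured, nothing more; as the findings above state, these controls do not fully hold against PackageGate, so the output should feed an upgrade or review decision rather than be read as an all-clear.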