Vulnerabilities in PackageGate Allow Bypassing Protections in NPM, PNPM, VLT, and Bun
- Jan 28
Key Findings
Security firm Koi discovered a set of vulnerabilities collectively tracked as "PackageGate" affecting major JavaScript package managers like NPM, PNPM, VLT, and Bun.
These flaws could let attackers bypass supply chain protections and run malicious code hidden inside compromised dependencies.
The safeguards widely promoted after the Shai-Hulud attack, such as disabling lifecycle scripts and relying on lockfiles, do not fully hold against these new "PackageGate" vulnerabilities.
Background
After the Shai-Hulud attack compromised hundreds of npm packages, the JavaScript ecosystem adopted a simple defense playbook: disable lifecycle scripts and rely on lockfiles.
The idea was that if install scripts cannot run and dependencies stay pinned, supply chain attacks should fail.
Bypassing Script Blocking and Lockfile Integrity
Researchers tested the most popular package managers and found six zero-day flaws in npm, pnpm, vlt, and Bun that bypass both script blocking and lockfile integrity.
In npm, a malicious git dependency can ship a fake .npmrc that replaces the git binary with attacker code, leading to full remote code execution even with --ignore-scripts enabled.
pnpm disables scripts by default, but it still runs prepare scripts during git fetches, allowing attacker code to run silently.
vlt allows path traversal in tarballs, letting attackers overwrite files like the git binary and execute code later.
Bun trusts package names instead of sources, so attackers can reuse trusted names to run scripts.
Lockfiles also fail, as pnpm and vlt accept remote tarballs without integrity hashes, letting attackers change code after review.
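The lockfile weakness above (remote tarballs accepted without integrity hashes) and the git-dependency and dependency-shipped `.npmrc` issues are all things a defender can look for before running an install. The following auditor is an added example, not code from the article, from Koi, or from any package manager; it assumes the `lockfileVersion` 2/3 layout of `package-lock.json` (a top-level `packages` map keyed by `node_modules/...` path, each entry optionally carrying `resolved` and `integrity`), and the sample lockfile and directory tree it checks are constructed for the demonstration.

```python
"""Audit an npm package-lock.json for dependencies the lockfile cannot actually
pin, and scan an installed node_modules tree for dependency-shipped .npmrc files.

Added example (not code from the page, Koi, or any package manager). Assumes the
lockfileVersion 2/3 layout: "packages" keyed by node_modules path, with optional
"resolved" and "integrity" fields per entry.
"""
import json
import os
import tempfile
from urllib.parse import urlparse

# Constructed sample lockfile; package names, URLs and hash are placeholders.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"left-pad-ok": "^1.0.0"}},
        "node_modules/left-pad-ok": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/left-pad-ok/-/left-pad-ok-1.0.0.tgz",
            "integrity": "sha512-AAAA...",  # placeholder, truncated
        },
        "node_modules/remote-tarball-dep": {
            "version": "2.3.1",
            "resolved": "https://example.invalid/builds/remote-tarball-dep-2.3.1.tgz",
            # no "integrity": the lockfile records the URL but not the content
        },
        "node_modules/git-dep": {
            "version": "0.1.0",
            "resolved": "git+ssh://git@example.invalid/org/git-dep.git#0123456789abcdef0123456789abcdef01234567",
        },
    },
})


def find_unpinned_packages(lock_text):
    """Return [(path, reason)] for entries whose content is not pinned by an
    integrity hash: git dependencies (fetched and possibly built at install
    time) and remote tarballs that carry no 'integrity' field."""
    lock = json.loads(lock_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":  # the root project itself, not a dependency
            continue
        resolved = entry.get("resolved", "")
        scheme = urlparse(resolved).scheme
        if scheme.startswith("git"):
            findings.append((path, "git-dependency"))
        elif resolved and "integrity" not in entry:
            findings.append((path, "missing-integrity"))
    return findings


def find_dependency_npmrc(node_modules_dir):
    """Return relative paths of .npmrc files shipped inside installed
    dependencies. Published packages rarely need one, so each hit is worth
    reviewing before the tree is trusted. Paths use '/' for portability."""
    hits = []
    for root, _dirs, files in os.walk(node_modules_dir):
        if ".npmrc" in files:
            rel = os.path.relpath(os.path.join(root, ".npmrc"), node_modules_dir)
            hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_demo_node_modules():
    """Create a constructed node_modules tree: one clean package and one that
    ships a .npmrc. Returns the temporary directory path."""
    base = tempfile.mkdtemp(prefix="nm-demo-")
    os.makedirs(os.path.join(base, "good-dep"))
    os.makedirs(os.path.join(base, "odd-dep"))
    with open(os.path.join(base, "good-dep", "index.js"), "w") as fh:
        fh.write("module.exports = 1;\n")
    open(os.path.join(base, "odd-dep", ".npmrc"), "w").close()
    return base


if __name__ == "__main__":
    for path, reason in find_unpinned_packages(SAMPLE_LOCK):
        print(f"{reason:18} {path}")
    for hit in find_dependency_npmrc(build_demo_node_modules()):
        print(f"dependency .npmrc  {hit}")
```

Run it against a real project by passing the contents of its `package-lock.json` to `find_unpinned_packages` and its `node_modules` directory to `find_dependency_npmrc`; a clean tree yields empty lists. Treating any `git-dependency` or `missing-integrity` finding as a review gate is a cheap way to make the "commit your lockfile" advice actually enforce something.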
Vendor Response
The researchers reported PackageGate flaws to all major package managers.
npm closed the report, claiming users must vet packages themselves, despite its bug bounty listing this issue as in scope.
pnpm, vlt, and Bun quickly fixed the bugs within weeks.
With npm refusing to act, the team chose public disclosure so users could assess the risk.
Recommendations
The researchers recommend committing lockfiles, disabling scripts, keeping tools updated, and considering safer alternatives like pnpm or vlt.
They also state that the standard advice ("disable scripts and commit your lockfiles") is still worth following, but that it is not the complete picture. Until PackageGate is fully addressed, organizations need to make their own informed choices about risk.
Sources
https://securityaffairs.com/187416/hacking/packagegate-bugs-let-attackers-bypass-protections-in-npm-pnpm-vlt-and-bun.html
https://x.com/securityaffairs/status/2016432368337268856
https://x.com/shah_sheikh/status/2016440258100158876