‘PackageGate’ Flaws Open JavaScript Ecosystem to Supply Chain Attacks

Koi disclosed six “PackageGate” vulnerabilities in NPM, PNPM, VLT, and Bun that can bypass supply-chain protections and enable remote code execution via malicious dependencies. PNPM, VLT, and Bun have issued fixes, while NPM/GitHub considers some of the reported behavior intentional, even as Koi warns that threat actors are discussing PoC abuse of malicious .npmrc files. #PackageGate #NPM

Keypoints

  • Koi found six vulnerabilities across NPM, PNPM, VLT, and Bun that can bypass install-time protections and lead to remote code execution.
  • Exploitation methods vary: malicious .npmrc in Git deps for NPM, Git dependency script processing in PNPM, tarball path traversal in VLT, and source spoofing in Bun.
  • PNPM and VLT recorded only tarball URLs (not integrity hashes) in their lockfiles, so a tarball could be modified after the initial checks and serve a malicious payload on reinstall.
  • PNPM, VLT, and Bun patched the issues quickly; PNPM fixes are tracked as CVE-2025-69263 and CVE-2025-69264.
  • GitHub/NPM emphasize that installing Git dependencies means trusting the repository's contents and recommend stronger publishing practices, while Koi warns that attackers are actively discussing PoC abuse.

Read More: https://www.securityweek.com/packagegate-flaws-open-javascript-ecosystem-to-supply-chain-attacks/