Hackers can bypass npm’s Shai-Hulud defenses via Git dependencies

January 26, 2026, 09:02 AM

The defense mechanisms that NPM introduced after the ‘Shai-Hulud’ supply-chain attacks have weaknesses that allow threat actors to bypass them via Git dependencies.

Collectively called PackageGate, the vulnerabilities were found in several JavaScript package managers: pnpm, vlt, Bun, and npm.

Researchers at endpoint and supply-chain security company Koi discovered the issues and reported them to the vendors. They say the problems were addressed in all of the tools except npm, which closed the report stating that the behavior “works as expected.”

Script execution bypass

The self-spreading Shai-Hulud supply-chain attack first hit npm in mid-September 2025 and compromised 187 packages. A month later, the attack returned in a new 500-package wave, which was later estimated to have exposed 400,000 developer secrets in over 30,000 auto-generated GitHub repositories.

In response to the Shai-Hulud attacks and other supply-chain incidents such as “s1ngularity” and “GhostAction,” GitHub, the operator of NPM, announced a plan to implement additional security measures and suggested several mitigations.

Among them are recommendations to disable lifecycle scripts during installation (`--ignore-scripts=true`) and to enable lockfile integrity checks and dependency pinning.

Koi’s researchers found that when npm installs a dependency from a Git repository, configuration files such as a malicious `.npmrc` can override the path to the git binary, leading to full code execution even when `--ignore-scripts` is set to `true`.

“We have evidence that actors published a proof-of-concept abusing this technique to create a reverse shell in the past,” warned the researchers, highlighting that the problem isn’t just theoretical.

In the other JavaScript package managers, the script-execution control is bypassed through separate mechanisms; for pnpm and vlt, a lockfile-integrity bypass is also possible.

Bun patched the flaws impacting it in version 1.3.5, vlt patched within days after Koi reached out, and pnpm released fixes for two flaws tracked under CVE-2025-69263 and CVE-2025-69264.

NPM’s response

Koi submitted its findings as a vulnerability report to npm’s HackerOne program, whose bug bounty scope explicitly covers script execution with `--ignore-scripts`.

Despite that, npm rejected the report on the grounds that users are responsible for vetting the content of packages they install, and did not respond to multiple follow-up efforts made by the researchers.

BleepingComputer contacted GitHub for a statement on the matter, and a spokesperson said the company is working to address the issue and that npm actively scans the registry for malware.

“The security of the npm ecosystem is a collective effort, and we strongly encourage projects to adopt trusted publishing and granular access tokens with enforced two-factor authentication to fortify the software supply chain,” the GitHub spokesperson told BleepingComputer.


Source: www.bleepingcomputer.com