{"id":15548,"date":"2026-01-27T01:51:47","date_gmt":"2026-01-27T01:51:47","guid":{"rendered":"https:\/\/newestek.com\/?p=15548"},"modified":"2026-01-27T01:51:47","modified_gmt":"2026-01-27T01:51:47","slug":"unplugged-holes-in-the-npm-and-yarn-package-managers-could-let-attackers-bypass-defenses-against-shai-hulud","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15548","title":{"rendered":"Unplugged holes in the npm and yarn package managers could let attackers bypass defenses against Shai-Hulud"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Javascript developers should consider moving away from the npm and yarn platforms for distributing their work because newly-found holes allow threat actors to run malicious worm attacks like Shai-Hulud, says an Israeli researcher.<\/p>\n<p>The warning comes from <a href=\"https:\/\/il.linkedin.com\/in\/orenyomtov\" target=\"_blank\" rel=\"noreferrer noopener\">Oren Yomtov<\/a> of Koi Security, <a href=\"https:\/\/www.koi.ai\/blog\/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act\" target=\"_blank\" rel=\"noreferrer noopener\">who blogged Monday of discovering<\/a> six zero-day vulnerabilities in several package managers that could allow hackers to bypass defenses that had been recommended last November after Shai-Hulud roamed through npm and compromised over 700 packages.<\/p>\n<p>Those defenses are:<\/p>\n<ul class=\"wp-block-list\">\n<li>disabling the ability to run lifecycle scripts, commands that run automatically during package installation,<\/li>\n<li>saving lockfile integrity checks (package-lock.json, pnpm-lock.yaml, and others) to version control (git). 
The lockfile records the exact version and integrity hash of every package in a dependency tree. On subsequent installs, the package manager checks incoming packages against these hashes, and if something doesn\u2019t match, installation fails. If an attacker compromises a package and pushes a malicious version, the integrity check should catch the mismatch and block it from being installed.<\/li>\n<\/ul>\n<p>Those recommendations \u201cbecame the standard advice everywhere from GitHub security guides to corporate policy docs\u201d after November, says Yomtov, \u201cbecause if malicious code can\u2019t run on install, and your dependency tree is pinned, you\u2019re covered.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"novembers-advice-still-valid-but-more-issues-need-addressing\">November\u2019s advice still valid, but more issues need addressing<\/h2>\n<p>That advice is still valid, he added in an email interview.<\/p>\n<p>However, the vulnerabilities he discovered \u2014 dubbed PackageGate \u2014 that allow hackers to get around those two defenses have to be addressed by all platforms, he said.<\/p>\n<p>So far, the pnpm, vlt, and Bun platforms have addressed the bypass holes, Yomtov said, but npm and yarn haven\u2019t. He therefore recommends that JavaScript developers use pnpm, vlt or Bun.<\/p>\n<p>He added that, in any case, JavaScript developers should keep whatever JavaScript package manager they use up to date to ensure they have the latest patches.<\/p>\n<h2 class=\"wp-block-heading\" id=\"github-statement-bewildering\">GitHub statement \u2018bewildering\u2019<\/h2>\n<p>Microsoft, which owns and oversees npm through GitHub, referred\u00a0questions about the vulnerabilities to GitHub. 
It said in a statement, \u201cWe are actively working to address the new issue reported as npm actively scans for malware in the registry.\u201d In the meantime, it urges project developers to adopt <a href=\"https:\/\/github.blog\/security\/supply-chain-security\/strengthening-supply-chain-security-preparing-for-the-next-malware-campaign\/\" target=\"_blank\" rel=\"noreferrer noopener\">the recommendations in this blog<\/a> issued after the Shai-Hulud attacks.<\/p>\n<p>The statement also notes that, last September, <a href=\"https:\/\/github.blog\/security\/supply-chain-security\/our-plan-for-a-more-secure-npm-supply-chain\/\" target=\"_blank\" rel=\"noreferrer noopener\">GitHub said it is strengthening npm\u2019s security<\/a>, including making changes to authentication and token management.<\/p>\n<p>GitHub also warns that, if a package being installed through git contains a prepare script, its dependencies and devDependencies will be installed. \u201cAs we shared when the ticket was filed, this is an intentional design and works as expected. When users install a git dependency, they are trusting the entire contents of that repository, including its configuration files.\u201d<\/p>\n<p>Yomtov found this explanation of intentional design \u201cbewildering.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"not-the-complete-picture\">Not the complete picture<\/h2>\n<p>He says the scripts bypass vulnerability was reported through the HackerOne bug bounty program on November 26, 2025. While other JavaScript package managers accepted the reports, npm said the platform was working as intended, and that the \u2018ignore scripts\u2019 command should prevent the running of unapproved remote code.<\/p>\n<p>\u201cWe didn\u2019t write this post to shame anyone,\u201d Yomtov said in the blog. 
\u201cWe wrote it because the JavaScript ecosystem deserves better, and because security decisions should be based on accurate information, not assumptions about defenses that don\u2019t hold up.<\/p>\n<p>\u201cThe standard advice, disable scripts and commit your lockfiles, is still worth following. But it\u2019s not the complete picture,\u201d he said. \u201cUntil PackageGate is fully addressed, organizations need to make their own informed choices about risk.\u201d<\/p>\n<p><em>This article originally appeared on <a href=\"https:\/\/www.infoworld.com\/article\/4122299\/unplugged-holes-in-the-npm-and-yarn-package-managers-could-let-attackers-bypass-defenses-against-shai-hulud.html\" target=\"_blank\">InfoWorld<\/a>.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Javascript developers should consider moving away from the npm and yarn platforms for distributing their work because newly-found holes allow threat actors to run malicious worm attacks like Shai-Hulud, says an Israeli researcher. 
The warning comes from Oren Yomtov of Koi Security, who blogged Monday of discovering six zero-day vulnerabilities in several package managers that could allow hackers to bypass defenses that had been recommended&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15548\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15548","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15548","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15548"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15548\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15548"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15548"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15548"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}