PackageGate bugs let attackers bypass protections in NPM, PNPM, VLT, and Bun
Koi researchers found “PackageGate” flaws in NPM, PNPM, VLT, and Bun that let attackers perform supply chain attacks and run malicious code.

Security firm Koi uncovered a set of vulnerabilities collectively tracked as “PackageGate” affecting major JavaScript package managers like NPM, PNPM, VLT, and Bun. These flaws could let attackers bypass supply chain protections and run malicious code hidden inside compromised dependencies.
After the Shai-Hulud attack compromised hundreds of npm packages, the JavaScript ecosystem adopted a simple defense playbook: disable lifecycle scripts and rely on lockfiles. The idea was clear: if install scripts cannot run and dependencies stay pinned, supply chain attacks should fail.
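The playbook described above can be checked mechanically. The following is an added example, not code from Koi or from any package manager: it audits an `.npmrc` and an npm lockfile (lockfileVersion 2 or 3) for both halves of the playbook. The function names, package names and sample inputs are constructed for illustration, and it only confirms that the playbook is configured.

```javascript
// Parse .npmrc text: key=value lines, with ';' and '#' starting comments.
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq > 0) cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

// Audit both halves of the playbook; returns a list of findings (empty = clean).
function auditPlaybook(npmrcText, lockfileText) {
  const findings = [];
  if (parseNpmrc(npmrcText)['ignore-scripts'] !== 'true') {
    findings.push('npmrc: ignore-scripts is not set to true');
  }
  const lock = JSON.parse(lockfileText);
  // lockfileVersion 2 and 3 list every installed package under "packages";
  // the "" key is the root project, "link" marks workspace symlinks.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link || entry.inBundle) continue;
    if (!entry.integrity) findings.push(`${path}: no integrity hash`);
    if (entry.hasInstallScript) findings.push(`${path}: declares install scripts`);
  }
  return findings;
}

// Constructed sample inputs (hypothetical packages, placeholder hashes).
const SAMPLE_NPMRC = '# constructed sample\nignore-scripts=true\n';
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/pinned-lib': {
      resolved: 'https://registry.npmjs.org/pinned-lib/-/pinned-lib-2.1.0.tgz',
      integrity: 'sha512-CONSTRUCTED-PLACEHOLDER',
    },
    'node_modules/native-addon': {
      resolved: 'https://registry.npmjs.org/native-addon/-/native-addon-0.3.0.tgz',
      integrity: 'sha512-CONSTRUCTED-PLACEHOLDER',
      hasInstallScript: true, // would run a script if ignore-scripts were dropped
    },
    'node_modules/unpinned-lib': { resolved: 'git+ssh://git@example.com/unpinned-lib.git#CONSTRUCTED' },
  },
});
console.log(auditPlaybook(SAMPLE_NPMRC, SAMPLE_LOCK));
```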
