
'PackageGate' Vulnerabilities Expose JavaScript Package Managers to Supply Chain Attacks

Security firm Koi uncovers 'PackageGate' vulnerabilities in JavaScript package managers, posing risks of malicious code execution.
Content Team

Security firm Koi discovered six vulnerabilities dubbed 'PackageGate' affecting major JavaScript package managers including NPM, PNPM, VLT, and Bun. These flaws can bypass existing supply chain protections, allowing attackers to execute malicious code through compromised dependencies.

The vulnerabilities work differently across managers: NPM can be exploited through malicious .npmrc files in Git dependencies, while PNPM's script protections don't cover Git processing. VLT has path traversal issues in tarball extraction, and Bun's allow lists can be spoofed.

PNPM, VLT, and Bun quickly patched their issues, but NPM dismissed the report as 'informative,' claiming the behavior works as intended. GitHub maintains that users accept repository risks when installing Git dependencies.

Source: SecurityWeek
