JavaScript developers should consider moving away from the npm and yarn platforms for distributing their work because newly found holes allow threat actors to run malicious worm attacks like Shai-Hulud, says an Israeli researcher.
The warning comes from Oren Yomtov of Koi Security, who blogged Monday of discovering six zero-day vulnerabilities in several package managers that could allow hackers to bypass defenses that had been recommended last November after Shai-Hulud roamed through npm and compromised over 700 packages.
Those defenses are:
- disabling the ability to run lifecycle scripts, commands that run automatically during package installation,
- saving lockfile integrity checks (package-lock.json, pnpm-lock.yaml, and others) to version control (git). The lockfile records the exact version and integrity hash of every package in a dependency tree. On subsequent installs, the package manager checks incoming packages against these hashes, and if something doesn’t match, installation fails. If an attacker compromises a package and pushes a malicious version, the integrity check should catch the mismatch and block it from being installed.
Those recommendations “became the standard advice everywhere from GitHub security guides to corporate policy docs” after November, says Yomtov, “because if malicious code can’t run on install, and your dependency tree is pinned, you’re covered.”
November’s advice still valid, but more issues need addressing
That advice is still valid, he added in an email interview.
However, the vulnerabilities he discovered — dubbed PackageGate — that allow hackers to get around those two defenses have to be addressed by all platforms, he said.
So far, the pnpm, vlt, and Bun platforms have addressed the bypass holes, Yomtov said, but npm and yarn haven’t. He therefore recommends that JavaScript developers use pnpm, vlt or Bun.
He added that, in any case, JavaScript developers should keep whatever JavaScript package manager they use up to date to ensure they have the latest patches.
GitHub statement ‘bewildering’
Microsoft, which owns and oversees npm through GitHub, referred questions about the vulnerabilities to GitHub. It said in a statement, “We are actively working to address the new issue reported as npm actively scans for malware in the registry.” In the meantime, it urges project developers to adopt the recommendations in this blog issued after the Shai-Hulud attacks.
The statement also notes that, last September, GitHub said it is strengthening npm’s security, including making changes to authentication and token management.
GitHub also warns that, if a package being installed through git contains a prepare script, its dependencies and devDependencies will be installed. “As we shared when the ticket was filed, this is an intentional design and works as expected. When users install a git dependency, they are trusting the entire contents of that repository, including its configuration files.”
Yomtov found this explanation of intentional design “bewildering.”
Not the complete picture
He says the scripts bypass vulnerability was reported through the HackerOne bug bounty program on November 26, 2025. While other JavaScript package managers accepted the reports, npm said the platform was working as intended, and that the ‘ignore scripts’ command should prevent the running of unapproved remote code.
“We didn’t write this post to shame anyone,” Yomtov said in the blog. “We wrote it because the JavaScript ecosystem deserves better, and because security decisions should be based on accurate information, not assumptions about defenses that don’t hold up.
“The standard advice, disable scripts and commit your lockfiles, is still worth following. But it’s not the complete picture,” he said. “Until PackageGate is fully addressed, organizations need to make their own informed choices about risk.”
This article originally appeared on InfoWorld.