
"In NPM, a Git dependency with a malicious .npmrc file could be used for RCE. In PNPM, the protection that disabled scripts by default only applied to the build phase, but not to Git dependency processing. In VLT, a path traversal in the tarball extraction operation could lead to arbitrary file writes on the system, while Bun's script execution allow list only applied to package names, but not their sources, allowing attackers to spoof packages for RCE."
"Following high-profile NPM supply chain attacks such as Shai-Hulud and PhantomRaven, organizations and developers alike broadly adopted two defense mechanisms to prevent the automatic execution of code during package installation and to ensure the integrity of packages. The first mechanism, Koi explains, involves setting a flag that would ignore the execution of preinstall, install, and postinstall scripts when running a package. The second relies on recording the version of each package in a tree, along with integrity hashes, and on checking all packages against these hashes on subsequent installs."
Six vulnerabilities in leading JavaScript package managers—NPM, PNPM, VLT, and Bun—can bypass supply chain protections and enable execution of malicious code from attacker-controlled dependencies. Two common defenses are disabling preinstall/install/postinstall scripts during installation and recording package versions with integrity hashes for verification on reinstall. The vulnerabilities exploit different behaviors: a malicious .npmrc in a Git dependency for NPM; PNPM's script disabling applying only to build phases and not Git dependency processing; a path traversal in VLT's tarball extraction allowing arbitrary file writes; and Bun's allow list validating package names but not sources, enabling package spoofing. PNPM and VLT also omit tarball integrity hashes, permitting tampered tarballs on subsequent installs.
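The second defense described above, lockfile integrity hashes, is only as good as the check that runs against them. The following added example (not code from SecurityWeek, Koi, or any of the package managers named) shows how a defender can audit a lockfile: it recomputes the Subresource-Integrity digest (`sha512-` plus a base64 digest, the form npm lockfiles record in the `integrity` field) for each fetched tarball and flags entries that mismatch or that carry no integrity field at all, the gap the summary attributes to PNPM and VLT. It assumes the npm lockfile v3 layout (`packages`, `resolved`, `integrity`); the package names, URLs and tarball bytes are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins for tarballs a package manager would fetch, keyed by the
# "resolved" URL recorded in the lockfile. URLs and bytes are made up for this
# example and do not correspond to any real registry content.
FETCHED = {
    "https://registry.example/good-pkg/-/good-pkg-1.0.0.tgz":
        b"good-pkg tarball bytes (constructed)",
    "https://registry.example/tampered-pkg/-/tampered-pkg-2.0.0.tgz":
        b"tampered-pkg tarball bytes, changed after the lockfile was written (constructed)",
    "https://registry.example/nohash-pkg/-/nohash-pkg-3.0.0.tgz":
        b"nohash-pkg tarball bytes (constructed)",
}


def sri_sha512(data: bytes) -> str:
    """Subresource-Integrity string in the form npm lockfiles record: 'sha512-' + base64 digest."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def integrity_matches(data: bytes, expected: str) -> bool:
    """Recompute the digest named by the SRI prefix and compare it in constant time.

    Returns False for unknown or weak algorithms and for malformed base64, so a
    damaged integrity field is treated as a failure rather than silently accepted.
    """
    algo, sep, b64 = expected.partition("-")
    if sep != "-" or algo not in ("sha512", "sha384", "sha256"):
        return False
    try:
        want = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    got = hashlib.new(algo, data).digest()
    return hmac.compare_digest(got, want)


# Constructed lockfile in npm's lockfileVersion 3 layout. The tampered-pkg entry
# pins the digest of the bytes originally published; nohash-pkg has no integrity
# field, so nothing pins its tarball on a later install.
LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.0.0"},
        "node_modules/good-pkg": {
            "version": "1.0.0",
            "resolved": "https://registry.example/good-pkg/-/good-pkg-1.0.0.tgz",
            "integrity": sri_sha512(b"good-pkg tarball bytes (constructed)"),
        },
        "node_modules/tampered-pkg": {
            "version": "2.0.0",
            "resolved": "https://registry.example/tampered-pkg/-/tampered-pkg-2.0.0.tgz",
            "integrity": sri_sha512(b"tampered-pkg tarball bytes as originally published (constructed)"),
        },
        "node_modules/nohash-pkg": {
            "version": "3.0.0",
            "resolved": "https://registry.example/nohash-pkg/-/nohash-pkg-3.0.0.tgz",
        },
    },
})


def audit_lockfile(lockfile_json: str, fetched: dict) -> dict:
    """Return {package path: status}.

    status is one of 'ok', 'mismatch' (tarball differs from the pinned digest),
    'missing-integrity' (nothing pins this tarball) or 'unresolved' (no tarball
    was fetched for the recorded URL).
    """
    lock = json.loads(lockfile_json)
    report = {}
    for path, entry in lock.get("packages", {}).items():
        if path == "":  # the root project entry has no tarball of its own
            continue
        expected = entry.get("integrity")
        if not expected:
            report[path] = "missing-integrity"
            continue
        data = fetched.get(entry.get("resolved"))
        if data is None:
            report[path] = "unresolved"
            continue
        report[path] = "ok" if integrity_matches(data, expected) else "mismatch"
    return report


if __name__ == "__main__":
    for path, status in audit_lockfile(LOCKFILE, FETCHED).items():
        print(f"{status:18} {path}")
```

Treating a missing `integrity` field as a finding, rather than as "nothing to check", is the point: an install that only verifies the hashes present will happily accept a tarball that was never pinned.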
Read at SecurityWeek