NPM Git dependency .npmrc code execution bypass security flaw
Vulnerability
Summary
NPM's Git dependency install path can be bypassed by a malicious .npmrc, allowing full code execution even when --ignore-scripts=true is enabled. The flaw weakens post-Shai-Hulud supply-chain defenses for packages fetched from Git repositories. Researchers said the bypass is practical and ties into the broader PackageGate issues across JavaScript package managers, with pnpm tracking related fixes as CVE-2025-69263 and CVE-2025-69264.
Related Happenings
Packagist package.json hook supply chain attack campaign
Campaign
First: 23.05.2026 19:07
Last: 23.05.2026 19:07
Sources 1
About this happening:
A **coordinated supply chain attack campaign** compromised **eight Packagist packages**, creating repeat execution risk for projects that install the affected versions. The malici...
Mini Shai-Hulud supply-chain campaign targeting npm and PyPI
Campaign
First: 12.05.2026 17:45
Last: 12.05.2026 17:45
Sources 1
About this happening:
The **Mini Shai-Hulud** **supply-chain campaign** linked to **TeamPCP** expanded into downstream victim reporting, including **Grafana Labs**. Grafana said its **GitHub environmen...
Latest development: 21.05.2026 11:00
Grafana Labs said its GitHub environment was accessed and its codebase downloaded, with additional internal operational information taken from GitHub repositories, after compromise linked to the Mini Shai-Hulud campaign and TanStack npm packages. Grafana said it first spotted malicious activity on May 11, discovered the unauthorized download on May 17, and after contact from the ransom gang rotated automation tokens, enabled enhanced monitoring, audited commits since the May 11 incident, and hardened its GitHub security posture, while saying there is no indication customer production systems or operations were compromised.
Rogue Checkmarx Jenkins AST plugin release on Jenkins Marketplace
Security Tool/Service
First: 12.05.2026 01:03
Last: 12.05.2026 01:03
Sources 1
About this happening:
A **rogue 2026.5.09 release** of the **Checkmarx Jenkins AST plugin** was uploaded to **repo.jenkins-ci.org**, undermining trust in a security-scanning component used in **Jenkins...
Mini Shai-Hulud SAP-related npm supply-chain campaign
Campaign
First: 29.04.2026 19:26
Last: 29.04.2026 19:26
Sources 1
About this happening:
A new **Mini Shai-Hulud** supply-chain campaign is targeting **SAP-related npm packages**, putting **developer and CI/CD environments** at risk of credential theft and malicious p...
Latest development: 12.05.2026 11:50
Mini Shai-Hulud expands beyond the original SAP-related npm packages to compromise TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and DraftLab packages across npm and PyPI, with malicious payloads using router_init.js, GitHub Actions abuse, and exfiltration to filev2.getsession[.]org, api.masscan[.]cloud, or attacker-controlled GitHub repositories.
Cline hit by cyberattack
Incident
First: 20.02.2026 00:33
Last: 20.02.2026 00:33
Sources 1
About this happening:
A **Cline CLI** **supply-chain incident** on **February 17, 2026** used a **compromised npm publish token** to publish **[email protected]** with a **postinstall** step that silently in...
Timeline
-
26.01.2026 16:02 1 article · 4mo ago
Koi reports Git dependency bypass to NPM
Initial Disclosure: Koi Security submitted a vulnerability report to NPM’s HackerOne about a Git-dependency install bypass that affects the `--ignore-scripts` defense, and the researchers said they also reported the issues to vendors across the JavaScript package-manager ecosystem.
- Hackers can bypass npm’s Shai-Hulud defenses via Git dependencies — www.bleepingcomputer.com — 26.01.2026 16:02
-
26.01.2026 16:02 2 articles · 4mo ago
Malicious .npmrc overrides Git path during NPM installs
Technical Analysis Update: When NPM installs a dependency from a Git repository, a malicious `.npmrc` can override the git binary path and trigger full code execution even when `--ignore-scripts=true` is enabled; Koi said there was evidence of a proof-of-concept reverse shell abusing the technique.
- Hackers can bypass npm’s Shai-Hulud defenses via Git dependencies — www.bleepingcomputer.com — 26.01.2026 16:02
-
26.01.2026 16:02 2 articles · 4mo ago
Bun, vlt, and pnpm ship fixes and mitigations
Mitigation Patch Update: Bun patched the affected behavior in version 1.3.5, vlt patched within days after Koi’s disclosure, and pnpm released fixes for CVE-2025-69263 and CVE-2025-69264. The broader mitigation guidance also recommended disabling lifecycle scripts with `--ignore-scripts=true`, enabling lockfile integrity and dependency pinning, and adopting trusted publishing, granular access tokens, and enforced two-factor authentication.
- Hackers can bypass npm’s Shai-Hulud defenses via Git dependencies — www.bleepingcomputer.com — 26.01.2026 16:02
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
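The technical analysis above describes a repo-supplied `.npmrc` redirecting npm's git binary, and the mitigation entry lists `--ignore-scripts=true` as the defense that gets bypassed. The following added example (not code from the article, Koi, or npm) is a pre-install check that parses the `.npmrc` text found in a fetched Git dependency and reports settings that point npm at another executable or switch lifecycle scripts back on; it assumes `git`, `script-shell`, `shell` and `ignore-scripts` are npm's own config keys, and makes no claim about which key the reported proof of concept used.

```javascript
// Added example, not code from the article, Koi, or npm itself. It scans the
// text of a .npmrc found inside a fetched Git dependency and reports settings
// that redirect npm to another executable or re-enable lifecycle scripts.
// Assumption: the key names below are npm's own config keys ("git",
// "script-shell", "shell", "ignore-scripts"); which key the reported bypass
// used is not stated on this page.

const EXECUTABLE_KEYS = new Set(['git', 'script-shell', 'shell']);

// Parse ini-style .npmrc text into [key, value] pairs; comments start with # or ;.
function parseNpmrc(text) {
  const entries = [];
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue; // bare flags carry no executable path
    const key = line.slice(0, eq).trim().toLowerCase();
    const value = line.slice(eq + 1).trim();
    entries.push([key, value]);
  }
  return entries;
}

// A value that is not an absolute path resolves relative to the dependency's
// own checkout, so it is the more suspicious shape for a repo-supplied .npmrc.
function isRelativePath(value) {
  return !(value.startsWith('/') || /^[A-Za-z]:[\\/]/.test(value));
}

// Returns { overrides, reenablesScripts }; a non-empty overrides list or
// reenablesScripts === true means the install should be blocked for review.
function scanNpmrc(text) {
  const overrides = [];
  let reenablesScripts = false;
  for (const [key, value] of parseNpmrc(text)) {
    if (EXECUTABLE_KEYS.has(key)) {
      overrides.push({ key, value, relativePath: isRelativePath(value) });
    } else if (key === 'ignore-scripts' && value.toLowerCase() === 'false') {
      reenablesScripts = true;
    }
  }
  return { overrides, reenablesScripts };
}

// Constructed sample: a harmless-looking registry line plus two risky settings.
const SAMPLE_NPMRC = [
  '# constructed sample, not a real package',
  'registry=https://registry.npmjs.org/',
  'git=./tools/git-wrapper',
  'ignore-scripts=false',
].join('\n');

console.log(JSON.stringify(scanNpmrc(SAMPLE_NPMRC), null, 2));
```

Run it against each `.npmrc` in a cloned Git dependency before `npm install` resolves the package; any finding is a reason to stop and inspect the repository rather than trust `--ignore-scripts` alone.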
-
26.01.2026 16:02 1 article · 4mo ago
NPM rejects the report; GitHub says it is working on the issue
Legal Policy Action Update: NPM closed the HackerOne report as working as expected and did not respond to follow-up attempts, while GitHub said it was working to address the issue and noted that npm was actively scanning the registry for malware.
- Hackers can bypass npm’s Shai-Hulud defenses via Git dependencies — www.bleepingcomputer.com — 26.01.2026 16:02