Find notable cyber news and cases, enriched with sources, timelines, and signals.

NPM Git dependency .npmrc code execution bypass security flaw

Vulnerability
First reported
Last updated
Happening score
H score 51
3 unique sources, 4 articles

Summary

Hide ▲

NPM's Git dependency install path can be bypassed by a malicious .npmrc, allowing full code execution even when --ignore-scripts=true is enabled. The flaw weakens Git repository install defenses and sits within the broader PackageGate set of JavaScript package-manager issues. GitHub's npm v12 adds a separate mitigation path by making install-time execution and non-registry sources require explicit approval, reducing abuse of preinstall/install/postinstall scripts, node-gyp builds, Git-based dependencies, and remote URL dependencies.

Related Happenings

GitHub npm version 12 hardens installs and token management

Security Tool/Service
H score11 First: 09.07.2026 19:49 Last: 09.07.2026 19:49 Sources 1

About this happening: **GitHub** released **npm version 12**, making install-time scripts opt-in by default and tightening **package publishing** controls to reduce **supply-chain risk**. The update al...

GitHub npm GAT publish-token mitigation guidance

Advisory/Mitigation
H score25 First: 09.07.2026 19:49 Last: 09.07.2026 19:49 Sources 1

About this happening: GitHub is steering **npm users** away from **long-lived publish tokens** as **npm GATs** that bypass **2FA** lose direct publishing and sensitive-management abilities. The recomme...

GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows

Security Tool/Service
H score11 First: 23.06.2026 17:22 Last: 23.06.2026 17:22 Sources 1

About this happening: GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...

Npm v12 default-blocks install scripts, Git dependencies, and remote URLs

Security Tool/Service
H score11 First: 12.06.2026 16:00 Last: 12.06.2026 16:00 Sources 1

How related: NPM has announced new version (v12) of the npm package manager in a bid to prevent software supply chain attacks.

About this happening: GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...

Miasma supply-chain malware activity

Malware Activity
H score34 First: 10.06.2026 23:27 Last: 10.06.2026 23:27 Sources 1

About this happening: The **Miasma** malware activity is enabling **supply-chain compromise** by stealing **build environment** and **cloud credentials**, then using them to poison legitimate packages...

Timeline

  1. 26.01.2026 16:02 1 articles · 5mo ago

    Koi reports Git dependency bypass to NPM

    Initial Disclosure

    Koi Security submitted a vulnerability report to NPM’s HackerOne about a Git-dependency install bypass that affects the `--ignore-scripts` defense, and the researchers said they also reported the issues to vendors across the JavaScript package-manager ecosystem.

    Show sources
  2. 26.01.2026 16:02 2 articles · 5mo ago

    Malicious .npmrc overrides Git path during NPM installs

    Technical Analysis Update

    When NPM installs a dependency from a Git repository, a malicious `.npmrc` can override the git binary path and trigger full code execution even when `--ignore-scripts=true` is enabled; Koi said there was evidence of a proof-of-concept reverse shell abusing the technique.

    Show sources
  3. 26.01.2026 16:02 4 articles · 5mo ago

    Bun, vlt, and pnpm ship fixes and mitigations

    Mitigation Patch Update

    Bun patched the affected behavior in version 1.3.5, vlt patched within days after Koi’s disclosure, and pnpm released fixes for CVE-2025-69263 and CVE-2025-69264. The broader mitigation guidance also recommended disabling lifecycle scripts with `--ignore-scripts=true`, enabling lockfile integrity and dependency pinning, and adopting trusted publishing, granular access tokens, and enforced two-factor authentication.

    Show sources
  4. 26.01.2026 16:02 1 articles · 5mo ago

    NPM rejects the report; GitHub says it is working on the issue

    Legal Policy Action Update

    NPM closed the HackerOne report as working as expected and did not respond to follow-up attempts, while GitHub said it was working to address the issue and noted that npm was actively scanning the registry for malware.

    Show sources