Home SecurityMobile Security Unplugged holes in the npm and yarn package managers could let attackers bypass defenses against Shai-Hulud
Mobile SecuritySecurity

Unplugged holes in the npm and yarn package managers could let attackers bypass defenses against Shai-Hulud

by admin
written by admin

Not the complete picture

He says the scripts bypass vulnerability was reported through the HackerOne bug bounty program on November 26, 2025. While other JavaScript package managers accepted the reports, npm said the platform was working as intended, and that the ‘ignore scripts’ command should prevent the running of unapproved remote code.

“We didn’t write this post to shame anyone,” Yomtov said in the blog. “We wrote it because the JavaScript ecosystem deserves better, and because security decisions should be based on accurate information, not assumptions about defenses that don’t hold up.

“The standard advice, disable scripts and commit your lockfiles, is still worth following. But it’s not the complete picture,” he said. “Until PackageGate is fully addressed, organizations need to make their own informed choices about risk.”

Source link

0 comment
0
FacebookTwitterPinterestEmail

Related Articles

Do you have an eye for software? –...

After criticism, Microsoft promises big improvements for Windows...

Forward Networks launches agentic AI system built on...

Oracle may slash up to 30,000 jobs to...

Top 11 network outages and application failures of...

NIS2: Lieferketten als Risikofaktor | CSO Online

Hugging Face infra abused to spread Android RAT...

How to print and scan with Android –...

Connecting the dots on the ‘attachment economy’

Human risk management: CISOs’ solution to the security...

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

Ⓒ2025 - All Right Reserved.