Koi identifies six zero-day vulnerabilities in JavaScript package managers (npm, pnpm, vlt, and Bun) regarding defenses against the Shai-Hulud attack. While npm declined to address vulnerabilities, pnpm, vlt, and Bun acted swiftly. These flaws allow attackers to bypass script execution prevention and lockfile integrity checks, undermining the security claims of the tools. Koi stresses that the ecosystem requires better security and urges organizations to be vigilant, use lockfiles, disable scripts, and consider using more secure package managers.
https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act

