Recent Exploits
Researchers published a proof-of-concept that obtained a reverse shell by leveraging a flaw shared by several JavaScript package managers, demonstrating that the risk is not merely theoretical.
Affected Managers and Patches
Specific mitigations have been released:
- Bun – patched in version 1.3.5.
- vlt – patched within days of disclosure.
- pnpm – fixes issued for CVE-2025-69263 and CVE-2025-69264.
npm’s Stance
npm rejected the vulnerability report, stating that users must vet package content themselves. Follow‑up communications received no response, highlighting a gap in ecosystem stewardship.
Mitigation Recommendations
Security‑focused teams should adopt the following guardrails:
- Enforce trusted publishing workflows.
- Implement granular access tokens with mandatory two‑factor authentication.
- Regularly rotate and retire old authentication keys.
- Audit dependencies for anomalous scripts before installation.