{"id":229861,"date":"2026-01-27T02:20:44","date_gmt":"2026-01-27T08:20:44","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2026\/01\/hackers-can-bypass-npms-shai-hulud-defenses-via-git-dependencies"},"modified":"2026-01-27T02:20:44","modified_gmt":"2026-01-27T08:20:44","slug":"hackers-can-bypass-npms-shai-hulud-defenses-via-git-dependencies","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2026\/01\/hackers-can-bypass-npms-shai-hulud-defenses-via-git-dependencies","title":{"rendered":"Hackers can bypass npm\u2019s Shai-Hulud defenses via Git dependencies"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/hackers-can-bypass-npms-shai-hulud-defenses-via-git-dependencies.jpg\"><\/a><\/p>\n<p>The defense mechanisms that NPM introduced after the \u2018Shai-Hulud\u2019 supply-chain attacks have weaknesses that allow threat actors to bypass them via Git dependencies.<\/p>\n<p>Collectively called PackageGate, the vulnerabilities were discovered in multiple utilities in the JavaScript ecosystem that are used to manage dependencies, such as pnpm, vlt, Bun, and NPM.<\/p>\n<p>Researchers at endpoint and supply-chain security company Koi discovered the issues and reported them to the vendors. They say that the problems were addressed in all tools except for NPM, which closed the report, stating that the behavior \u201cworks as expected.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The defense mechanisms that NPM introduced after the \u2018Shai-Hulud\u2019 supply-chain attacks have weaknesses that allow threat actors to bypass them via Git dependencies. Collectively called PackageGate, the vulnerabilities were discovered in multiple utilities in the JavaScript ecosystem that are used to manage dependencies, such as pnpm, vlt, Bun, and NPM. 
Researchers at endpoint and supply-chain security company Koi [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1492],"tags":[],"class_list":["post-229861","post","type-post","status-publish","format-standard","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/229861","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=229861"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/229861\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=229861"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=229861"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=229861"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}