PackageGate (JavaScript Ecosystem Supply Chain Attacks)

BLUF

Multiple JavaScript package managers (NPM, PNPM, VLT, Bun) were found to have vulnerabilities allowing attackers to bypass protections against malicious dependencies, potentially leading to widespread remote code execution (RCE) in development environments.

Executive Cost Summary

This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.

For organizations affected by malicious JavaScript package supply-chain compromises impacting development pipelines and cloud credentials:

·       Low-end total cost: $2.5M – $4.5M

o   (Limited spread, rapid detection, minimal downstream credential misuse)

·       Typical expected range: $5.0M – $10.0M

o   (Multiple teams affected, credential rotation, delayed releases)

·       Upper-bound realistic scenarios: $10.0M – $18.0M

o   (Broad CI/CD impact, cloud access abuse, regulatory involvement)

Key Cost Drivers

·       Number of developer endpoints and CI/CD pipelines requiring rebuild

·       Scope of exposed credentials across cloud and third-party services

·       Duration of build freezes and release delays

·       Regulatory notification requirements triggered by secondary exposure

·       Cyber insurance exclusions related to supply-chain compromise

Targeted Sectors

·       Software Development

·       IT Services

·       Web Applications

Countries Targeted

·       Global

Date of First Reported Activity

·       Reported Jan 27, 2026.

Date of Last Reported Activity Update

·       January 27, 2026

APT Names

·       Silk Typhoon

·       APT34

Criminal Organizations

·       Wizard Spider

·       UNC3379

IOCs

As a reminder, detection should focus on the heuristic behavior of the attacks. Indicators such as hashes, domains, and similar artifacts can be useful for identifying historical activity; however, attackers are highly dynamic. These indicators often vary by target and attack, and can even change within the same attack.

Malicious npm Package Versions

Attackers injected malicious code into legitimate, popular packages via compromised maintainer accounts. The specific compromised package versions include:

·       chalk@5.0.0-2

·       debug@4.3.5

·       debug@4.3.5-rc.0

·       ansi-styles@4.3.1-rc.1

·       ansi-styles@4.3.1-rc.2

·       babel-code-frame@7.23.11-rc.0

·       browserslist@4.23.0-rc.0

·       caniuse-lite@1.0.30001637-rc.0

·       css-loader@6.11.0-rc.0

·       electron-to-chromium@1.4.763-rc.0

·       escalade@3.1.2-rc.0

·       find-cache-dir@4.0.0-rc.0

·       find-up@5.0.0-rc.0

·       glob-parent@6.0.2-rc.0

·       graceful-fs@4.2.12-rc.0

·       loader-utils@2.0.4-rc.0

·       p-limit@3.1.0-rc.0

·       p-locate@5.0.0-rc.0

·       schema-utils@4.0.1-rc.0

·       source-map@0.7.4-rc.0

·       terser-webpack-plugin@5.3.11-rc.0

·       webpack@5.91.0-rc.0
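
The following script is an added example for this advisory, not code from npm, pnpm or any other package-manager project. It reads an npm package-lock.json (lockfileVersion 2 or 3, whose "packages" map is keyed by install path) and reports every installed copy, top-level or nested, whose name@version matches the list above. The lockfile layout is npm's real format; the sample lockfile inside the script is constructed for the demo.

```javascript
// Added example (not from the advisory, npm or pnpm): scan an npm lockfile for the
// compromised package versions listed in this advisory. Handles lockfileVersion 2/3
// ("packages" map). Lockfile v1 (nested "dependencies"), yarn.lock and pnpm-lock.yaml
// are not handled here.

// Exact name@version pairs from the advisory's IoC list.
const COMPROMISED_VERSIONS = new Set([
  "chalk@5.0.0-2", "debug@4.3.5", "debug@4.3.5-rc.0",
  "ansi-styles@4.3.1-rc.1", "ansi-styles@4.3.1-rc.2",
  "babel-code-frame@7.23.11-rc.0", "browserslist@4.23.0-rc.0",
  "caniuse-lite@1.0.30001637-rc.0", "css-loader@6.11.0-rc.0",
  "electron-to-chromium@1.4.763-rc.0", "escalade@3.1.2-rc.0",
  "find-cache-dir@4.0.0-rc.0", "find-up@5.0.0-rc.0", "glob-parent@6.0.2-rc.0",
  "graceful-fs@4.2.12-rc.0", "loader-utils@2.0.4-rc.0", "p-limit@3.1.0-rc.0",
  "p-locate@5.0.0-rc.0", "schema-utils@4.0.1-rc.0", "source-map@0.7.4-rc.0",
  "terser-webpack-plugin@5.3.11-rc.0", "webpack@5.91.0-rc.0",
]);

// Package name from a lockfile key: everything after the last "node_modules/", so a
// nested copy ("node_modules/a/node_modules/debug") and a scoped package
// ("node_modules/@scope/name") both resolve to the right name.
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Flatten the "packages" map. The root entry ("") is the project itself and is skipped.
function installedPackages(lockfile) {
  const result = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    if (key === "" || !entry || !entry.version) continue;
    result.push({ path: key, name: packageNameFromKey(key), version: entry.version });
  }
  return result;
}

// Every installed copy (including nested duplicates) whose name@version is on the list.
function findCompromised(lockfile) {
  return installedPackages(lockfile)
    .filter((p) => COMPROMISED_VERSIONS.has(`${p.name}@${p.version}`));
}

// Constructed sample lockfile: a clean chalk, a top-level hit, a hit nested under
// another dependency, and a clean scoped package.
const SAMPLE_LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/webpack": { version: "5.91.0-rc.0" },
    "node_modules/some-tool/node_modules/debug": { version: "4.3.5" },
    "node_modules/@types/node": { version: "20.11.0" },
  },
};

// CLI use: node scan-lockfile.js ./package-lock.json (no argument: scan the sample).
function main() {
  const file = typeof process !== "undefined" ? process.argv[2] : undefined;
  const lockfile = file && file.endsWith(".json")
    ? JSON.parse(require("fs").readFileSync(file, "utf8"))
    : SAMPLE_LOCKFILE;
  const hits = findCompromised(lockfile);
  for (const h of hits) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
  console.log(`${hits.length} compromised package version(s) found`);
  return hits.length;
}
if (typeof require !== "undefined" && require.main === module) main();
```

Run it against each repository's committed package-lock.json and against the lockfile actually present in CI caches and build images; a clean lockfile in Git says nothing about what a pipeline resolved at install time.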

Network Indicators

·       Phishing Domain

o   Attackers used the domain support@npmjs.help in phishing emails to steal maintainer credentials.

·       Malicious Traffic

o   The malware engaged in unusual outbound network traffic and DNS requests as it scanned for and exfiltrated sensitive credentials like GitHub Personal Access Tokens (PATs) and AWS/GCP/Azure API keys to command-and-control (C&C) servers.

System Indicators

·       Malicious Payload

o   The malicious code, often within a bundle.js file, hooked into browser APIs such as window.ethereum and XMLHttpRequest to replace cryptocurrency wallet addresses with attacker-controlled ones.

·       File Changes: Suspicious changes to registry or system files can be an indicator, as the malware attempted to establish persistence and scan the environment.

Tools Used

·       Maliciously crafted package managers (PNPM, VLT, Bun)

·       Package manager CLI


CVE-2025-69263

CVSS 3.1

·       (8.8) AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Nessus ID

·       There is no Tenable plugin for CVE-2025-69263

Is CVE-2025-69263 in the CISA KEV catalog?

·       No

What is the CISA patch-by date?

·       Not applicable

URL Link to patch information

·       hxxps://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85

CVE-2025-69264

(PNPM bugs)

CVSS 3.1

·       (9.8) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Nessus ID

·       There is no Tenable plugin for CVE-2025-69264

Is CVE-2025-69264 in the CISA KEV catalog?

·       No

What is the CISA patch-by date?

·       Not applicable

URL Link to patch information

·       hxxps://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5

Mitigation

·       Check for malicious .npmrc.
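
One way to carry out the .npmrc check, as an added example for this advisory rather than code from npm or any package-manager project: parse the file's ini-style lines and flag settings a planted .npmrc would use to redirect installs to another registry, re-enable lifecycle scripts, weaken TLS, or leak a token. The config keys named are real npm keys; the trusted-registry list and the sample file are assumptions made for the demo, and a project-level .npmrc in a cloned repository is read by npm just like the user-level one, which is why it deserves this review.

```javascript
// Added example (not from the advisory or npm): audit an .npmrc for settings an
// attacker-planted file would use. Assumption: only the public registry is trusted;
// add your private registry to TRUSTED_REGISTRIES.
const TRUSTED_REGISTRIES = new Set(["https://registry.npmjs.org/"]);

// .npmrc is ini-style "key=value" per line with "#" or ";" comments. Scoped
// registries look like "@scope:registry=..." and tokens like "//host/:_authToken=...".
function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    entries.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() });
  }
  return entries;
}

// npm treats "https://host" and "https://host/" as the same registry.
function normalizeRegistry(url) {
  return url.endsWith("/") ? url : url + "/";
}

// Returns one finding per risky entry, in file order.
function auditNpmrc(text) {
  const findings = [];
  const flag = (severity, key, value, reason) => findings.push({ severity, key, value, reason });
  for (const { key, value } of parseNpmrc(text)) {
    if (key === "registry" || key.endsWith(":registry")) {
      if (!TRUSTED_REGISTRIES.has(normalizeRegistry(value))) {
        flag("high", key, value, "installs redirected to a registry outside the trusted list");
      }
    } else if (key === "ignore-scripts" && value === "false") {
      flag("high", key, value, "overrides a global ignore-scripts=true and re-enables lifecycle scripts");
    } else if (key === "script-shell") {
      flag("high", key, value, "lifecycle scripts routed through a custom shell binary");
    } else if (key === "strict-ssl" && value === "false") {
      flag("high", key, value, "TLS certificate validation disabled for registry traffic");
    } else if (key === "cafile" || key === "ca") {
      flag("medium", key, value, "custom CA could let a non-public authority intercept registry traffic");
    } else if (key === "_auth" || key.endsWith(":_auth") || key.endsWith(":_authToken")) {
      // Never echo the secret itself into a report.
      flag("medium", key, "<redacted>", "registry credential stored in a project-readable file");
    }
  }
  return findings;
}

// Constructed sample: one legitimate registry line followed by four problems.
const SAMPLE_NPMRC = `
# constructed sample .npmrc
registry=https://registry.npmjs.org
@corp:registry=https://registry.example.invalid/npm/
//registry.npmjs.org/:_authToken=PLACEHOLDER_TOKEN
ignore-scripts=false
strict-ssl=false
`;

// CLI use: node audit-npmrc.js ./.npmrc (no argument: audit the sample).
function main() {
  const file = typeof process !== "undefined" ? process.argv[2] : undefined;
  const text = file && require("fs").existsSync(file) ? require("fs").readFileSync(file, "utf8") : SAMPLE_NPMRC;
  const findings = auditNpmrc(text);
  for (const f of findings) console.log(`[${f.severity}] ${f.key}=${f.value}: ${f.reason}`);
  return findings.length;
}
if (typeof require !== "undefined" && require.main === module) main();
```

Run it over the project .npmrc in every checked-out repository and over the user and global files on build agents; npm merges all of them, so a single planted project file is enough to change where a CI job installs from.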

Malware Names

·       There have been

TTPs

Initial Access

·       T1566.002 Phishing Spearphishing Link

o   Attackers used a sophisticated phishing campaign, often using domains like npmjs.help, to trick maintainers into revealing credentials or bypassing 2FA.

·       T1195.001 Supply Chain Compromise

o   Compromise Software Dependencies and Development Tools: Malicious code was injected directly into popular npm packages, exploiting the trust developers place in these registries.

Execution

·       T1059.007 Command and Scripting Interpreter JavaScript

o   The primary payload consisted of malicious JavaScript injected into standard bundle files to execute within the context of the victim's application or browser.

·       T1204.002 User Execution: Malicious File

o   The attack was triggered when developers or CI/CD pipelines automatically downloaded and "executed" the malicious package updates.

Persistence

·       T1547 Boot or Logon Autostart Execution

o   Some variants used automated package publishing to ensure the malware persisted through updated versions and continued spreading across build pipelines.

Credential Access

·       T1555.003 Credentials from Web Browsers

o   The malware was designed to harvest developer tokens, API keys, and credentials stored in web browsers.

·       T1056.001 Input Capture: Keylogging

o   Specific "crypto-clippers" intercepted clipboard data to swap wallet addresses when users copied and pasted them.

Impact

·       T1496 Resource Hijacking

o   The ultimate goal for many of these compromises was the theft of cryptocurrency by hijacking transactions and redirecting funds to attacker-controlled wallets.

Suggested rules / potential hunts

Suricata

Monitor for HTTP requests to Git providers (GitHub, GitLab) made with a package-manager user agent and a URI containing ".git", the pattern of a Git dependency fetch that the bypass relies on.

Example Rule: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible PackageGate Git Dependency Fetch"; http.user_agent; content:"npm/"; http.uri; content:".git"; sid:1000001; rev:1;)


Block or alert on outbound TLS connections to known exfiltration endpoints such as webhook.site, which malicious postinstall scripts often use.

Example Rule: alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"Suspicious Outbound Exfiltration (webhook.site)"; tls.sni; content:"webhook.site"; sid:1000002; rev:1;)

SentinelOne

Detect unusual child processes (such as curl or bash) launched by package managers that are not typical build or test commands.

ParentProcessName IN: ("npm.exe", "node.exe", "yarn.exe", "npm", "node", "yarn")

AND ProcessName IN: ("curl.exe", "wget.exe", "powershell.exe", "cmd.exe", "sh", "bash")

AND NOT (CommandLine CONTAINS "build" OR CommandLine CONTAINS "test")


Identify node processes reading sensitive configuration files where credentials and API keys are stored, such as .npmrc, .aws/credentials, .ssh/id_rsa, or .env.

ProcessName IN: ("node.exe", "node")

AND FilePath MATCHES:anycase(".*\\.npmrc", ".*\\.aws\\\\credentials", ".*\\.ssh\\\\id_.*", ".*\\.env")

AND EventType = "File Read"


Detect node processes communicating with external hosting services during a package installation or runtime.

ProcessName IN: ("node.exe", "node")

AND NetUrl IN: ("pastebin.com", "transfer.sh", "raw.githubusercontent.com", "ipfs.io")

Splunk

Use Splunk to correlate package manager logs with endpoint and network activity to find "PackageGate" bypasses.

Identify when npm or node connects to external hosts other than the standard registries.

index=sysmon EventCode=3 (Image="*npm*" OR Image="*node*")

| search NOT (DestinationHostname="*.npmjs.org" OR DestinationHostname="*.github.com")

| stats count by DestinationHostname, Image


The PackageGate bypass specifically uses prepare scripts in Git dependencies. Hunt for logs indicating these scripts ran when they should have been suppressed: an npm or pnpm process invoked with --ignore-scripts should not spawn a shell, so join each shell's parent_process_id to the installer's process_id (the process_id field name is assumed; adjust to your schema).

index=security (process_name="npm" OR process_name="pnpm") command_line="*--ignore-scripts*"

| join type=inner host, process_id [ search index=security (process_name="sh" OR process_name="cmd") | rename parent_process_id AS process_id, command_line AS child_command_line, process_name AS child_process_name ]

| table _time, host, command_line, child_process_name, child_command_line
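
The correlation behind that hunt, written out in plain JavaScript over constructed process events so the logic can be checked before it is ported to a SIEM; this is an added example for the advisory, not a query or code from Splunk, SentinelOne or any package manager. A hit is a shell whose parent is an npm or pnpm process that was started with --ignore-scripts, joined on (host, parent_process_id) to (host, process_id). The event field names are assumed.

```javascript
// Added example (not from the advisory or any SIEM vendor): detect lifecycle
// scripts that ran although the installer was told to suppress them. Assumed event
// fields: time, host, process_name, process_id, parent_process_id, command_line.
const INSTALLERS = new Set(["npm", "pnpm"]);
const SHELLS = new Set(["sh", "bash", "cmd", "cmd.exe"]);

// Index installers that asked for script suppression, keyed by host and pid so the
// same pid on two hosts can never be confused.
function indexSuppressedInstalls(events) {
  const index = new Map();
  for (const e of events) {
    if (INSTALLERS.has(e.process_name) && e.command_line.includes("--ignore-scripts")) {
      index.set(`${e.host}:${e.process_id}`, e);
    }
  }
  return index;
}

// Join every shell event to its parent: the shell's parent_process_id must equal an
// indexed installer's process_id on the same host. Shells under a plain "npm install"
// (scripts allowed) are not hits.
function huntSuppressedScriptExecution(events) {
  const installers = indexSuppressedInstalls(events);
  const hits = [];
  for (const e of events) {
    if (!SHELLS.has(e.process_name)) continue;
    const parent = installers.get(`${e.host}:${e.parent_process_id}`);
    if (!parent) continue;
    hits.push({ time: e.time, host: e.host, installer: parent.command_line, child: e.command_line });
  }
  return hits;
}

// Constructed sample: one suppressed install that still spawned a shell (hit), one
// normal install whose shell child is expected, and a same-pid shell on another host.
const SAMPLE_EVENTS = [
  { time: "2026-01-27T10:00:00Z", host: "build-01", process_name: "pnpm", process_id: 4100, parent_process_id: 1,
    command_line: "pnpm install --ignore-scripts --frozen-lockfile" },
  { time: "2026-01-27T10:00:04Z", host: "build-01", process_name: "sh", process_id: 4105, parent_process_id: 4100,
    command_line: "sh -c node ./prepare.js" },
  { time: "2026-01-27T10:01:00Z", host: "build-01", process_name: "npm", process_id: 4200, parent_process_id: 1,
    command_line: "npm install" },
  { time: "2026-01-27T10:01:03Z", host: "build-01", process_name: "sh", process_id: 4201, parent_process_id: 4200,
    command_line: "sh -c node-gyp rebuild" },
  { time: "2026-01-27T10:00:05Z", host: "build-02", process_name: "sh", process_id: 4105, parent_process_id: 4100,
    command_line: "sh -c echo unrelated" },
];

function runSample() {
  return huntSuppressedScriptExecution(SAMPLE_EVENTS);
}

for (const h of runSample()) {
  console.log(`${h.time} ${h.host}: "${h.installer}" spawned "${h.child}"`);
}
```

On a real endpoint feed add a time window to the join (child start within the installer's lifetime), because pids are reused; the (host, pid) key alone is enough for a short-lived build-agent query but not for days of history.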

Delivery Method

·       Inclusion of malicious package updates in public registries (NPM/PNPM)

References

NVD

·       hxxps://nvd.nist.gov/vuln/detail/CVE-2025-69263

·       hxxps://nvd.nist.gov/vuln/detail/CVE-2025-69264

Security Tracker Debian Org

·       hxxps://security-tracker.debian.org/tracker/CVE-2025-69263

·       hxxps://security-tracker.debian.org/tracker/CVE-2025-69264

GitHub

·       hxxps://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85

·       hxxps://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5
