
Hackers Can Bypass NPM's Shai-Hulud Supply-Chain Defenses Using Git Dependencies
Tags: Security, supply_chain, cybersecurity, vulnerability, NPM, Git_dependencies, malware
The defense mechanisms NPM introduced after the "Shai-Hulud" supply-chain attacks have weaknesses that let attackers bypass them through Git dependencies. Researchers found that packages pulled in as Git dependencies are not subject to the newly added security checks, so a malicious package declared this way can still run code during installation and compromise the software supply chain. NPM has been notified of the flaws, which affect the protections meant to stop attacks of the Shai-Hulud type.