{"id":206950,"date":"2026-01-26T20:51:00","date_gmt":"2026-01-27T01:51:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/01\/26\/unplugged-holes-in-the-npm-and-yarn-package-managers-could-let-attackers-bypass-defenses-against-shai-hulud\/"},"modified":"2026-01-27T08:05:13","modified_gmt":"2026-01-27T13:05:13","slug":"unplugged-holes-in-the-npm-and-yarn-package-managers-could-let-attackers-bypass-defenses-against-shai-hulud","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/01\/26\/unplugged-holes-in-the-npm-and-yarn-package-managers-could-let-attackers-bypass-defenses-against-shai-hulud\/","title":{"rendered":"Unplugged holes in the npm and yarn package managers could let attackers bypass defenses against Shai-Hulud"},"content":{"rendered":"<p><a href=\"https:\/\/www.csoonline.com\/article\/4122436\/unplugged-holes-in-the-npm-and-yarn-package-managers-could-let-attackers-bypass-defenses-against-shai-hulud-2.html\">Unplugged holes in the npm and yarn package managers could let attackers bypass defenses against Shai-Hulud<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/4122436\/unplugged-holes-in-the-npm-and-yarn-package-managers-could-let-attackers-bypass-defenses-against-shai-hulud-2.html\">https:\/\/www.csoonline.com\/article\/4122436\/unplugged-holes-in-the-npm-and-yarn-package-managers-could-let-attackers-bypass-defenses-against-shai-hulud-2.html<\/a><\/p>\n<p>Publish Date: 2026-01-26 20:51:00<\/p>\n<p>Source Domain: www.csoonline.com<\/p>\n<h2 class=\"wp-block-heading\" id=\"not-the-complete-picture\">Not the complete picture<\/h2>\n<p>He says the scripts bypass vulnerability was reported through the HackerOne bug bounty program on November 26, 2025. 
While other JavaScript package managers accepted the reports, npm said the platform was working as intended, and that the \u2018ignore scripts\u2019 command should prevent the running of unapproved remote code.<\/p>\n<p>\u201cWe didn\u2019t write this post to shame anyone,\u201d Yomtov said in the blog. \u201cWe wrote it because the JavaScript ecosystem deserves better, and because security decisions should be based on accurate information, not assumptions about defenses that don\u2019t hold up.<\/p>\n<p>\u201cThe standard advice, disable scripts and commit your lockfiles, is still worth following. But it\u2019s not the complete picture,\u201d he said. \u201cUntil PackageGate is fully addressed, organizations need to make their own informed choices about risk.\u201d<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/4122436\/unplugged-holes-in-the-npm-and-yarn-package-managers-could-let-attackers-bypass-defenses-against-shai-hulud-2.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Unplugged holes in the npm and yarn package managers could let attackers bypass defenses 
against&#8230;<\/p>\n","protected":false},"author":1,"featured_media":206951,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.csoonline.com\/wp-content\/uploads\/2026\/01\/4122436-0-85183800-1769479337-shutterstock_177668495.jpg?quality=50&strip=all&w=1024","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[27],"class_list":["post-206950","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/206950"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=206950"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/206950\/revisions"}],"predecessor-version":[{"id":206952,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/206950\/revisions\/206952"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/206951"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=206950"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=206950"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=206950"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}