pnpm Package-Manager Supply-Chain Advisory Batch
Status: Confirmed. Discovered Jun 27, 2026
pnpm disclosed a cluster of package-manager vulnerabilities affecting lockfile integrity, Git dependency fetching, repository registry configuration, patch application, and symlink creation; responders should inventory vulnerable pnpm versions and review credential-bearing install paths.
Summary counts: 2 affected packages, 18 observables, 6 sources
Timeline
| Date | Event | Description | Source |
|---|---|---|---|
| Jun 27, 2026 | Fresh source review | Reviewed direct and primary sources for the last-two-weeks supply-chain refresh; this preview intentionally excludes older Halting Problems article data. | Direct source |
Affected Software
| Package | Ecosystem | Version Range | Status | Confidence | Source |
|---|---|---|---|---|---|
| pnpm < 10.34.2 | npm | unknown | Malicious | 90% | Direct source |
| pnpm >= 11.0.0 | npm | unknown | Malicious | 90% | Direct source |
IOC Clipboard (18 IOCs)
| Type | Value |
|---|---|
| domain | codeload.github.com |
| url | https://github.com/pnpm/pnpm/security/advisories/GHSA-hg3w-7f8c-63hp |
| url | https://github.com/pnpm/pnpm/security/advisories/GHSA-54hh-g5mx-jqcp |
| url | https://github.com/pnpm/pnpm/security/advisories/GHSA-q6j5-fjx5-2mc3 |
| url | https://github.com/pnpm/pnpm/security/advisories/GHSA-p4xf-rf54-rj3x |
| url | https://github.com/pnpm/pnpm/security/advisories/GHSA-hwx4-2j3j-g496 |
| url | https://github.com/pnpm/pnpm/security/advisories/GHSA-cjhr-43r9-cfmw |
| file_path | package.json |
| file_path | pnpm-lock.yaml |
| file_path | pnpm-workspace.yaml |
| file_path | .npmrc |
| file_path | *.patch |
| file_path | .github/workflows |
| command | pnpm install |
| command | pnpm add |
| command | pnpm view |
| command | pnpm patch |
| command | git fetch |
Provenance & Sources
| Source | Type | Reliability | Claims | Evidence |
|---|---|---|---|---|
| Direct source | direct | 95% | 1 | https://github.com/pnpm/pnpm/security/advisories/GHSA-hg3w-7f8c-63hp |
| Direct source | direct | 95% | 1 | https://github.com/pnpm/pnpm/security/advisories/GHSA-54hh-g5mx-jqcp |
| Direct source | direct | 95% | 1 | https://github.com/pnpm/pnpm/security/advisories/GHSA-q6j5-fjx5-2mc3 |
| Direct source | direct | 95% | 1 | https://github.com/pnpm/pnpm/security/advisories/GHSA-p4xf-rf54-rj3x |
| Primary research | primary research | 95% | 1 | https://github.com/pnpm/pnpm/security/advisories/GHSA-3qhv-2rgh-x77r |
| Correlated source | correlated | 80% | 1 | https://github.com/advisories?query=pnpm |