## pnpm v10+ Security Flaw: CVE-2025-69264 Allows Bypass of Lifecycle Script Protections
A critical security vulnerability in the pnpm package manager, tracked as CVE-2025-69264 (GHSA-379q-355j-w6rj), lets a package bypass one of pnpm 10's key protections. Since version 10, pnpm does not run the lifecycle scripts of dependencies (such as `preinstall` and `postinstall`) during installation unless the project explicitly allows them; this flaw lets that default be circumvented in pnpm 10 and later. The result is a direct path for supply chain attacks: a compromised or malicious package can execute arbitrary code during `pnpm install`, on developer machines and in CI, where it can tamper with the build or exfiltrate secrets.

The vulnerability is present in pnpm releases from 10.0.0 onward. The security advisory states that the default protection, designed to prevent automatic script execution from dependencies, can be circumvented, and that the issue was fixed in 10.28.2. The automated dependency update pull request this item is drawn from bumps a project's pinned pnpm from 10.6.2 to 10.28.2; the size of that jump reflects how long the pin had been left stale rather than the severity of the flaw, but it does mean every intermediate 10.x release before 10.28.2 should be treated as affected.

Because pnpm is a core tool in modern JavaScript and Node.js workflows, any project that installs dependencies with an affected 10.x release is exposed, and the pnpm 10 default is, in many setups, the main control standing between a malicious transitive dependency and code execution in the build. Organizations and developers relying on automated dependency management tools like Renovate should merge this update promptly and confirm that the version the project actually pins (for example in the `packageManager` field or a CI install step) is 10.28.2 or later. Until then, build pipelines and development environments remain open to exploitation, where a single malicious package could trigger a cascading security incident. That such an attack arrives looking like a routine dependency update, and runs silently during install, underscores the persistent threat within software supply chains.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, supply-chain, vulnerability, npm, CVE-2025-69264
- **Credibility**: unverified
- **Published**: 2026-04-16 00:23:00
- **ID**: 66483
- **URL**: https://whisperx.ai/en/intel/66483