Skip to content
Security & Trust

pnpm Leaks Developer Secrets Before Scripts Execute

A config-phase flaw expands environment secrets into registry requests — before any lifecycle script runs

· 5 min read
Share on X LinkedIn
pnpm Leaks Developer Secrets Before Scripts Execute

A Vulnerability That Precedes the First Command

GitHub Security Advisory GHSA-3qhv-2rgh-x77r documents a capability in pnpm — the JavaScript package manager widely adopted in Next.js and React monorepo environments — that allows a repository's configuration file to expand environment variables into outbound registry requests. The expansion occurs during pnpm's config-resolution phase, before lifecycle scripts (preinstall, postinstall) are eligible to execute. A crafted .npmrc file embedded in a repository can route package metadata requests through an attacker-controlled registry URL, embedding secrets — NPM_TOKEN, GITHUB_TOKEN, cloud-provider credentials — that were never intended to leave the developer's build environment.

Disclosed — config-phase secret expansion into registry requests, no script execution required
pnpm Advisory GHSA-3qhv-2rgh-x77r
Source: GitHub Security Advisories (June 2026)

The Defense That Does Not Apply

The established mitigation for malicious package behavior is script auditing: review preinstall and postinstall hooks, or invoke pnpm install with --ignore-scripts to suppress lifecycle execution entirely. That guidance does not address config-phase resolution. The secret expansion happens before the package manager reaches the lifecycle script execution stage — making it structurally prior to the point where standard controls are applied. Developers and CI pipelines following current best practice — auditing scripts, using sandboxed runners, reviewing dependency trees — have limited protection against this class of attack. The attack surface is the repository configuration file itself, not the executable code it accompanies.

Over 5 million
pnpm weekly downloads, npm Registry
Source: npm Registry download statistics (npmjs.com, Q1 2026)

CI/CD Pipelines Are Disproportionately Exposed

Automated build systems inject secrets as environment variables by design: NPM_TOKEN for package publishing, cloud access keys for deployment, signing credentials for artifact integrity. pnpm is adopted across monorepo build pipelines specifically for its performance characteristics in large Next.js and TypeScript codebases. A malicious config introduced through a compromised contributor pull request, a poisoned lockfile update, or a backdoored transitive dependency can trigger secret exfiltration before a single test executes — and before any security scanner has evaluated the run. The attack requires no novel capability; it exploits documented config-resolution behavior that predates the advisory's disclosure.

1,629 (as of June 25, 2026)
CISA Known Exploited Vulnerabilities Catalog — total entries
Source: CISA KEV Catalog (cisa.gov, June 2026)

AI-Assisted Development Widens the Exposure Window

AI coding tools — Cursor, Claude Code, GitHub Copilot — have shifted developer workflows toward high-velocity repository exploration: clone, scaffold, and iterate, often across dozens of repositories in a single session. Each clone and package manager invocation is a config-resolution event. The conventional security boundary — human review before script execution — compresses further when AI tooling automates the scaffold-and-run workflow. Malicious repository configs are designed to be invisible in standard diff review; the expansion happens in infrastructure the developer rarely inspects. This is the mechanism that makes config-phase attacks well-suited to the current AI-assisted development environment: the attack surface scales with developer velocity.

The WebPulse Scan Lens

Among the 466,000+ sites in the WebPulse scan dataset, Next.js is among the top-detected JavaScript frameworks. The pnpm advisory does not affect the Next.js runtime, deployed application behavior, or end-user security — this is a build environment vulnerability, not a runtime one. The exposure is upstream: in the developer machines and CI/CD pipelines that assemble and publish those applications. Organizations should verify that no repository in their active build graph introduces untrusted pnpm configuration files, upgrade to pnpm versions that address GHSA-3qhv-2rgh-x77r, and audit .npmrc configurations across all repositories in active pipelines. Scoped, short-lived tokens with minimum required permissions reduce the value of any credential extracted through this path, regardless of how the extraction occurs.

Share this insight