Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade pnpm to version 10.34.2, 11.5.3 or higher.
pnpm is a Fast, disk space efficient package manager
Affected versions of this package are vulnerable to Insufficiently Protected Credentials in repository-controlled configuration, where ${ENV_VAR} placeholders in a project .npmrc or pnpm-workspace.yaml are expanded into registry request destinations and credentials by the config reader (loadNpmrcFiles.ts). An attacker can exfiltrate environment secrets such as npm or CI job tokens by publishing a repository whose .npmrc places a placeholder like ${CI_JOB_TOKEN} in a registry URL or an _authToken value, which is expanded and sent to the attacker-selected registry during dependency resolution. Exploitation requires the victim to run pnpm or pacquet in the malicious repository with the referenced secret present in the environment, and the disclosure occurs before lifecycle scripts run, so --ignore-scripts does not prevent it.