Highzkochan

#34879de 53,635
7.5 CVSS total
Vulnerabilities · 1
PT-2023-25988
7.5
2023-08-01
Pnpm · Pnpm · CVE-2023-37478
**Name of the Vulnerable Software and Affected Versions**

- pnpm versions prior to 7.33.4
- pnpm versions prior to 8.6.8

**Description**

The issue arises from how pnpm parses tar archives: a tarball can be constructed that appears safe when installed via npm or when parsed by the registry, but is malicious when installed via pnpm. As a result, a package that looks safe on the npm registry or when installed via npm can be replaced with a compromised or malicious version when installed via pnpm.

The TAR format is append-only, and its specification for updating files means an archive may contain multiple copies of a file such as `package.json`; the expected behavior is that all copies other than the last are ignored during extraction. pnpm, however, extracts only the first file of a given name and discards any later entries with the same name, so the content it installs can differ from what npm or the registry sees.

**Recommendations**

- For pnpm versions prior to 7.33.4, update to version 7.33.4 or later.
- For pnpm versions prior to 8.6.8, update to version 8.6.8 or later.
- As a temporary workaround, consider avoiding the use of pnpm for installing packages until a patched version is applied.
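The following is an added example, not part of this advisory and not pnpm's or npm's own code. It models the two extraction policies the description contrasts ("last copy wins", as the TAR specification and npm expect, versus "first copy wins", as the affected pnpm versions behaved) and shows the pre-install check a defender would want: flag any archive in which the same path appears more than once, and report which members would resolve differently under the two policies. The sample tarball is constructed in memory with Python's standard `tarfile` module; the file names and contents are illustrative only.

```python
import io
import tarfile


def build_tarball(members):
    """Build an in-memory, uncompressed tar from (name, bytes) pairs.

    Entries are written in the given order, so the same name can legitimately
    appear twice, exactly as the append-only TAR model allows.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in members:
            info = tarfile.TarInfo(name)  # regular file, default mode/mtime
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample: package/package.json is stored twice; the second copy
# points "main" at a different file.  (Illustrative content, not a real package.)
SAMPLE_WITH_DUPLICATE = build_tarball([
    ("package/package.json", b'{"name":"demo","main":"index.js"}'),
    ("package/index.js", b"module.exports = 1;\n"),
    ("package/package.json", b'{"name":"demo","main":"other.js"}'),
])

# Constructed sample with no repeated names, for comparison.
SAMPLE_CLEAN = build_tarball([
    ("package/package.json", b'{"name":"demo","main":"index.js"}'),
    ("package/index.js", b"module.exports = 1;\n"),
])


def members_in_order(data):
    """Return [(name, content), ...] for every regular-file entry, in archive
    order, keeping every copy of a repeated name (nothing is collapsed here)."""
    out = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        for member in tf:
            if member.isfile():
                # extractfile(TarInfo) reads at that entry's own offset, so each
                # copy is returned separately even when names repeat.
                out.append((member.name, tf.extractfile(member).read()))
    return out


def resolve(data, policy):
    """Collapse repeated names into one content per path.

    policy="last"  -> the TAR-specification behaviour (later copy replaces earlier).
    policy="first" -> a model of the affected pnpm versions, which kept the first
                      copy and discarded later ones (assumption: modelled from the
                      advisory text, not taken from pnpm's source).
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    result = {}
    for name, content in members_in_order(data):
        if policy == "last" or name not in result:
            result[name] = content
    return result


def duplicate_members(data):
    """Defender check: map each path that appears more than once to its count."""
    counts = {}
    for name, _ in members_in_order(data):
        counts[name] = counts.get(name, 0) + 1
    return {name: n for name, n in counts.items() if n > 1}


def divergent_members(data):
    """Paths whose installed content would depend on the extraction policy,
    i.e. exactly the entries that make an archive look different to different
    installers."""
    last, first = resolve(data, "last"), resolve(data, "first")
    return sorted(name for name in last if last[name] != first[name])


if __name__ == "__main__":
    for label, sample in (("with duplicate", SAMPLE_WITH_DUPLICATE), ("clean", SAMPLE_CLEAN)):
        print(label, "duplicates:", duplicate_members(sample),
              "policy-dependent:", divergent_members(sample))
```

A non-empty result from `duplicate_members` is the cheap signal to gate on before installing: a well-formed package tarball has no reason to ship two entries for the same path, and `divergent_members` tells you which files an affected client would have installed differently from npm. Note that Python's own `TarFile.getmember(name)` already follows the "last copy wins" rule, so a scanner that looks up members by name instead of iterating the archive would silently miss the earlier copy.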