Last updated date: 18th September 2025
Advisory publication date: 18th September 2025
Summary
This advisory provides details of our research and of the steps taken to ensure that the continued spread of the recent supply chain attacks on npm does not affect CloverDX software.
We confirm that none of the already released CloverDX versions are affected by these attacks (all versions prior to and including CloverDX 7.1.2) and we confirm that our development environment is not affected either.
This advisory concerns two recent attacks on npm, but the lessons learned and the approaches described here help us ensure that other similar attacks do not impact CloverDX software.
The first attack – a crypto stealer – began on 8th September and was quickly contained (it lasted for around 2 hours). Even so, the attackers managed to compromise at least 18 npm packages with a combined total of more than 2.6 billion weekly downloads.
The second attack – dubbed Shai-Hulud – began just a few days later (with the first signs of modified packages from 15th September). In this case, the malware automatically propagates itself by stealing various authentication tokens (including npm tokens) and was able to infect hundreds of packages within just a few days. As of the last update of this advisory, the attack seems to still be spreading, although at a limited pace compared to the beginning of the campaign.
Am I affected?
CloverDX products are not affected by these attacks and therefore you cannot be compromised by using CloverDX software.
What you need to do
Review the information in this article to see if it may help you diagnose similar attacks within your organization.
Investigation
After learning of the attacks, we conducted a thorough review of our infrastructure to ensure that we have not been affected by these attacks:
- All versions of CloverDX published before the attacks began are not affected, since they could not have used any of the affected packages. The latest release before the first attack was on 29th August – a bugfix release, CloverDX 7.1.2. The last npm update affecting this CloverDX version was in June – well before these attacks. This means that all currently published releases of CloverDX are not affected by these attacks.
- CloverDX does not pull any code from npm as part of its operation when running. Therefore, none of the instances of CloverDX can become compromised “on their own”.
- We reviewed npm logs across all our development infrastructure – all build and test servers, their caches etc. We have not found any instance where an npm update was carried out after the attacks began. All updates match our Jira tracking issues for them, and no unexpected updates were found. Therefore, we concluded that our development infrastructure is not compromised.
- We reviewed npm logs and caches across all developers’ machines. We found one instance where a developer executed npm install as part of their work and updated their locally cached dependencies (i.e., on their machine only). Even though none of the pulled packages appear on known lists of the affected packages, we reverted everything to the state before the attacks began and cleaned all caches etc. After this, we concluded that our developers’ machines have not been compromised either.
Mitigation
Even before these attacks, our development environment had been set up to incorporate industry best practices to minimize the possibility of supply chain attacks (or other attacks in general).
- All Java dependencies (jar files) are only updated as part of a planned update based on a real need – e.g., a new feature requirement, a security vulnerability, compatibility requirements etc. All such updates are done manually, and the updated jar files are loaded into our Nexus, from where they are pulled during the build process. There is no automated pull of new versions directly from Maven or any other repository.
- All Java dependencies (jar files) require code review when updated. Any unexpected changes are reviewed and discussed to ensure that we do not introduce unwanted or dangerous changes into the product. This process catches a variety of issues – compatibility issues (e.g., a new version not compatible with something else within the product), licensing changes, maintenance issues (e.g., a library not being actively maintained etc.).
- We use a package-lock.json file to ensure that JavaScript dependencies are locked at specific versions. All dependencies are periodically checked by our CI/CD system for known vulnerabilities. Dependencies are only updated manually by developers, and updated dependencies are reviewed and tested; no new versions of any dependencies are pulled into the process automatically.
- We use automated scanning tools like OWASP Dependency-Check and npm audit on every build to discover known vulnerabilities. Such builds happen many times per day across many development branches. Fixes for vulnerabilities discovered this way are planned according to our security policy.
- We do code reviews to ensure that bad practices or common bugs do not lead to insecure or low-quality code. This process also helps train our more junior developers, since reviews are done with seniors.
- Our employees regularly receive security training.
We also reduce the attack surface within CloverDX by following best practices for network security, password hygiene, MFA, encryption etc. These practices are, however, out of scope of this security advisory.
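As an added example (not CloverDX's own tooling), the following Node.js script audits a package-lock.json along the lines of the review described above: it compares every locked package against a list of known compromised name@version pairs, checks that each tarball resolves to the expected internal registry rather than straight from the public registry, and flags packages that declare install scripts for manual review. All package names, versions and the registry host in it are constructed placeholders.

```javascript
// Constructed placeholder list of compromised name@version pairs; in practice
// this would be populated from the published lists of affected packages.
const COMPROMISED = new Set(['example-compromised-pkg@9.9.9']);
// Constructed internal registry URL (e.g. a Nexus npm proxy) that every
// locked dependency is expected to resolve from.
const ALLOWED_REGISTRY = 'https://nexus.example.internal/repository/npm/';

// Constructed lockfile v3 fragment standing in for a real package-lock.json.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/safe-lib': {
      version: '2.3.4',
      resolved: `${ALLOWED_REGISTRY}safe-lib/-/safe-lib-2.3.4.tgz`,
    },
    'node_modules/example-compromised-pkg': {
      version: '9.9.9',
      resolved: `${ALLOWED_REGISTRY}example-compromised-pkg/-/example-compromised-pkg-9.9.9.tgz`,
      hasInstallScript: true, // lockfile v2+ records packages with install scripts
    },
    'node_modules/stray-dep': {
      version: '0.1.0',
      resolved: 'https://registry.npmjs.org/stray-dep/-/stray-dep-0.1.0.tgz',
    },
  },
});

// Returns a list of { id, issue } findings for a lockfile v2/v3 JSON string.
function auditLockfile(lockJson, compromised = COMPROMISED, allowedRegistry = ALLOWED_REGISTRY) {
  const lock = JSON.parse(lockJson);
  if (!lock.packages) throw new Error('lockfile v1 has no "packages" map; regenerate with npm >= 7');
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue; // root project entry, not a dependency
    // The package name is everything after the last "node_modules/", which
    // handles both scoped (@scope/name) and nested dependencies.
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const id = `${name}@${entry.version}`;
    if (compromised.has(id)) findings.push({ id, issue: 'known-compromised' });
    if (entry.resolved && !entry.resolved.startsWith(allowedRegistry)) {
      findings.push({ id, issue: 'unexpected-registry' });
    }
    if (entry.hasInstallScript) findings.push({ id, issue: 'install-script' });
  }
  return findings;
}

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Any 'unexpected-registry' finding means a dependency bypassed the pinned internal registry; 'install-script' findings are not malicious by themselves but mark the packages whose scripts deserve a look during the manual review.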
Support
If you did not receive this email directly and you want to receive Security Advisory emails like this in the future, subscribe to the CloverDX Security Alerts mailing list.
If you have any questions or concerns regarding this advisory, please raise a CloverCARE support request via Customer Portal.
References
- Sonatype Security Research Team: “Ongoing npm Software Supply Chain Attack Exposes New Risks”; 17th September 2025; Available at https://www.sonatype.com/blog/ongoing-npm-software-supply-chain-attack-exposes-new-risks
- Brian Krebs: “Self-Replicating Worm Hits 180+ Software Packages”; 16th September 2025; Available at https://krebsonsecurity.com/2025/09/self-replicating-worm-hits-180-software-packages/
- Henrik Plate: “npm Malware Outbreak: Tinycolor and CrowdStrike Packages Compromised”; 16th September 2025; Available at https://www.endorlabs.com/learn/npm-malware-outbreak-tinycolor-and-crowdstrike-packages-compromised
- Abhinav Mishra: “When Dependencies Turn Dangerous: Responding to the NPM Supply Chain Attack”; 11th September 2025; Available at https://blog.qualys.com/vulnerabilities-threat-research/2025/09/10/when-dependencies-turn-dangerous-responding-to-the-npm-supply-chain-attack
- Asaf Henig, Cameron Hyde: “Breakdown: Widespread npm Supply Chain Attack Puts Billions of Weekly Downloads at Risk”; 10th September 2025; Available at https://www.paloaltonetworks.com/blog/cloud-security/npm-supply-chain-attack/
- CloverDX Security policy
- CloverDX Support policy
Update history
- 2025-09-18 – This advisory was first published.