NPM Packages Compromised in Supply Chain Attack
WSO2 impacted: No
Evidence of compromise: No
Customer actions required: No
Reported Incident
On September 28, 2025, a security incident was reported in which over 40 NPM packages were compromised in a large-scale supply chain attack. The compromised packages were modified to exfiltrate sensitive information, including authentication tokens and configuration details, from developer environments.
Impact on WSO2 Products and Deployments
Following the incident, the WSO2 Security and Compliance team immediately collaborated with engineering teams to review the dependency list across all WSO2 products and services.
The investigation confirmed that none of the compromised NPM packages are used in WSO2 products, services, or related build environments.
Based on this analysis, WSO2 and its customers are not impacted by this supply chain attack.