In response to the reported NPM supply chain compromise involving the qix account, we deleted all cached dependencies created after 13:00 UTC on 8 September 2025 as a preventive security measure. These dependencies may have contained versions of npm packages potentially compromised during the breach window.
Cache files older than 13:00 UTC remain intact, preserving valid and pre-existing dependencies unaffected by the incident.
Details: Malicious versions have been published for dozens of high-impact npm packages maintained by qix, including strip-ansi, color-convert, color-name, error-ex, and is-core-module. See more details here: GitHub Issue #1005.
How to protect yourself:
If you use npm, immediately audit your dependencies.
Pin all affected packages to their last known safe versions using the overrides field in package.json.
Use npm ci in your build pipelines to ensure reproducible installs.
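One way to carry out the audit and pinning steps above, as an added example that is not part of the original bulletin: it scans a parsed package-lock.json (lockfileVersion 2 or 3) for the packages named above, including nested copies, and builds an overrides block only from versions you have verified yourself. The function names, the sample lockfile and its version numbers are constructed placeholders, not advisory data.

```javascript
// Added example: the watchlist is the five packages the bulletin names.
const WATCHLIST = ["strip-ansi", "color-convert", "color-name", "error-ex", "is-core-module"];

// In lockfileVersion 2/3, lock.packages is keyed by install path, e.g.
// "node_modules/a/node_modules/strip-ansi". The package name is whatever
// follows the last "node_modules/" (this keeps scoped names intact).
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Return every installed copy of a watched package, nested copies included.
function findInstalled(lock, watchlist = WATCHLIST) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(path);
    if (name && watchlist.includes(name)) {
      hits.push({ name, version: meta.version, path });
    }
  }
  return hits;
}

// Build the package.json "overrides" object from versions you have verified.
// Packages without a verified version are reported, never guessed.
function buildOverrides(hits, safeVersions) {
  const overrides = {};
  const unresolved = new Set();
  for (const { name } of hits) {
    if (safeVersions[name]) overrides[name] = safeVersions[name];
    else unresolved.add(name);
  }
  return { overrides, unresolved: [...unresolved] };
}

// Constructed sample lockfile; version strings are placeholders.
// For a real project: JSON.parse(fs.readFileSync("package-lock.json", "utf8"))
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/strip-ansi": { version: "0.0.1" },
    "node_modules/some-cli/node_modules/strip-ansi": { version: "0.0.2" },
    "node_modules/color-name": { version: "0.0.3" },
    "node_modules/left-pad": { version: "0.0.4" },
  },
};
const sampleHits = findInstalled(sampleLock);
const samplePlan = buildOverrides(sampleHits, { "strip-ansi": "0.0.1" });
console.log(sampleHits, samplePlan);
```

Compare each reported version against the affected versions listed in the linked issue, and commit the regenerated lockfile so that npm ci installs exactly what was audited.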
Security Bulletin: Critical updates and information about vulnerabilities, patches, and security releases.