NPM supply chain attack - why our platform is secure
What happened
This week, attackers compromised developer accounts on npmjs.org and published manipulated versions of well-known open-source packages. These packages are downloaded billions of times each week. The injected code was designed to capture data and redirect transactions.
Why this does not affect us
Our platform is not impacted. We only use dependencies that are reviewed and built into the product through controlled processes. Nothing is ever pulled directly from npm at runtime. Every update passes through our CI/CD pipeline and is tested before it is released.
The ADITO Designer loads components dynamically, but only from explicitly defined and versioned packages. It does not resolve or install unspecified or floating versions such as "latest". This prevents unintended updates and ensures that only verified, expected package versions are used.
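The property described above (every dependency named by an exact, reviewed version, nothing resolved to a floating tag such as "latest") is something a CI pipeline can check mechanically before a build is allowed to proceed. The following is an added example written for this page, not ADITO's own tooling, and it goes slightly beyond the text: besides "latest" it also flags caret/tilde ranges, wildcards and git/URL sources, since all of those let npm pick a version nobody reviewed. The package.json content, package names and function names are constructed for illustration.

```javascript
// Added example (not ADITO's code): flag dependency specifiers in a package.json
// that npm would resolve dynamically instead of to one fixed, reviewed version.
// Only exact "x.y.z" specifiers (optionally with prerelease/build metadata, or a
// leading "=" / "v") count as pinned; everything else is reported with a reason.

const EXACT_VERSION = /^=?v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Classify one version specifier. Returns null when it is pinned, otherwise a
// short reason describing why npm could resolve it to something unreviewed.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (EXACT_VERSION.test(s)) return null;
  // git/http/file/alias sources are not registry versions at all; the referenced
  // location has to be reviewed on its own terms.
  if (/:\/\//.test(s) || /^(git\+|github:|file:|link:|npm:)/.test(s)) {
    return 'non-registry or aliased source: review the referenced location, not just the version';
  }
  // Empty string, "*" and bare words ("latest", "next", "beta") are dist-tags or
  // wildcards: they resolve to whatever was published most recently.
  if (s === '' || s === '*' || /^[A-Za-z][\w.-]*$/.test(s)) {
    return 'dist-tag or wildcard: resolves to whatever was most recently published';
  }
  // Caret, tilde, comparators, hyphen ranges, "||" unions and ".x" wildcards all
  // allow npm to select a newer release than the one that was reviewed.
  if (/^[\^~<>=]/.test(s) || /\|\|| - |[xX*]/.test(s)) {
    return 'version range: npm may pick a newer release than the one that was reviewed';
  }
  return 'unrecognized specifier: treat as unpinned until reviewed';
}

// Walk all dependency sections of a parsed package.json and collect findings.
function findFloatingDependencies(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = pkg[field] || {};
    for (const [name, spec] of Object.entries(deps)) {
      const reason = classifySpec(spec);
      if (reason !== null) findings.push({ field, name, spec, reason });
    }
  }
  return findings;
}

// Constructed sample package.json (package names are invented for the example).
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-app',
  dependencies: {
    'left-lib': '1.4.2',                                  // pinned: passes
    'ui-kit': '^3.0.0',                                   // caret range
    'tooling': 'latest',                                  // dist-tag
    'util-lib': '*',                                      // wildcard
    'build-helper': '>=2.1.0 <3',                         // comparator range
    'vendored': 'git+https://example.invalid/repo.git'    // git source
  },
  devDependencies: {
    'test-runner': '~8.2.0',                              // tilde range
    'lint': '2.0.0-beta.1'                                // pinned prerelease: passes
  }
};

// Usage: run the check and fail the build when anything is not pinned.
const findings = findFloatingDependencies(SAMPLE_PACKAGE_JSON);
for (const f of findings) {
  console.log(`${f.field}: ${f.name}@"${f.spec}" -> ${f.reason}`);
}
console.log(findings.length === 0 ? 'all dependencies pinned' : `${findings.length} unpinned dependencies`);
```

A check like this covers only direct dependencies; transitive versions are governed by the lockfile, so the same pipeline should install with `npm ci` (which refuses to proceed when package.json and package-lock.json disagree) and commit the lockfile so the resolved versions are part of the reviewed change.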
Conclusion
This incident underlines the importance of supply-chain security. Thanks to our architecture, our strict versioning rules, and our controlled processes, we can state clearly: our customers and partners are not affected by this attack.
./Robert