Plone Security Advisory 20250909
What happened?
It has come to our attention that there has been a security incident affecting multiple npm packages owned by the npm user ~qix. An attacker gained control over the packages for a short period of time and injected code aimed at stealing login credentials and rerouting cryptocurrency transactions to attacker-controlled wallets. For more information on the details, see the blog post on aikido.dev. The affected packages are:
- backslash
- chalk-template
- supports-hyperlinks
- has-ansi
- simple-swizzle
- color-string
- error-ex
- color-name
- is-arrayish
- slice-ansi
- color-convert
- wrap-ansi
- ansi-regex
- supports-color
- strip-ansi
- chalk
- debug
- ansi-styles
How does it affect Plone?
For the Plone ecosystem the impact should be very limited: of the affected packages, only debug is actually used in Volto core builds, and it is pinned to an unaffected version. None of the other compromised packages are used in Volto core.
ClassicUI also uses some of these packages, but only in unaffected versions. The released packages related to ClassicUI (patternslib, mockup, plone.staticresources) are therefore not affected, and the same holds for Volto.
What actions do I have to take?
In most cases none. We still advise you to clear your package manager caches and node_modules and reinstall on development machines, and to rebuild deployments, so that nothing fetched during the window of compromise survives.
If you maintain one or more frontend add-ons, check whether you use any of the affected dependencies, especially without an exact version pin: a range such as ^ or ~ lets a fresh install resolve to whatever version is newest on the registry. If you do, pin the package to an unaffected version and release an update of your add-on.