Vaadin Flow, Hilla and the September 2025 npm supply-chain attacks

Overview

Two major npm supply-chain attacks have recently been reported, raising concerns about the safety of the broader software ecosystem, including for Vaadin users.

The first incident involved compromised maintainer accounts and malicious releases of widely used packages such as debug and chalk. The second, known as Shai-Hulud, used poisoned package versions and a self-replicating post-install script to steal developer credentials (npm tokens, GitHub PATs, cloud keys) and republish tainted packages from victim accounts, infecting 180+ packages.

No Vaadin packages or bundles were affected in either attack.

Description

Attackers pushed malicious releases to popular npm packages. Payloads executed on install, stole credentials, and attempted self-propagation by publishing modified packages from compromised maintainer accounts.

Registries and vendors removed malicious versions.

Impact to Vaadin Flow and why platform users are not vulnerable

Vaadin’s shipped JS bundles for platform releases in the last 3 months do not contain any of the compromised packages. Verification was done by scanning and by checking our release SBOMs.

The compromised packages were primarily build-time dependencies in typical web stacks and they are not present in Vaadin’s production bundles.

Why we are not vulnerable


1. Default no-compile path uses Vaadin-shipped bundles.

Flow apps do not run a frontend toolchain in production. At development or CI/CD build time, apps that use only standard Vaadin components and no custom frontend code also skip the toolchain. In these cases, Flow reuses the JS and CSS bundles we ship, so builds do not pull from npm.

Note on Hilla: Hilla apps compile the frontend and therefore should follow the customer guidance below.

2. Pinned, reproducible bundles built by us.

Vaadin’s dev and prod bundles are created in our CI with pinned versions and published as artifacts. They are available in Maven repositories under the coordinates vaadin-dev-bundle and vaadin-prod-bundle.

3. SBOMs per release and recent verification.

Platform releases include SBOM generation, so dependency inventories are auditable.

We reviewed SBOMs for recent supported series* and saw none of the compromised packages referenced in the public reports.

SBOMs are attached to the release notes of each version in the https://github.com/vaadin/platform repository, so you can download and audit the SBOM from your version’s release page.

* 23.6.1–23.6.3, 24.7.9–24.7.14, 24.8.2–24.8.8, 24.9.0 and its prereleases, 25.0.0 prereleases

4. Malicious npm versions were removed upstream.

The npm registry has removed the tainted versions; rebuilds fetch clean packages.

Bottom line: Vaadin applications that compiled their own frontend during the attack window should follow the customer guidance below.

Affected products

No Vaadin versions are affected by this issue; the npm packages and versions that were compromised are listed in the references section.

- Flow using Vaadin-shipped bundles: Not affected.

- Flow or Hilla projects that compile custom frontend: Potential exposure only if you built while malicious versions were available.

Customer guidance

If you compile your own bundles and suspect you may have built them during the time when infected packages were available in the npm registry, or if you simply want to be cautious, scan your package-lock.json using a tool such as npm audit.

Since the malicious npm package versions have been removed from the npm central repository, you may also want to reset your bundle from clean dependencies. Running mvn vaadin:clean-frontend will remove node_modules and package-lock.json. A fresh package-lock.json will be generated automatically by Vaadin; it will exclude versions removed from the registry but is not a blanket safety guarantee.

In CI/CD builds, it is recommended to use the ciBuilds=true option. This forces the use of exact dependency versions and prevents newer, unintended maintenance releases from being pulled in automatically.

Because our release model follows the evergreen principle, we strongly recommend keeping your project aligned with the latest versions in any supported major/minor series.

Vaadin actively monitors dependency security. We use multiple tools such as Dependabot and Snyk to scan both Maven and npm dependencies, and we update them frequently based on findings. Customers are advised to also stay on the latest Vaadin release to benefit from these updates.

References

First attack in Aikido Blog: www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised

Second Attack in The Hacker News: thehackernews.com/2025/09/40-npm-packages-compromised-in-supply.html

List of affected Packages: socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages

GitHub plans for securing the npm supply chain: github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/

History

  • 2025-09-26: Initial vulnerability report published