Question

To be sure: is Shai-Hulud npm Supply Chain Attack a threat for mendix webapps or native apps?

0

Hi forum, We received an email from our security officer that we have to check if we might be affected by the Shai-Hulud npm Supply Chain Attack (e.g. see https://www.securityweek.com/shai-hulud-supply-chain-attack-worm-used-to-steal-secrets-180-npm-packages-hit/). We have to let him know that we have checked for this threat, but I don't know what to answer. We don't use npm ourselves, but is it save to say to him that Mendix nowhere uses affected npm packages? Kind regards, Giel

asked 2025-09-19

Giel Smits

2 answers

0

Thanks for your answer, very kind. We have no custom widgets or styling. This means we have to trust that mendix+react developers check for the threat?

answered 2025-09-19

Giel Smits

Marcian-Petrut Bondoc-Popescu · Accepted Answer · 2025-09-19

That is an excellent and very important question. Your security officer is right to be vigilant about supply chain attacks, as they are a significant threat.

Here is a detailed breakdown of what you need to know and how you should respond.

Short Answer:

No, it is NOT safe to simply tell him that Mendix is unaffected. You must perform due diligence. While you don't use npm directly, the Mendix platform relies on it heavily under the hood for its front-end, widgets, and styling. Your applications could be exposed through these dependencies.

The statement "We don't use npm ourselves" is true from a low-code developer's perspective, but not from a technical one. Here’s where npm is used in the Mendix ecosystem:

Mendix Front-End Client: The front-end of all modern Mendix applications is built using React. The entire build and bundling process for this client relies on tools from the npm ecosystem. Mendix manages these core dependencies, but they exist.
Marketplace Widgets: This is the most likely vector. Almost every front-end widget you download from the Mendix Marketplace has its own package.json file and a tree of npm dependencies. If a widget author included one of the compromised packages, your application would be at risk during the build process.
Custom Widgets or Styling: If your team has ever built a custom pluggable widget or created a custom theme based on the Mendix Atlas UI framework, they have directly used npm and node.js on their development machines to build and test those components. These development environments are the primary target of an attack like Shai-Hulud, which aims to steal secrets from the build environment.

The Shai-Hulud attack specifically targets the development and build environment to steal configuration files and secrets (.npmrc, SSH keys, etc.). The risk is not necessarily that your final application running in production is compromised, but that sensitive credentials from your developers' machines or your CI/CD pipeline could be stolen during the app's build phase.