Last updated: September 22, 2025
Summary
We are aware of reports of a supply‑chain malware campaign ("Shai‑Hulud") affecting the npm ecosystem via compromised developer accounts and malicious package versions. Based on our review, Dispatch (including Sentinel) is not impacted. We do not consume any of the known compromised packages, and our build and deployment pipelines show no signs of compromise.
What happened (brief)
Public reporting indicates a self‑propagating malware campaign that published malicious npm package versions intended to exfiltrate secrets (for example, tokens and environment variables) and to spread by abusing developer credentials.
References:
Impact to Dispatch
No affected packages in our dependency inventories.
No evidence of suspicious publication activity from our accounts.
No anomalous activity detected in CI/CD, artifact registries, or production environments related to this incident.
Dispatch will continue to monitor repositories and pipelines for anomalous behaviors.
Guidance for customers and partners
Continue standard best practices: pin and audit dependencies, enforce MFA on source control and package registries, monitor CI/CD for anomalous access, and rotate high‑risk tokens if exposure is suspected.
If you operate internal npm mirrors or caches, refresh advisories and purge known bad versions.
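One way to carry out the dependency audit described above, as an added example that is not Dispatch's own tooling: it checks every entry of a package-lock.json (lockfileVersion 3) against a denylist, including nested and aliased installs. The package names, versions and lockfile content are constructed placeholders, not real indicators.

```javascript
// Constructed denylist: populate from the advisories you trust.
// Names and versions are placeholders, not real indicators.
const DENYLIST = new Map([
  ["example-compromised-pkg", ["1.2.4", "1.2.5"]],
  ["@example-scope/util", ["3.0.1"]],
]);

// Constructed package-lock.json content (lockfileVersion 3), already parsed.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad-example": { version: "1.3.0" },
    "node_modules/example-compromised-pkg": { version: "1.2.4" },
    "node_modules/@example-scope/util": { version: "3.0.0" },
    // Nested (transitive) copy that a top-level-only check would miss.
    "node_modules/some-lib/node_modules/@example-scope/util": { version: "3.0.1" },
    // npm alias: the install folder differs from the real package name.
    "node_modules/harmless-alias": { name: "example-compromised-pkg", version: "1.2.5" },
  },
};

// Resolve the real package name: an explicit "name" field (aliases) wins,
// otherwise take everything after the last "node_modules/" in the path key.
function packageName(path, entry) {
  if (entry.name) return entry.name;
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Return every lockfile entry whose name and version are on the denylist.
function findDenylisted(lock, denylist) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.version) continue; // skip the root project
    const name = packageName(path, entry);
    if ((denylist.get(name) || []).includes(entry.version)) {
      hits.push({ name, version: entry.version, path });
    }
  }
  return hits;
}

for (const h of findDenylisted(SAMPLE_LOCK, DENYLIST)) {
  console.log(`DENYLISTED ${h.name}@${h.version} at ${h.path}`);
}
```

To check a real project, pass the result of parsing its package-lock.json to `findDenylisted` in place of `SAMPLE_LOCK`.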
Contact
For security inquiries related to this advisory, contact sentinel@dispatchintegration.com
We will update this page if new information emerges that changes our assessment.