Resolved
Recently, a second malicious version of several npm packages was published under the campaign known as “Sha1-Hulud.” These packages were designed to steal credentials and spread further across the software supply chain. We want to emphasize that there is no impact on existing releases. No current release of the Betty Blocks platform (public cloud, private cloud, or on-premise) has been affected by the malicious npm packages.
At Betty Blocks, we want to update you on how we are handling this situation.
What Betty Blocks is doing
- Version-pinned packages:
Almost all npm packages used in our platform are version-pinned. This means updates are never automatic and only happen when explicitly approved by our engineers.
- Verification before release:
In the coming weeks, every platform component that depends on npm packages will be checked to ensure no infected versions are included before we release to testing, acceptance, or production environments. All packages not pinned to a specific version will be verified before being used in the next release.
- On-premise and private cloud deployments:
Clients running Betty Blocks in on-premise or private cloud setups will only receive updates that we have confirmed to be free of the affected package versions.
In addition to the above measures, we have analyzed 284 internal and public code repositories and determined that none of these repositories were affected by either the current sha1-hulud incident or the previous shai-hulud incident.
What clients should know
If you are developing your own custom components within the Betty Blocks platform, please be aware:
- You are responsible for the npm packages you include in your custom work.
- We strongly recommend reviewing your package versions and checking them against the published list of affected libraries.
- Betty Blocks does not actively monitor custom development performed by clients.
If you have any questions about this topic, or would like guidance on how to check your own packages, please contact your Betty Blocks support representative.
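One way to carry out the package review recommended above, as an added example that is not Betty Blocks code: it flags dependencies in package.json that are not pinned to an exact version and lists every installed copy in a package-lock.json (lockfileVersion 2 or 3) whose resolved version is on an affected list. The package names, versions and the AFFECTED list are constructed placeholders; the real list comes from the published advisories.

```javascript
// Added example. AFFECTED and both sample inputs are constructed placeholders.
const AFFECTED = {
  "example-compromised-pkg": ["1.2.3", "1.2.4"],
  "@example-scope/helper": ["0.9.1"],
};

// Exact semver only (optional prerelease/build); ranges, tags and URLs count as unpinned.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Direct dependencies in package.json whose spec is not an exact version.
function findUnpinned(pkgJson) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkgJson[field] || {})) {
      if (!EXACT.test(spec)) out.push(`${name}@${spec}`);
    }
  }
  return out;
}

// Every installed copy (direct or transitive) whose resolved version is on the list.
function findAffected(lock, affected) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project ("") or a workspace folder, not an install
    const name = path.slice(idx + "node_modules/".length); // keeps the @scope/ prefix
    const bad = Object.hasOwn(affected, name) ? affected[name] : [];
    if (bad.includes(entry.version)) hits.push({ name, version: entry.version, path });
  }
  return hits;
}

// Constructed sample inputs
const samplePkg = { dependencies: { "left-thing": "2.0.1", "example-compromised-pkg": "^1.2.0" } };
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "my-custom-component", version: "1.0.0" },
  "node_modules/left-thing": { version: "2.0.1" },
  "node_modules/example-compromised-pkg": { version: "1.2.4" },
  "node_modules/left-thing/node_modules/@example-scope/helper": { version: "0.9.0" },
}};

console.log("unpinned:", findUnpinned(samplePkg));
console.log("affected:", findAffected(sampleLock, AFFECTED));
```

The lockfile check matters even when package.json is fully pinned, because transitive dependencies are resolved only in the lockfile.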
Posted Nov 27, 2025 - 15:53 CET
This incident affected: Betty Blocks zone NL1 (API), Betty Blocks global services (My Betty Blocks portal, Block Store), Betty Blocks zone NL3 (API, IDE, Pages, DataAPI, ActionsAPI), Betty Blocks private cloud zone 1 (API), Betty Blocks private cloud zone 3 (API, IDE, Pages, ActionsAPI), Betty Blocks private cloud zone 4 (API, IDE, Pages, ActionsAPI), Betty Blocks private cloud zone 6 (API, IDE, Pages, DataAPI, ActionsAPI), Betty Blocks private cloud zone 7 (API, IDE, Pages, DataAPI, ActionsAPI), Betty Blocks private cloud zone 8 (API, IDE, Pages, DataAPI, ActionsAPI), Betty Blocks zone US2 (API, IDE, Pages, DataAPI, ActionsAPI), Betty Blocks zone NL4 (API, IDE, Pages, DataAPI, ActionsAPI), Betty Blocks private cloud zone 9 (API, IDE, Pages, DataAPI, ActionsAPI), Betty Blocks private cloud zone 10 (API, IDE, Pages, DataAPI, ActionsAPI), Betty Blocks private cloud zone 11 (API, IDE, Pages, DataAPI, ActionsAPI), Betty Blocks zone NL6 (API, Pages, DataAPI, ActionsAPI, IDE), Betty Blocks private cloud zone 12 (API, IDE, Pages, DataAPI, ActionsAPI), Betty Blocks private cloud zone 13 (API, IDE, Pages, DataAPI, ActionsAPI), Betty Blocks private cloud zone 14 (API, IDE, Pages, DataAPI, ActionsAPI), Betty Blocks private cloud zone 16 (API, IDE, Pages, DataAPI, ActionsAPI), Betty Blocks private cloud zone 17 (API, IDE, Pages, DataAPI, ActionsAPI), Betty Blocks zone CA4 (API, IDE, Pages, ActionsAPI), Betty Blocks private cloud zone 18 (API, IDE, Pages, DataAPI, ActionsAPI), Betty Blocks private cloud zone 19 (API, IDE, Pages, DataAPI, ActionsAPI), and Betty Blocks private cloud zone 15 (API, IDE, Pages, DataAPI, ActionsAPI).