How to ensure you are not vulnerable to the debug / chalk supply chain attack that took place yesterday

[boutell]

As many of you may have read, a supply chain attack against a number of popular npm packages succeeded yesterday:

https://thehackernews.com/2025/09/20-popular-npm-packages-with-2-billion.html

For a 2-hour period yesterday morning (US Eastern), anyone installing the latest version of these packages unknowingly installed code that would attempt to steal funds from cryptocurrency wallets under certain circumstances.

However, this vulnerability applied only:

• If the code was present in the browser, not just on the server, and
• If the application had some relevance to cryptocurrency and so might make relevant network calls or invoke relevant APIs installed by cryptocurrency browser extensions.

Neither of these circumstances normally applies to ApostropheCMS.

However, in an abundance of caution, we advise you to update your project's dependencies today, test your site or application and redeploy to all public environments:

npm update

In our own tests, a fresh install of apostrophecms with a large number of our optional packages shows no sign of the issue after following these steps.

If you would prefer to avoid this, or just make doubly sure afterwards, you can check your existing build on your production server:

# To see if the malicious packages are present *at all* (not necessarily in the browser,
# where they could potentially be used maliciously)
cd node_modules
grep -R 'checkethereumw'
# To see if they are present in the actual frontend build for the browser 
cd public/apos-frontend
grep -R 'checkethereumw'