Neptune Software not affected by the NPM supply chain attack
What happened?
On September 8, 2025, attackers compromised the NPM account of a well-known developer through a phishing campaign. They published malicious versions of 18 popular Node.js packages (including chalk, debug, ansi-styles and others) with a hidden crypto-clipper payload. The malware silently replaced cryptocurrency wallet addresses in web3/browser contexts, redirecting funds to attacker-controlled wallets.
Why is Neptune DXP Open Edition safe?
While Neptune DXP Open Edition is based on Node.js, the corresponding Node.js project, including its dependencies, is bundled into a standalone executable at build time. This means:
The executable contains the exact dependency versions specified when the build was created.
Once built, the app no longer fetches code from NPM at runtime.
Therefore, any malicious package versions never entered our binaries.
What should you do?
Beyond the packaged Neptune DXP Open Edition binary, the platform supports custom-installed NPM modules for script logic development.
The compromised packages were online for a few hours at most, which drastically reduces the likelihood that you picked up any of them. Nevertheless, make sure to check your list of custom NPM modules (cockpit app NPM Modules) against the list of compromised packages and their versions.
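As an added example (not Neptune Software's code), the check above can be automated against an npm lockfile. It assumes your custom modules are installed with npm and therefore recorded in a package-lock.json (lockfileVersion 1, 2 or 3); the export format of the cockpit's own NPM Modules list is not covered here. The compromised versions in the script are placeholders, not the real ones: replace them with the published list before use. The sample lockfile is constructed for illustration.

```javascript
// Added example: report installed npm packages that match a list of known-bad
// name@version pairs. Walks transitive (nested) installs as well as top-level ones.
// Assumption: dependencies are tracked in a package-lock.json. Versions in
// COMPROMISED are PLACEHOLDERS; substitute the published compromised versions.

const COMPROMISED = new Set([
  "chalk@0.0.0-PLACEHOLDER",
  "debug@0.0.0-PLACEHOLDER",
  "ansi-styles@0.0.0-PLACEHOLDER",
]);

// Constructed sample lockfile (v3 layout): one clean chalk, one bad debug, and a
// bad ansi-styles nested under another module, which a top-level-only check misses.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-custom-modules", version: "1.0.0" },
    "node_modules/chalk": { version: "4.1.2" },
    "node_modules/debug": { version: "0.0.0-PLACEHOLDER" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/ansi-styles": { version: "0.0.0-PLACEHOLDER" },
  },
};

// Yield { name, version, path } for every installed entry.
// v2/v3 lockfiles: flat "packages" map keyed by install path (scoped names keep
// their "@scope/" prefix). v1 lockfiles: nested "dependencies" tree.
function* installedPackages(lock) {
  if (lock.packages) {
    const marker = "node_modules/";
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry, not a dependency
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      yield { name, version: meta.version, path };
    }
    return;
  }
  function* walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      yield { name, version: meta.version, path };
      yield* walk(meta.dependencies, `${path}/`);
    }
  }
  yield* walk(lock.dependencies, "");
}

// Return every installed package whose exact name@version is on the bad list.
function findCompromised(lock, compromised = COMPROMISED) {
  const hits = [];
  for (const pkg of installedPackages(lock)) {
    if (compromised.has(`${pkg.name}@${pkg.version}`)) hits.push(pkg);
  }
  return hits;
}

// Usage: node check-lock.js path/to/package-lock.json (falls back to the sample).
if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const hits = findCompromised(lock);
  for (const h of hits) console.log(`MATCH ${h.name}@${h.version} at ${h.path}`);
  console.log(hits.length
    ? `${hits.length} compromised package(s) found`
    : "no compromised packages found");
}
```

Matching is on exact name and version, because the compromised releases were specific versions of otherwise legitimate packages; a version-range or name-only match would produce false positives on the clean releases most projects pin.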