BASE-2236: Node.JS and NPM (Node Package Manager) Vulnerability

🔍 Overview


Summary

Node.JS and NPM (Node Package Manager) Vulnerability

Attackers compromised the Nx build system package and several widely used npm dependencies, inserting malicious code before publishing them to the npm registry.

The trojanized packages:

  • Scanned the file system

  • Harvested credentials

  • Exfiltrated data by creating a GitHub repository under the victim’s account and uploading the stolen information there

Advisory Release Date

26.9.2025

Products

eptos / eptos Search Engine

Affected Releases

eptos 6.*

Fixed Releases

N/A

CVE ID

https://nvd.nist.gov/vuln/detail/CVE-2025-10894

https://nvd.nist.gov/vuln/detail/CVE-2025-59037

https://nvd.nist.gov/vuln/detail/CVE-2025-59140

https://nvd.nist.gov/vuln/detail/CVE-2025-59143

https://nvd.nist.gov/vuln/detail/CVE-2025-59162

https://nvd.nist.gov/vuln/detail/CVE-2025-59142

https://nvd.nist.gov/vuln/detail/CVE-2025-59144

https://nvd.nist.gov/vuln/detail/CVE-2025-59330

https://nvd.nist.gov/vuln/detail/CVE-2025-59331

https://nvd.nist.gov/vuln/detail/CVE-2025-59141

Issue ID

BASE-2236

Further information

The report was a false positive; eptos is therefore not affected.

Summary

Malicious code was inserted into the Nx build system package and several related plugins, and the tampered packages were published to the npm registry in a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and uploads them to a GitHub repository created under the victim's account.

Affected packages:

  • ansi-regex@6.2.1

  • ansi-styles@6.2.2

  • backslash@0.2.1

  • chalk@5.6.1

  • chalk-template@1.1.1

  • color-convert@3.1.1

  • color-name@2.0.1

  • color-string@2.1.1

  • debug@4.4.2

  • error-ex@1.3.3

  • has-ansi@6.0.1

  • is-arrayish@0.3.3

  • proto-tinker-wc@1.8.7

  • supports-hyperlinks@4.1.1

  • simple-swizzle@0.2.3

  • slice-ansi@7.1.1

  • strip-ansi@7.1.1

  • supports-color@10.2.1

  • wrap-ansi@9.0.1

  • duckdb@1.3.3

  • @duckdb/duckdb-wasm@1.29.2

  • @duckdb/node-api@1.3.3

  • @duckdb/node-bindings@1.3.3

  • prebid@10.9.1

  • prebid@10.9.2

Software Fixes

11 of the listed packages are used within eptos, but in a different (lower) version that is not affected.
15 of the listed packages are not used at all.

Therefore eptos and eptos Search Engine are not affected.
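The comparison described above (exact affected version present, package used at another version, or package not used at all) can be repeated against any project's lockfile. The following is an added example, not the vendor's tooling: it reads the `packages` map of a package-lock.json (lockfile v2/v3), handles scoped and nested packages, and classifies every entry of the advisory's list; the lockfile content shown is constructed, not eptos's dependency tree.

```javascript
// Added example (not from the advisory): classify a package-lock.json
// (lockfile v2/v3 "packages" map) against the advisory's affected list.
const AFFECTED = `ansi-regex@6.2.1 ansi-styles@6.2.2 backslash@0.2.1 chalk@5.6.1
chalk-template@1.1.1 color-convert@3.1.1 color-name@2.0.1 color-string@2.1.1
debug@4.4.2 error-ex@1.3.3 has-ansi@6.0.1 is-arrayish@0.3.3 proto-tinker-wc@1.8.7
supports-hyperlinks@4.1.1 simple-swizzle@0.2.3 slice-ansi@7.1.1 strip-ansi@7.1.1
supports-color@10.2.1 wrap-ansi@9.0.1 duckdb@1.3.3 @duckdb/duckdb-wasm@1.29.2
@duckdb/node-api@1.3.3 @duckdb/node-bindings@1.3.3 prebid@10.9.1 prebid@10.9.2`
  .split(/\s+/);

// Split "name@version" at the last "@" so scoped names (@scope/pkg) survive.
function parseSpec(spec) {
  const i = spec.lastIndexOf('@');
  return { name: spec.slice(0, i), version: spec.slice(i + 1) };
}

// Every version of every package in the lockfile, nested copies included.
function installedVersions(lock) {
  const found = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // the "" key is the root project itself
    const name = path.slice(idx + 'node_modules/'.length);
    if (!found.has(name)) found.set(name, new Set());
    found.get(name).add(entry.version);
  }
  return found;
}

// Per advisory entry: affected (exact version), otherVersion, or notUsed.
function auditLock(lock, affected = AFFECTED) {
  const result = { affected: [], otherVersion: [], notUsed: [] };
  const installed = installedVersions(lock);
  for (const spec of affected) {
    const { name, version } = parseSpec(spec);
    const versions = installed.get(name);
    if (!versions) result.notUsed.push(spec);
    else if (versions.has(version)) result.affected.push(spec);
    else result.otherVersion.push(`${name}@${[...versions].join('|')}`);
  }
  return result;
}

// Constructed sample lockfile (not eptos's real dependency tree).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'sample-app', version: '1.0.0' },
  'node_modules/chalk': { version: '4.1.2' },
  'node_modules/debug': { version: '4.4.2' },
  'node_modules/@duckdb/node-api': { version: '1.3.2' },
  'node_modules/foo/node_modules/strip-ansi': { version: '7.1.1' },
} };
console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

Replace `SAMPLE_LOCK` with the parsed contents of a real package-lock.json to audit a project; only the `affected` list indicates an installed compromised version.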

What you need to do

No action required

Mitigation

N/A

Support

If you have questions or concerns regarding this advisory, contact support (at) paradine.at and add BASE-2236 to your issue description.