[RESOLVED] A major supply chain attack has occurred.

[mikhail-tokarev]

In response to the reported NPM supply chain compromise involving the qix account, we deleted all cached dependencies created after 13:00 UTC on 8 September 2025 as a preventive security measure. These dependencies may have contained versions of npm packages potentially compromised during the breach window.

Cache files older than 13:00 UTC remain intact, preserving valid and pre-existing dependencies unaffected by the incident.

Details: Malicious versions have been published for dozens of high-impact npm packages maintained by qix, including strip-ansi, color-convert, color-name, error-ex, and is-core-module. See more details here: GitHub Issue #1005.

How to protect yourself:

• If you use npm, immediately audit your dependencies.
• Pin all affected packages to their last known safe versions using the overrides field in package.json.
• Use npm ci in your build pipelines to ensure reproducible installs.