About npm hack

[Raito00]

Hello,

I would like to ask whether MeshCentral or its dependencies could be affected by the recent npm supply chain compromise (Sept 2025), where popular packages such as chalk, debug, ansi-styles, color-name, color-convert, strip-ansi, chalk-template, and backslash were tampered with.

Since MeshCentral is built on Node.js, is there any risk that a compromised version of these packages might have been pulled in during installation or update?

If yes, what versions are safe to use?

Do you recommend administrators reinstall MeshCentral with a clean set of dependencies to be sure?

Thank you for clarifying!

[si458]

Well, do you have links to the packages that were hacked?
Or even a Web article? Wasn't aware of any npm hacked attacks recently?

[gitplk]

Here are more details about the hack: https://jdstaerk.substack.com/p/we-just-found-malicious-code-in-the?r=133gq&utm_campaign=post&utm_medium=reddit&triedRedirect=true

These packages are compromised:

• ansi-regex
• ansi-styles
• backslash
• chalk
• chalk-template
• color-convert
• color-name
• color-string
• debug
• error-ex
• has-ansi
• is-arrayish
• simple-swizzle
• slice-ansi
• strip-ansi
• supports-color
• supports-hyperlinks
• wrap-ansi

Regards

[si458]

no we are safe as a quick look, we dont use ANY of those dependencies directly.
the package-lock.json shows it does use ansi-regex and a few other for example
BUT they are LOCKED to older versions, so UNLESS you installed meshcentral a fresh within the like last 24 hours,
then you are safe from what i can see 🔒
but ill ask our security bloke to do a scan just to be 110% sure for us 👍