UPDATE DECEMBER 5, 2025:
This incident is resolved and our investigation confirmed there was no unauthorized access to any personal information, customer data or systems hosting customer data. As previously noted, the root cause was a compromised NPM package maintained by our supplier Postman. NowSecure is taking appropriate steps to ensure our CI/CD pipelines are secure and prevent any recurrence of this type of incident.
Incident Q/A:
What is the Incident Status?
The incident was contained on Wed Nov 26. The incident is resolved.
Were any services, credentials, application tokens or keys related to [Customer] impacted?
No credentials, tokens or keys related to a customer account were impacted or required revocation.
What was the initial point of compromise? Was there any lateral movement or expansion of the scope of compromise?
Due to a supply chain attack against the Postman software, certain Postman-maintained NPM packages were compromised. One tainted package executed in one NowSecure internal CI/CD pipeline. There was no lateral movement or expansion of scope.
How did NowSecure determine that no customer data or systems were accessed?
We thoroughly investigated the data exposed and all data in the impacted pipeline, and searched across all projects for the malicious NPM packages, confirming that one tainted package ran in one project. We identified and promptly revoked credentials/tokens exposed to the malicious NPM package, and confirmed that none were customer account-related. We searched all relevant access logs for unauthorized activity and found nothing related to the exposed data. The tainted package was open source and so the actual code executed is known.
Is any Customer action required in responding to or remediating this incident?
No customer action is required.
ORIGINAL NOTICE NOVEMBER 28, 2025:
NowSecure is responding to a security incident related to a supply chain attack against the Postman software, which was recently disclosed by Postman in a blog post as the "Shai-Hulud 2.0 npm supply-chain attack." This incident involved the compromise of certain Postman-maintained NPM packages.
On November 26, 2025 we became aware that certain NowSecure CI/CD data was compromised by tainted NPM packages, and we initiated incident response procedures.
Data Impacted:
- Certain secret values (tokens/credentials) and non-secret variables in the CI/CD pipeline
- No evidence of customer data impact
Actions Taken by NowSecure:
- All potentially exposed tokens or credentials have been rotated across our systems
- Removed tainted NPM packages and pinned to known safe versions
- Reviewing logs to uncover unauthorized access (if any)
- Actively investigating any further potential impact on our environment
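The package sweep and version pinning described in the actions above, as an added Node.js example that is not NowSecure's or Postman's code: it walks an npm lockfileVersion 3 structure and a package.json (both constructed inline; the compromised package names and versions are placeholders, not real indicators), reports every installed copy that matches a denylist of compromised versions, and flags dependencies that are not pinned to an exact version.

```javascript
// Added example: audit an npm project for known-compromised package versions
// (nested copies included) and for dependencies not pinned to an exact version.
// Constructed denylist with placeholder names/versions, not real indicators.
const COMPROMISED = new Set(["example-sdk@2.4.1", "example-cli@1.0.9"]);

// Constructed package.json and lockfile (npm lockfileVersion 3 layout).
const PACKAGE_JSON = {
  dependencies: { "example-sdk": "^2.4.0", "left-pad": "1.3.0" },
  devDependencies: { "example-cli": "1.0.9" },
};
const PACKAGE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "ci-tool" },
    "node_modules/example-sdk": { version: "2.4.1" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/example-cli": { version: "1.0.9" },
    "node_modules/example-cli/node_modules/example-sdk": { version: "2.3.0" },
  },
};

// Package name from a lockfile path, e.g. "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameFromLockPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? null : p.slice(idx + "node_modules/".length);
}

// Every installed package@version on the denylist, nested copies included.
function findCompromised(lock, denylist) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(path);
    if (!name || !meta.version) continue; // root project entry has no node_modules path
    if (denylist.has(`${name}@${meta.version}`)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Exact pins look like "1.2.3"; ranges (^, ~), tags and URLs let a later install
// resolve to a version nobody reviewed.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
function findUnpinned(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT.test(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}
```

Run it against each project's real lockfile and manifest in the CI job; a non-empty result from either function should fail the build until the package is removed or the version is pinned.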
Current Status:
We are continuing to investigate, and our services remain fully operational and available.
At this time our investigation finds that no personal information, customer data, or systems hosting customer data have been accessed by unauthorized parties. This notice is for customer information purposes; no action is required.
We will continue to monitor the situation and provide updates as they become available.