We want to inform you of a recent security incident involving multiple compromised NPM packages that may impact development environments using the Servoy NGClient.
According to a report from The Hacker News, over 40 NPM packages have been affected in a supply chain attack. One of the known compromised packages is ng2-file-upload.
What You Should Know
A malicious version 8.0.3 of ng2-file-upload was briefly published to the NPM registry.
The compromised version has already been removed by NPM, and only legitimate versions (8.0.0 and 9.0.0) remain available.
If your developer environment executed an NGClient build during the period this malicious version was available, your system may have cached the compromised package.
Immediate Actions Required
1. Check Your NPM Cache
Run the following command to check if the malicious version is present in your cache:
    npm cache ls ng2-file-upload
If version 8.0.3 appears in the list, your system has cached the compromised version.
2. Clean Your NPM Cache
To remove any potentially malicious packages, run:
    npm cache clean --force
3. Rebuild Your Project
After cleaning the cache, perform a TiNG full clean build in your Servoy Developer environment to ensure no compromised code remains.
4. Review Access Tokens (if affected)
If you discover that the 8.0.3 version was present, we strongly recommend invalidating any GitHub tokens or other credentials that may have been exposed, and regenerating new ones as a precaution.
Stay Informed & Secure
We are actively monitoring the situation and will keep you updated with any new developments. If you have concerns or require assistance, please reach out to our support team.
Thank you for your attention to this important matter and for your continued trust in Servoy.
These are the instructions I gave the development team. Please let me know if any of it is incorrect.
Install Node JS (if you don’t have it already). If you’re unsure if you have it, open a command prompt and type “npm”. If it doesn’t recognize the command, you don’t have Node installed.
Open a command prompt and change to your workspace folder. If you don’t know your workspace folder location, launch Servoy and do File->Switch Workspace->Other. The textbox should then show your workspace location. Copy paste it into a Command Prompt with "cd " in front of it. (no quotes) (ex. cd C:\Users\paul\OneDrive\Documents\servoy_workspace_202403).
After your command prompt is in your workspace directory, enter: cd .metadata\.plugins\com.servoy.eclipse.ngclient.ui\target
After that, run: npm cache ls ng2-file-upload
If you don’t see version “8.0.3” in the packages list, you’re fine and can ignore the rest of the instructions.
If you see version 8.0.3 in your list, run: npm cache clean --force
Force a new build of your Servoy code in Servoy Developer (Project->Clean…->Clean).
If you use a PAT (personal access token) to authenticate to GitHub, you might want to delete your existing one and create a new one.
You shouldn’t need to install nodejs. Just run it from your workspace.
> cd {ServoyWorkspace}\.metadata\.plugins\com.servoy.eclipse.ngclient.ui\node-v22.14.0-win-x64
> node.exe .\node_modules\npm\bin\npm-cli.js cache ls ng2-file-upload
The node version may be different depending on your Servoy version.
There is the development environment using the Servoy NGClient mentioned, which may be affected. I am wondering what about deployed versions of applications? How are they affected?
Having more than one workspace, is every workspace affected?
Are any Servoy Developer versions affected or only some specific versions?
Deployed applications should not be affected. The nature of the attack vector has to do with NPM and build-time vulnerabilities where it has elevated access that it would not have in a regular deployed environment.
I’m not sure if we can say a particular version is affected, because packages are extensions and can move independent of the core. Safe to say if you are running legacy versions, you will not be affected. It really happens during Titanium building in the developer, which only happens in a Ti project. If you run smart, web or NG1 clients, then you are probably safe... but hey, why not spend 2 minutes to run the NPM cache check just to be sure?
I think the question is rather, does every workspace have a separate cache, since it does have a separate installation of node.
Looking at my workspaces from different servoy installations it seems it’s always ~/.npm/, but it can be checked with npm config get cache, from the specific npm directory in that workspace.
So I’d just delete the ~/.npm directory and be done with it.
If you want to look at all installations to be safe, you can find them via find ~/Documents/ -name "npm" -type f | grep /npm/bin/npm
(My workspaces are under Documents, you perhaps need to change that)
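The cache check from the posts above, run across every workspace using each workspace's own bundled Node.js, as an added example that is not code from the thread or from Servoy. It assumes the `npm cache ls` key format shown in its comments and that workspaces live under ~/Documents unless another root is given.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from Servoy: scan every Servoy
# workspace's bundled npm cache for the compromised ng2-file-upload 8.0.3.
# Assumption (not stated in the thread): `npm cache ls` prints cacache keys like
#   make-fetch-happen:request-cache:https://registry.npmjs.org/<pkg>/-/<pkg>-<ver>.tgz
# so the tarball key is the signal we look for.

PKG="ng2-file-upload"
BAD_VERSION="8.0.3"

# Pure text check on `npm cache ls` output read from stdin:
# returns 0 if the compromised tarball is cached, 1 otherwise.
cache_output_has_bad_version() {
  grep -Fq "/${PKG}/-/${PKG}-${BAD_VERSION}.tgz"
}

# Check one workspace with the Node.js bundled inside it (as the thread suggests),
# so no global install is needed. Returns 0 clean, 2 compromised, 3 no node found.
check_workspace() {
  ws="$1"; plugin="$ws/.metadata/.plugins/com.servoy.eclipse.ngclient.ui"
  nodedir=$(find "$plugin" -maxdepth 1 -type d -name 'node-v*' 2>/dev/null | head -n 1)
  if [ -z "$nodedir" ]; then echo "SKIP  $ws (no bundled node)"; return 3; fi
  # Linux/macOS archives keep node under bin/, the Windows zip at the top level.
  node="$nodedir/bin/node"; [ -x "$node" ] || node="$nodedir/node.exe"
  npmcli=$(find "$nodedir" -path '*/npm/bin/npm-cli.js' 2>/dev/null | head -n 1)
  if "$node" "$npmcli" cache ls "$PKG" 2>/dev/null | cache_output_has_bad_version; then
    echo "FOUND $ws: $PKG@$BAD_VERSION cached -> npm cache clean --force, full clean build, rotate tokens"
    return 2
  fi
  echo "CLEAN $ws"
}

# Walk every workspace below a root (default ~/Documents, as in the thread).
scan_all_workspaces() {
  find "${1:-$HOME/Documents}" -maxdepth 3 -type d -name .metadata 2>/dev/null |
    while IFS= read -r meta; do check_workspace "${meta%/.metadata}" || true; done
}

# Constructed samples of `npm cache ls ng2-file-upload` output (not captured
# from any real system): one compromised cache, one clean cache.
SAMPLE_BAD='make-fetch-happen:request-cache:https://registry.npmjs.org/ng2-file-upload
make-fetch-happen:request-cache:https://registry.npmjs.org/ng2-file-upload/-/ng2-file-upload-8.0.3.tgz'
SAMPLE_OK='make-fetch-happen:request-cache:https://registry.npmjs.org/ng2-file-upload
make-fetch-happen:request-cache:https://registry.npmjs.org/ng2-file-upload/-/ng2-file-upload-8.0.0.tgz'

# Set SCAN_ROOT to run the scan, e.g. SCAN_ROOT="$HOME/Documents" bash scan.sh
if [ -n "${SCAN_ROOT:-}" ]; then scan_all_workspaces "$SCAN_ROOT"; fi
```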
Thanks for the clarification. I ran the NPM cache check and do not have the malicious version 8.0.3 of the ng2-file-upload. Nevertheless, I deleted the ~/.npm directory.