Mintlify CLI supply chain attack
Resolved

All affected package versions have been deprecated, and new safe versions are now available.

We are actively hardening our dependency management and publishing pipeline to prevent future incidents.

A detailed postmortem will follow with additional information and preventative measures.

If you installed or updated the Mintlify CLI between November 21st and 24th, 2025, please take the following actions immediately:

  • Clear your npm/pnpm cache

  • Update to the latest safe version: npm install -g mint@latest

  • Review your GitHub tokens and credentials

  • Check for unauthorized GitHub repositories

Mon, Nov 24, 2025, 10:26 PM
Affected components

No components marked as affected
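The four steps above, together with the compromised @asyncapi versions listed in the Identified update below, as an added example that is not part of Mintlify's advisory or tooling: a POSIX shell script that reports any of those versions in a project's package-lock.json or pnpm-lock.yaml (including copies nested under another package's node_modules), and on request runs the cache-clearing and reinstall commands and lists repositories created on your GitHub account since November 21st. The lockfile it scans when run with no arguments is constructed for the example; the some-cli package name and 0.0.0 version in it, the --remediate and --github flags, and the use of pnpm store prune for the pnpm cache are assumptions. It needs grep, sed, tr and mktemp; the GitHub check additionally needs curl, jq and a token in GITHUB_TOKEN.

```shell
#!/bin/sh
# Added example, not Mintlify's own tooling. Finds the compromised @asyncapi
# versions named in this incident in local lockfiles; --remediate runs the
# advisory's cache/reinstall steps, --github lists repos created in the window.

# Versions the "Identified" update names as compromised.
COMPROMISED='@asyncapi/parser@3.4.1 @asyncapi/parser@3.4.2
@asyncapi/specs@6.8.2 @asyncapi/specs@6.8.3 @asyncapi/specs@6.9.1 @asyncapi/specs@6.10.1'

# npm package-lock.json (lockfileVersion 2/3). Entries look like
#   "node_modules/<parent>/node_modules/@asyncapi/parser": { "version": "3.4.1", ...
# so nested copies match too. Newlines are collapsed first so key and version
# can be matched as one pattern. Prints one name@version per hit.
scan_npm_lock() {
  flat=$(tr -d '\n' < "$1")
  for pv in $COMPROMISED; do
    name=${pv%@*}
    ver_re=$(printf '%s' "${pv##*@}" | sed 's/\./\\./g')
    pat='"node_modules/([^"]*/)?'"$name"'":[[:space:]]*\{[^}]*"version":[[:space:]]*"'"$ver_re"'"'
    printf '%s' "$flat" | grep -Eq "$pat" && echo "$pv"
  done
  return 0
}

# pnpm-lock.yaml: snapshot keys contain name@version (lockfile v6 and later)
# or /name/version: (lockfile v5).
scan_pnpm_lock() {
  for pv in $COMPROMISED; do
    if grep -Fq -e "$pv" -e "${pv%@*}/${pv##*@}:" "$1"; then echo "$pv"; fi
  done
  return 0
}

scan_lock() {
  case $(basename "$1") in
    package-lock.json|npm-shrinkwrap.json) scan_npm_lock "$1" ;;
    pnpm-lock.yaml) scan_pnpm_lock "$1" ;;
    *) echo "unsupported lockfile: $1" >&2; return 2 ;;
  esac
}

# Exit status 0 when the lockfile references none of the compromised versions.
lockfile_is_clean() {
  [ -z "$(scan_lock "$1")" ]
}

# Constructed lockfile for the stand-alone run; not a real project. One direct
# hit (parser 3.4.1), one nested hit (specs 6.10.1) and one clean version
# (specs 6.8.1) that must not be reported. some-cli/0.0.0 are placeholders.
write_sample_npm_lock() {
  cat > "$1" <<'EOF'
{
  "lockfileVersion": 3,
  "packages": {
    "node_modules/some-cli": { "version": "0.0.0" },
    "node_modules/@asyncapi/parser": { "version": "3.4.1" },
    "node_modules/@asyncapi/specs": { "version": "6.8.1" },
    "node_modules/some-cli/node_modules/@asyncapi/specs": { "version": "6.10.1" }
  }
}
EOF
}

# Advisory steps in order: clear the npm (and, if present, pnpm) cache, then
# reinstall the CLI from the current safe release. Needs network access and
# changes the global install, so it only runs with --remediate.
remediate() {
  npm cache clean --force
  if command -v pnpm >/dev/null 2>&1; then pnpm store prune; fi
  npm install -g mint@latest
  npm ls -g mint
}

# Last advisory step: repositories created on the token owner's account since
# the start of the incident window. Token review and rotation is done in the
# GitHub settings; this only covers the repository check.
list_recent_repos() {
  curl -fsS -H "Authorization: Bearer $GITHUB_TOKEN" \
    -H "Accept: application/vnd.github+json" \
    'https://api.github.com/user/repos?affiliation=owner&sort=created&direction=desc&per_page=100' |
    jq -r --arg since '2025-11-21T00:00:00Z' \
      '.[] | select(.created_at >= $since) | "\(.created_at)  \(.full_name)  \(.description // "")"'
}

case "${1:-}" in
  --remediate) remediate ;;
  --github) list_recent_repos ;;
  "") tmp=$(mktemp -d)
      write_sample_npm_lock "$tmp/package-lock.json"
      scan_lock "$tmp/package-lock.json"   # reports the two hits in the constructed lockfile
      rm -rf "$tmp" ;;
  *) for f in "$@"; do scan_lock "$f"; done ;;
esac
```

Run it with one or more lockfile paths to scan real projects, then with --remediate, then with --github. Any repository it lists that you did not create yourself means the credentials available to the CLI on that machine should be treated as exposed and rotated, which is the token review the advisory asks for.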

Updates


Monitoring

All affected package versions have been deprecated on npm, and we are working with npm to remove the compromised versions entirely. All affected release versions have been removed from Mintlify's own release chain.

New safe versions with pinned dependencies have been published.

Mon, Nov 24, 2025, 09:41 PM

Identified

We've confirmed that the compromised dependencies of the Mintlify CLI were @asyncapi/parser (3.4.1, 3.4.2) and @asyncapi/specs (6.8.2, 6.8.3, 6.9.1, 6.10.1).

We are publishing new versions with pinned dependencies and deprecating all affected versions.

Mon, Nov 24, 2025, 06:32 PM

Investigating

We've identified that Mintlify CLI packages contain compromised dependency packages from a supply chain attack. We are working to publish patched versions with pinned dependencies and to remove the compromised versions from our supply chain.

https://thehackernews.com/2025/11/second-sha1-hulud-wave-affects-25000.html

Mon, Nov 24, 2025, 06:32 PM