
Shai-Hulud Attack – Mend UA FAQ

Is there a Hotfix available for the Mend Unified Agent related to this incident?

Yes. Mend has released a Unified Agent hotfix, version 25.10.3.2 (25-Nov-2025), which changes the default so that npm/Yarn package lifecycle scripts are not executed during UA scans unless explicitly overridden (see below).

You can download the latest Unified Agent here: https://docs.mend.io/platform/latest/product-downloads#ProductDownloads-TheUnifiedAgent
Review our release notes here: https://docs.mend.io/legacy-sca/latest/mend-unified-agent-release-notes


Why am I receiving this advisory?

During the Shai-Hulud supply-chain attack, some npm/Yarn packages contained malicious lifecycle scripts (such as preinstall and postinstall hooks). Under a specific non-default configuration, the Mend Unified Agent (UA) triggers dependency installation steps (npm install / yarn install), and the package manager may then execute these scripts.

Who Is At Risk?

Customers who have explicitly enabled the following configuration are affected:

  • npm.runPreStep=true

  • AND have not set npm.ignoreScripts=true

By default:

  • npm.runPreStep = false

  • npm.ignoreScripts = <not set - implies false>

Based on our initial investigation, it seems only customers who manually changed these configurations face any risk.

What is the Recommended Action?

Until the hotfix is deployed, we strongly recommend the following:

If you have configured npm.runPreStep=true, please immediately ensure that:
npm.ignoreScripts=true

This prevents package lifecycle scripts from executing during the dependency installation phase.

Are other scanners impacted?

We have verified that the repository integrations and the CLI are not impacted.

Does the Mend Unified Agent execute malicious code?

Not directly. With npm.runPreStep=true, the UA runs the package manager's install command (npm install / yarn install). Unless npm.ignoreScripts=true, npm or Yarn then runs the package lifecycle scripts as part of that install, and that is where a malicious script executes.

The UA only executes package scripts if both of the following are true:

  • npm.runPreStep=true

  • npm.ignoreScripts=false

By default (before hotfix 25.10.3.2):

  • npm.runPreStep = false

  • npm.ignoreScripts = <not set - implies false>

Only customers who manually enabled runPreStep and allowed scripts to run are at risk.

What is Mend doing to protect customers?

Unified Agent hotfix 25.10.3.2 (25-Nov-2025):

  • Changes the default behavior so that npm.ignoreScripts=true

  • Prevents execution of package scripts during UA scans unless explicitly and intentionally overridden

Customers should update to this version or later. Until the update is deployed, apply the recommended action above.

What should customers do right now?

If you have set npm.runPreStep=true, we strongly recommend setting:

npm.ignoreScripts=true

This prevents execution of any package scripts during UA scans.

Should all customers be concerned?

No. Only customers running the Unified Agent against npm or Yarn projects with the following non-default settings are at risk:

  • npm.runPreStep=true

  • npm.ignoreScripts=false

By default:

  • npm.runPreStep = false

  • npm.ignoreScripts = <not set - implies false>

How can I verify my settings?

Check the Unified Agent command line, its configuration file and any environment variables for npm.runPreStep and npm.ignoreScripts. The effective configuration is also always printed in the UA log, so you can confirm there which values were actually applied to a scan.
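As an added example (this is not Mend's code and not part of the FAQ), the following POSIX shell script performs the check described above against a Unified Agent configuration file: it reports a file as at risk exactly when npm.runPreStep is true and npm.ignoreScripts is not true, treating an unset key as false. It assumes the key=value (.properties) format the UA reads; the file name wss-unified-agent.config in the comments and the three sample files it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Mend's own code: audit a Unified Agent configuration file for the
# combination this FAQ describes (npm.runPreStep=true without npm.ignoreScripts=true).
# Assumptions: the file is the key=value (.properties) format the UA reads, and the
# name wss-unified-agent.config mentioned below is only the conventional file name.

# Effective value of a key: the last uncommented assignment wins, surrounding
# whitespace is dropped and the value is lower-cased. Prints nothing if the key is absent.
ua_prop() {
  # $1 = config file, $2 = key as an extended regex (escape the dots)
  grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null |
    tail -n 1 |
    sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' |
    tr '[:upper:]' '[:lower:]'
}

# Verdict for one file. Exit status 0 = lifecycle scripts CAN run (at risk),
# 1 = safe, 2 = file not readable. As the FAQ states, an unset key implies false.
ua_scripts_can_run() {
  cfg=$1
  [ -r "$cfg" ] || { echo "ERROR    cannot read $cfg"; return 2; }
  run=$(ua_prop "$cfg" 'npm\.runPreStep')
  ignore=$(ua_prop "$cfg" 'npm\.ignoreScripts')
  run=${run:-false}
  ignore=${ignore:-false}
  if [ "$run" = true ] && [ "$ignore" != true ]; then
    echo "AT RISK  $cfg  npm.runPreStep=$run npm.ignoreScripts=$ignore  (set npm.ignoreScripts=true)"
    return 0
  fi
  echo "OK       $cfg  npm.runPreStep=$run npm.ignoreScripts=$ignore"
  return 1
}

# Constructed sample configurations (not real customer files), one per case in the FAQ.
ua_write_samples() {
  dir=$(mktemp -d)
  # Default: neither key present.
  printf 'npm.resolveDependencies=true\n' > "$dir/default.config"
  # Risky: pre-step enabled; ignoreScripts appears only in a comment, which does not count.
  printf 'npm.resolveDependencies=true\nnpm.runPreStep = True\n#npm.ignoreScripts=true\n' > "$dir/risky.config"
  # Mitigated: the FAQ's recommended setting added.
  printf 'npm.runPreStep=true\nnpm.ignoreScripts=true\n' > "$dir/mitigated.config"
  echo "$dir"
}

# Audit the files given as arguments; the exit status is the number of at-risk files.
ua_audit() {
  risky=0
  for cfg in "$@"; do
    if ua_scripts_can_run "$cfg"; then risky=$((risky + 1)); fi
  done
  return "$risky"
}

# Self-check on the samples: succeeds only if exactly the risky sample is flagged.
ua_audit_samples() {
  dir=$(ua_write_samples)
  ok=1
  if ua_scripts_can_run "$dir/default.config"; then ok=0; fi
  if ! ua_scripts_can_run "$dir/risky.config"; then ok=0; fi
  if ua_scripts_can_run "$dir/mitigated.config"; then ok=0; fi
  rm -rf "$dir"
  [ "$ok" -eq 1 ]
}

# Usage: sh ua_check.sh wss-unified-agent.config [...]; with no arguments, run the self-check.
if [ "$#" -gt 0 ]; then ua_audit "$@"; else ua_audit_samples; fi
```

The script looks only at configuration files. Parameters passed on the UA command line or through environment variables are not visible to it, so for a scan whose settings come from those sources, confirm the effective values in the UA log, as the FAQ notes.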
