The Stellar Development Foundation (SDF) announced that all SDF projects are unaffected by a major NPM supply chain attack discovered on September 8, 2025. SDF audited its projects, found no malicious packages, and provided guidance to the broader Stellar ecosystem on how to protect against the attack.

On September 8, 2025, a significant supply chain attack compromised dozens of popular NPM packages through phishing attacks on developers. The malicious packages targeted Bitcoin, Bitcoin Cash, Litecoin, Solana, and Ethereum ecosystems but did not target Stellar. The Stellar Development Foundation immediately audited all projects under its GitHub organization and confirmed no malicious packages were present. As a precautionary measure, SDF pinned relevant NPM packages to safe versions. SDF provided recommendations for the broader Stellar ecosystem, including auditing NPM dependencies, pinning affected packages, reviewing build pipelines, and checking developer workstations for compromised versions.
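
One way to run the dependency audit and pinning recommended above against a parsed `package-lock.json`, as an added example that is not SDF's code. The package names and versions are constructed placeholders, because this page does not list the affected packages, and pinning through npm's `overrides` field is an assumption about method.

```javascript
// Constructed denylist: placeholder names and versions, not the real affected packages.
const DENYLIST = new Map([["example-color-lib", ["9.9.1"]], ["example-debug-lib", ["4.4.2", "4.4.3"]]]);
// Constructed known-good versions to pin to (also placeholders).
const SAFE = new Map([["example-color-lib", "9.9.0"], ["example-debug-lib", "4.4.1"]]);

// Constructed lockfile in the lockfileVersion 2/3 layout: a flat "packages" map keyed by install path.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-color-lib": { version: "9.9.0" },
    "node_modules/example-debug-lib": { version: "4.4.2" },
    "node_modules/foo/node_modules/example-color-lib": { version: "9.9.1" },
    "node_modules/@scope/pkg": { version: "2.0.0" },
  },
};

// The package name is whatever follows the last "node_modules/" (covers nested and scoped installs).
function nameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? null : path.slice(i + "node_modules/".length);
}

// Return every installed copy, direct or transitive, whose exact version is denylisted.
function findFlagged(lock, denylist) {
  // A v1 lockfile has no "packages" map; fail loudly instead of reporting a false "clean".
  if (!lock.packages) throw new Error("no 'packages' map: regenerate the lockfile with npm 7+");
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    const name = meta.name || nameFromPath(path);
    if (name && (denylist.get(name) || []).includes(meta.version)) {
      hits.push({ name, version: meta.version, path });
    }
  }
  return hits;
}

// Build a package.json "overrides" fragment that pins each flagged package to its safe version.
function buildOverrides(hits, safe) {
  const overrides = {};
  for (const { name } of hits) {
    if (!safe.has(name)) throw new Error(`no safe version recorded for ${name}`);
    overrides[name] = safe.get(name);
  }
  return overrides;
}

console.log(JSON.stringify({ overrides: buildOverrides(findFlagged(SAMPLE_LOCK, DENYLIST), SAFE) }, null, 2));
```

For a real project, pass `JSON.parse` of the lockfile contents as `lock` and run the same check in the build pipeline and on developer workstations so a flagged version fails the build before install scripts execute.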