Roadie’s Blog

Roadie unaffected by npm supply chain attack

By Jian Reis, November 25th, 2025
Tags: shaihalud, roadie

A significant threat has emerged across the npm ecosystem. Attackers are publishing malicious packages that, once installed, infiltrate the affected developers' repositories, spread to other packages those developers maintain, harvest tokens for GitHub, npm, AWS, GCP and Azure, and carry a destructive payload that triggers if the attacker's infrastructure is disrupted.

As soon as these reports surfaced, we initiated a full dependency review covering all our services, builds and publish pipelines:

  • We scanned for any use of the known malicious or compromised packages.
  • We compared the version of every npm dependency in our tree against the published indicators of compromise.
  • We verified that none of our services include packages exhibiting the propagation or “dead-man’s switch” behaviour described in the reports.
  • We continue to monitor our package supply chain for new threats.
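
The first two steps of that review amount to flattening the lockfile and checking every installed name@version against an indicator list. The following Node.js script is an added example of that check; it is not Roadie's tooling, and the package names, versions, indicator list and lockfile contents in it are constructed for illustration and are not real indicators. It separates exact name@version hits from packages that merely share a name with a listed package, and it resolves npm aliases through the lockfile's `name` field so an alias cannot hide a listed package under another install path.

```javascript
// Added example (not Roadie's tooling): flatten an npm lockfile and compare
// every installed name@version against an indicator-of-compromise list.
// All package names, versions and lockfile contents below are constructed
// for illustration; none of them is a real indicator.

// Constructed IoC list: package name -> versions reported as malicious.
const SAMPLE_IOCS = {
  "acme-telemetry-client": ["4.2.1", "4.2.2"],
  "@acme/build-helpers": ["1.9.0"],
};

// Constructed package-lock.json in the lockfileVersion 2/3 layout, where
// "packages" is keyed by install path and nested copies carry a longer path.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    // Same name as an indicator but a version the reports do not list.
    "node_modules/acme-telemetry-client": { version: "4.1.7" },
    // Exact match on name and version.
    "node_modules/@acme/build-helpers": { version: "1.9.0", dev: true },
    "node_modules/left-pad-ish": { version: "2.0.0" },
    // A nested copy of a listed version, hidden under another dependency.
    "node_modules/left-pad-ish/node_modules/acme-telemetry-client": { version: "4.2.2" },
    // An npm alias: the install path says "helpers-alias", the "name" field
    // says what was actually fetched, so the name field must win.
    "node_modules/helpers-alias": { name: "@acme/build-helpers", version: "1.9.0" },
  },
});

// The package name is the text after the last "node_modules/" segment of the
// install path; scoped names keep their "@scope/" prefix.
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Flatten either lockfile layout into [{ path, name, version, dev }].
function installedPackages(lock) {
  const out = [];
  if (lock.packages) {
    // lockfileVersion 2/3: one entry per install path, root entry keyed "".
    for (const [installPath, entry] of Object.entries(lock.packages)) {
      if (installPath === "") continue;
      const name = entry.name || packageNameFromPath(installPath);
      if (!name) continue;
      out.push({ path: installPath, name, version: entry.version, dev: Boolean(entry.dev) });
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" maps keyed by package name.
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const installPath = `${prefix}node_modules/${name}`;
        out.push({ path: installPath, name, version: entry.version, dev: Boolean(entry.dev) });
        if (entry.dependencies) walk(entry.dependencies, `${installPath}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return out;
}

// Split matches into exact name@version hits (compromised) and packages that
// only share a name with a listed package (nameOverlap); the latter need a
// version check but are not by themselves evidence of compromise.
function scanLockfile(lockText, iocs) {
  const lock = JSON.parse(lockText);
  const findings = { compromised: [], nameOverlap: [] };
  for (const pkg of installedPackages(lock)) {
    const listed = iocs[pkg.name];
    if (!listed) continue;
    (listed.includes(pkg.version) ? findings.compromised : findings.nameOverlap).push(pkg);
  }
  return findings;
}

// Command-line entry point: `node scan-lockfile.js [path/to/package-lock.json]`.
// Without a path it scans the constructed sample. With a path it exits
// non-zero on an exact hit so it can gate a CI job.
function main() {
  const lockPath = process.argv[2];
  const lockText = lockPath ? require("node:fs").readFileSync(lockPath, "utf8") : SAMPLE_LOCKFILE;
  const { compromised, nameOverlap } = scanLockfile(lockText, SAMPLE_IOCS);
  for (const p of compromised) console.log(`COMPROMISED ${p.name}@${p.version} at ${p.path}${p.dev ? " (dev)" : ""}`);
  for (const p of nameOverlap) console.log(`name-overlap ${p.name}@${p.version} at ${p.path} (version not listed)`);
  console.log(`${compromised.length} compromised, ${nameOverlap.length} name overlaps`);
  if (lockPath && compromised.length > 0) process.exitCode = 1;
}

if (typeof require !== "undefined" && require.main === module) main();
```

Replace `SAMPLE_IOCS` with the name@version list from the advisories you are tracking and run it against every lockfile in the organisation, including those in build and publish pipelines. Two caveats a reviewer will ask about: the lockfile only describes what `npm ci` would install, so packages pulled in by global tools, `npx`, or a stale `npm install` that ignored the lockfile are outside its view and need a separate check of the actual `node_modules` trees and CI caches; and a name-only overlap on a safe version is exactly the case that should be recorded, not dismissed, because a later `npm update` can move it onto a listed version.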

We can confirm: we are not affected by this incident.

We do not use any of the compromised versions described in public reports; any overlapping package names in our dependency tree are on safe, non-compromised versions.

We will continue to monitor developments, update our scanning and tooling, and share any relevant security guidance. If your team is reviewing internal risks or supply-chain posture and would like supporting detail from us, please reach out.
