
Impact of SHA1-Hulud: The Second Coming on the Mintlify CLI

November 25, 2025


Han Wang

Co-Founder

SUMMARY

On November 24, 2025, the Mintlify CLI was briefly exposed to the SHA1-Hulud supply chain attack through two compromised npm dependencies. We detected and resolved the issue within 6 hours, published a safe version (4.2.210), and deprecated all potentially affected versions. If you installed or updated the CLI on November 24, update immediately and follow the steps under "What You Should Do" below.

Date: November 24, 2025

Duration: 6 hours (8:31 AM - 2:26 PM PST)

Status: Resolved


What Happened

On November 24, 2025, Mintlify's CLI was briefly exposed to a supply chain attack known as SHA1-Hulud: The Second Coming, which affected over 25,000 repositories across the npm ecosystem. Two packages the Mintlify CLI depends on, @asyncapi/parser and @asyncapi/specs, were compromised, and malicious versions of them were published to npm.


Impact

Who was affected:

  • Users who performed fresh installations or updates of the Mint CLI during a brief window on November 24th (before the fixed version 4.2.210 was published at 9:28 AM PST) may have installed compromised dependency versions

Who was NOT affected:

  • Users who had previously installed the CLI and did not update or reinstall in the vulnerable window.
  • Users who installed the CLI after we published the fixed version
  • All hosted Mintlify services

Potential risk:

  • The malicious packages ran preinstall scripts (the setup_bun.js and bun_environment.js loader named in the indicators below) that attempted to read credentials stored on the machine that ran the install, exfiltrate them, or delete files.

Mintlify’s Response

See here for our status report(s).

Immediate Response (8:31 AM - 9:28 AM):

  • Identified the compromised dependency versions
  • Published new CLI version (4.2.210) with pinned, safe dependency versions
  • Verified Mintlify hosted services were unaffected

Remediation (9:28 AM - 2:26 PM):

  • Deprecated all potentially affected CLI versions
  • Updated the CLI version map to automatically prompt users to upgrade to a safe version
  • Verified all other dependencies were safe

What You Should Do

If you installed or updated the Mint CLI on November 24, 2025:

  1. Clear the npm and pnpm caches and remove any installed dependency tree:

    npm cache clean --force
    pnpm cache delete
    rm -rf node_modules

    (pnpm also keeps package contents in its content-addressable store; pnpm store prune removes packages that no project still references.)

  2. Update immediately to version 4.2.210 or later, then confirm the installed version:

    npm install -g @mintlify/cli@latest
    npm ls -g @mintlify/cli

  3. Check for suspicious activity:

    1. Review your GitHub repositories for unexpected changes or new repositories
    2. Check for unauthorized access to cloud services
  4. Look for evidence of compromise on affected devices, i.e. files you did not create with these names:

    1. setup_bun.js, bun_environment.js, cloud.json, content.json, environment.json, truffleSecrets.json
  5. Rotate any credentials that may have been accessible on an affected device (GitHub tokens, cloud provider keys, and anything stored in the shell environment or the home directory of the machine that ran the install)

If you did NOT install the CLI on November 24:

  • No action required, but we recommend updating to the latest version when convenient

Root Cause

The exposure occurred because the Mintlify CLI declared its @asyncapi dependencies with caret ranges (e.g., ^3.4.0), which accept any later 3.x release. When malicious versions 3.4.1 and 3.4.2 were published to npm during the attack, every fresh CLI installation resolved the range to the newest matching release and pulled the compromised code. A package-lock.json in the CLI's own repository would not have protected its users: npm does not publish package-lock.json and ignores a dependency's lockfile when resolving an install, so a published package can only constrain the versions its consumers receive by pinning exact versions or by shipping an npm-shrinkwrap.json.

Mintlify hosted services were protected because they are deployed from lockfiles that pin exact versions, so their builds kept resolving the previously vetted releases instead of the newly published ones.


Prevention Measures

We've implemented the following changes to prevent similar incidents:

  1. Exact dependency pinning across all packages, so that a newly published release cannot be pulled into an install without a deliberate update
  2. More aggressive alerting for our existing supply chain CI/CD vulnerability scanning
  3. Faster response protocols for supply chain security incidents
  4. Clearer communication procedures in the case of similar incidents

Timeline Summary

  • 8:31 AM - Compromised dependency versions detected and incident declared
  • 8:54 AM - Backend confirmed safe
  • 9:28 AM - Safe CLI version published (4.2.210)
  • 9:36 AM - Version map updated to force upgrades
  • 2:26 PM - All vulnerable versions deprecated, incident resolved

Questions?

If you have concerns about whether you were affected or need assistance, please contact our support team at support@mintlify.com. We take security seriously and are committed to keeping your development environment safe.

We apologize for any inconvenience and appreciate your understanding as we worked quickly to address this industry-wide security incident.