Betty Blocks incident

Notice: Shai Hulud v2


Betty Blocks experienced a notice incident on November 27, 2025, affecting the My Betty Blocks portal, the API, and 1 more component. The incident has been resolved; the full update timeline is below.

Started: Nov 27, 2025, 02:53 PM UTC
Resolved: Nov 27, 2025, 02:53 PM UTC
Duration: —
Detected by Pingoru: Nov 27, 2025, 02:53 PM UTC

Affected components

- My Betty Blocks portal
- API

Update timeline

  1. resolved Nov 27, 2025, 02:53 PM UTC

    Recently, a second malicious version of several npm packages was published under the campaign known as “Sha1-Hulud.” These packages were designed to steal credentials and spread further across the software supply chain.

    We want to emphasize that there is no impact on existing releases. All current releases of the Betty Blocks platform (public cloud, private cloud, and on-premise) have not been affected by the malicious npm packages.

    At Betty Blocks, we want to update you on how we are handling this situation.

    What Betty Blocks is doing

    - Version-pinned packages: Almost all npm packages used in our platform are version-pinned. This means updates are never automatic and only happen when explicitly approved by our engineers.
    - Verification before release: In the coming weeks, every platform component that depends on npm packages will be checked to ensure no infected versions are included before we release to testing, acceptance, or production environments. All packages not pinned to a specific version will be verified before being used in the next release.
    - On-premise and private cloud deployments: Clients running Betty Blocks in on-premise or private cloud setups will only receive updates that we have confirmed to be free of the affected package versions.

    In addition to the above measures, we have analyzed 284 internal and public code repositories and determined none of these repositories were affected by both the current Sha1-Hulud and the previous Shai-Hulud incidents.

    What clients should know

    If you are developing your own custom components within the Betty Blocks platform, please be aware:

    - You are responsible for the npm packages you include in your custom work.
    - We strongly recommend reviewing your package versions and checking them against the published list of affected libraries.
    - Betty Blocks does not actively monitor custom development performed by clients.

If you have any questions about this topic, or would like guidance on how to check your own packages, please contact your Betty Blocks support representative.
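
One way to run the check recommended above on a custom component, as an added example that is not Betty Blocks code: it matches every installed package in a parsed `package-lock.json` (including nested copies) against an affected list and flags `package.json` entries that are not pinned to one exact version. The `name@version` list format, the package names, and the function names are assumptions made for illustration.

```javascript
// Constructed placeholder entries (name@version), not from any published advisory list.
const AFFECTED = ["example-lib@1.2.4", "@example-scope/tool@4.5.7"];

// Every installed package recorded in a parsed package-lock.json.
// Handles lockfileVersion 2/3 ("packages") and the nested v1 "dependencies" tree.
function installedPackages(lock) {
  const out = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path || !meta.version) continue; // skip the root project and links
      const name = meta.name || path.split("node_modules/").pop();
      out.push({ name, version: meta.version, path });
    }
    return out;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      out.push({ name, version: meta.version, path });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return out;
}

// Installed packages whose exact name@version is on the affected list.
function findAffected(lock, affected = AFFECTED) {
  const bad = new Set(affected.map((s) => s.trim()));
  return installedPackages(lock).filter((p) => bad.has(`${p.name}@${p.version}`));
}

// package.json dependencies whose spec is a range, tag, or URL, not one exact version.
function findUnpinned(pkg) {
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
  return ["dependencies", "devDependencies", "optionalDependencies"].flatMap((field) =>
    Object.entries(pkg[field] || {})
      .filter(([, spec]) => !exact.test(spec))
      .map(([name, spec]) => ({ name, spec, field })));
}

// Constructed sample input: one direct hit and one hit nested under another package.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "custom-component", version: "1.0.0" },
  "node_modules/example-lib": { version: "1.2.4" },
  "node_modules/safe-lib": { version: "2.0.0" },
  "node_modules/safe-lib/node_modules/@example-scope/tool": { version: "4.5.7" },
} };
const SAMPLE_PKG = { dependencies: { "example-lib": "^1.2.0", "safe-lib": "2.0.0" } };
console.log(findAffected(SAMPLE_LOCK), findUnpinned(SAMPLE_PKG));
```

For real use, pass in the parsed contents of your own `package-lock.json` and `package.json`, and replace `AFFECTED` with the published list of affected libraries converted to `name@version` strings.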