LoanPro incident

[Informational] Proactive Security Assessment: npm Ecosystem Status: All Systems Operational / No Impact

Notice Resolved

LoanPro experienced a notice incident on November 28, 2025, lasting —. The incident has been resolved; the full update timeline is below.

Started
Nov 28, 2025, 08:22 PM UTC
Resolved
Nov 28, 2025, 08:22 PM UTC
Duration
Detected by Pingoru
Nov 28, 2025, 08:22 PM UTC

Update timeline

  1. resolved Nov 28, 2025, 08:22 PM UTC

    We are writing to share the results of a proactive security assessment regarding recent industry news concerning the npm (Node.js Package Manager) ecosystem.

    **Executive Summary**

    LoanPro is Secure

    Following reports of a supply-chain attack targeting specific developer tools, our Security and Engineering teams launched an immediate review of our systems. We have confirmed that LoanPro is not impacted. We are sharing the details of this assessment below to maintain full transparency with our partners.

    **Incident Context**

    A malicious campaign recently targeted the npm ecosystem, attempting to use compromised installation scripts (specifically targeting the "Bun" runtime environment) to execute unauthorized code.

    - The Threat: Attackers attempted to slip malicious files into standard package installations.
    - The Target: The attack specifically utilized files named setup_bun.js and bun_environment.js.

    **Our Internal Review**

    Although LoanPro does not utilize the specific tooling targeted in this attack, our teams performed a comprehensive safety check across all environments (Development, Test, and Production). This included:

    - Repository Scanning: Automated searching of all code repositories for the known malicious files.
    - Dependency Audits: Reviewing our software "ingredients" list (package.json and lockfiles) to ensure no unauthorized packages were introduced.
    - Runtime Verification: Confirming that the vulnerable runtime (Bun) is not present in our build or deployment pipelines.

    **Assessment Results**

    No evidence of compromise was found. No repositories, environments, or assets within LoanPro contain the malicious scripts or targeted dependencies.

    **Ongoing Prevention**

    Security is a continuous process. In response to this industry event, we are further hardening our defenses by:

    - Enforcing stricter controls on our software supply chain (using package-lock.json enforcement).
    - Increasing monitoring for external download attempts during build processes.
    - Continuing our schedule of periodic third-party audits.

    We remain vigilant in monitoring the broader threat landscape to ensure your data remains secure. If you have any questions regarding this assessment, please contact our support team.