Is Matomo affected by Shai-Hulud 2.0 Supply Chain Attack?

Hi,

I guess you already heard about the ongoing Shai-Hulud 2.0 Supply Chain Attack on npm packages. See: https_://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack (I’m not allowed to post a link, so I inserted underscore)

I’m curious if Matomo might be affected by using any of the compromised npm packages?

I tried to gather some information about the usage of npm packages in Matomo by looking into GitHub Code Search for JavaScript in the matomo-org repo.

But I’m not a JavaScript developer and I’m kinda unsure if it’s the right path to figure out what npm dependencies Matomo relies on. Maybe some developer could help me out?

thx & Best,

Sven

No. Matomo should not be affected by this. Our npm packages are pinned to fixed versions and are not updated automatically. Furthermore, most of the packages are used for our Vue.js build pipeline only and are therefore not included in final releases.

In addition, we have automated security tools in place that should warn as soon as an affected npm package would be used.
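The two checks Stefan describes, that manifests pin exact versions and that nothing installed appears on an advisory list, can be done by hand from a project's package.json and package-lock.json. The script below is an added example written for this thread, not Matomo's own tooling; the manifest, lockfile and advisory list are constructed samples, and a real advisory list would have to be substituted for the placeholder.

```python
import json
import re

# Constructed sample manifest (not Matomo's real package.json).
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"left-pad-ish": "1.3.0", "some-lib": "^2.0.0"},
    "devDependencies": {"vue-loader": "17.0.1", "typescript": "~5.2.0"},
})

# Constructed sample lockfile in the lockfileVersion 2/3 layout:
# "packages" is keyed by the node_modules path of each installed package.
SAMPLE_LOCKFILE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/left-pad-ish": {"version": "1.3.0"},
        "node_modules/some-lib": {"version": "2.4.1"},
        "node_modules/vue-loader": {"version": "17.0.1", "dev": True},
        "node_modules/typescript": {"version": "5.2.2", "dev": True},
    },
})

# Placeholder advisory list: package name -> affected versions. Not a real list.
AFFECTED = {"some-lib": {"2.4.1"}}

# Exact semver (1.2.3, optionally with prerelease/build suffix); anything else is a range.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")

def unpinned_specs(manifest_text):
    """Return {name: spec} for dependencies declared as a range rather than a fixed version."""
    manifest = json.loads(manifest_text)
    found = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if not EXACT_VERSION.match(spec):
                found[name] = spec
    return found

def installed_versions(lock_text):
    """Map package name -> (version, is_dev) from the lockfile's resolved entries."""
    lock = json.loads(lock_text)
    out = {}
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue  # the root project entry has no version of its own
        name = path.rsplit("node_modules/", 1)[-1]  # keeps @scope/name intact
        out[name] = (entry.get("version"), bool(entry.get("dev")))
    return out

def affected_matches(lock_text, affected=AFFECTED):
    """Return [(name, version, is_dev)] for resolved versions that appear on the advisory list."""
    return [(n, v, d) for n, (v, d) in installed_versions(lock_text).items()
            if v in affected.get(n, set())]
```

A match flagged with is_dev=True is not shipped in a release, but its install scripts still run on build machines, so dev-only hits still deserve attention.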

Many thanks for your quick response, Stefan.