
Clarification on npm Supply Chain Incident

Recently, SecurityScorecard sent a customer communication that incorrectly described the npm supply chain incident as a “CrowdStrike breach.” This was inaccurate, and we want to correct the record.

What actually happened

  • A large npm supply chain attack (“Shai-Hulud”) trojanized over 150 JavaScript packages.
  • The malware attempted to steal developer secrets (tokens, cloud keys) and propagate by publishing malicious updates.
  • Some npm packages published by CrowdStrike were briefly affected as the worm spread through the ecosystem.
  • This was not a targeted breach of CrowdStrike’s internal networks.

What we misstated

  • The subject line of our communication used the term “CrowdStrike breach.”
  • This was incorrect and does not reflect the facts of the incident.

Our correction

  • The event should be described as a supply chain incident within the npm ecosystem.
  • CrowdStrike’s packages were among those impacted, but CrowdStrike itself was not breached.

Our commitment

Accuracy in reporting is essential. We have put new review controls in place so that all future incident-related communications are approved by our Threat Intelligence leadership and Corporate Communications before release.

We regret the confusion caused and remain committed to providing timely, fact-based intelligence that helps organizations understand and respond to cybersecurity risks.

For questions, please contact Ryan Sherstobitoff, Field Chief Threat Intelligence Officer, rsherstobitoff@securityscorecard.io