Drupal PSA Security
Normal Drupal core security window rescheduled for November 12, 2025 due to DrupalCon - PSA-2025-11-03
The upcoming Drupal core security release window has been rescheduled from November 19, 2025 to November 12, 2025. As normal, the window will occur between 1600 UTC and 2200 UTC.
Schedule change for back-to-back DrupalCons
This schedule change is due to DrupalCons Vienna and Nara overlapping the October and November core security windows. We do not schedule core security windows during DrupalCons so that site owners and agencies can attend these conferences without having to worry about their sites or clients.
December is also not typically used for core security releases due to the quick sequencing of the Drupal core minor releases and the end-of-year holidays. This would mean a period of four months where we could not provide any regularly scheduled security update.
No special release procedures
The schedule change is not due to any highly critical issue that would require special release procedures.
As a reminder, a Drupal core security window does not necessarily mean a Drupal security release will occur, only that one is possible.
Coordinated By:
- catch (catch) of the Drupal Security Team
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Neil Drumm (drumm) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
- Cathy Theys (yesct) of the Drupal Security Team
Third-Party Libraries and Supply Chains - PSA-2025-09-17
NPM packages have been targeted in maintainer account takeover attacks. Attackers have deployed an automatic credential scanning tool. The scanning tool tries to find secret keys that may have been published to public systems like build automation and continuous integration (CI) systems and sends such credentials back to the attacker. From there, the vulnerable NPM packages are downloaded, modified to insert a trojan-like script bundle, and then republished. These maliciously modified packages can then be used to exploit any application that has installed these packages.
Coverage and advice on remediation:
- The Hacker News - 40 NPM Packages Compromised
- Socket.dev - Supply Chain Attack
- Aikido - S1ngularity/nx attackers strike again
- Aikido - npm debug and chalk packages compromised
- Wiz.io - Shai-Hulud npm supply chain attack
While this attack has targeted NPM packages, the same strategy could be used to exploit other packages as well.
Managing supply-chain security
Website owners should actively manage their dependencies, potentially leveraging a Software Bill of Materials (SBOM) or scanner services. Other relevant tools include Content Security Policy (CSP) and Subresource Integrity (SRI).
It is the policy of the Drupal Security Team that site owners are responsible for monitoring and maintaining the security of third-party libraries and any non-Drupal components of the stack. In rare cases, the Drupal Security Team will post an informational public service announcement (PSA) such as this one, but the remit of the Drupal Security Team remains limited to code hosted on Drupal.org’s systems. Previous PSAs on third-party code in the Drupal ecosystem include:
- External libraries and plugins - PSA-2011-002
- Various Third-Party Vulnerabilities - PSA-2019-09-04
- Third-Party Libraries and Supply Chains - PSA-2024-06-26
Drupal's infrastructure maintainers, the Drupal Security Team, and Drupal core maintainers have received tips about this situation from several sources. Individuals in those groups have evaluated their exposure and we believe the Drupal project itself is not affected by this issue. If you have information about concerns that Drupal is affected, please reach out to us.
This post is likely to be updated as the situation evolves and more information is available.
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Tim Hestenes Lehnen (hestenet)
- Dave Long (longwave) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
- cilefen of the Drupal Security Team