What happened

Between 11:00 AM and 12:00 PM (UTC), our monitoring systems detected abnormal and automated behaviour linked to a malicious dependency used in developer environments.

According to our internal audit logs:

• Several repositories in developer environments created suspicious branches consistent with the sha1-hulud attack pattern.
• Approximately 141 repositories in developer machines were created and pushed to github.com as public repos along with 5 using a service account with passwords from 2 of our developers and our service account.
• The malicious package was traced to a recently-updated version of kill-port, which aligns with public reports of the attack campaign.
• New NPM packages with the affected package was published.
  

How we detected it

Our internal alerting systems (AWS Guarduty) flagged unusual, automated repository activity consistent with code injection patterns.

The incident was detected within minutes, and our engineering & security teams immediately initiated incident response procedures.

Based on audit logs reviewed across AWS, GitHub, NPM, CircleCI, and Doppler, we confirmed the following that no customer information was leaked and no access to our environment was done.

Immediate actions taken

Within minutes of detection, we executed a full containment and remediation procedure, including:

1. Credential revocation & rotation

We immediately revoked and recreated all access tokens associated with affected development accounts:

• GitHub: service accounts and impacted developer tokens
• AWS: all associated IAM access keys
• NPM: all tokens belonging to affected users
• Doppler: dev service accounts tokens were revoked
  

2. Automated removal of malicious branches

All suspicious branches were automatically deleted across affected repositories.

3. CI/CD cleanup

• All CI caching layers were cleared.
• CI/CD secrets were re-generated.
• Pipelines were fully re-validated.

4. Package hardening

All affected services were updated to pin the dependency version and ensure malicious versions cannot be reintroduced.

5. Device remediation

Developer machines identified as affected were fully wiped and restored from clean baselines.

5. Re-publish packages

All packages were re-published without the affected package.

Impact assessment

After reviewing all audit logs, traffic logs, package registries, and access patterns, we can confirm:

• No customer data was accessed or exposed.
• No customer environments, projects, or assistants were accessed.
• No infrastructure access occurred.
• The attack was contained to local development environments and open-source repository metadata, consistent with the public behavior of the sha1-hulud worm.
• Versions of our packages were published for a short time containing the malicious packages, these were removed quickly.. Please check Annex to see the affected packages and versions
  

Ongoing and future mitigations

Voiceflow is implementing additional controls to prevent recurrence:

• Mandatory dependency pinning for all internal services.
• Expanded supply-chain scanning in CI across NPM ecosystems.
• Automatic blocklisting of known malicious NPM versions.
• Hardening of developer machine baselines and continuous package integrity checking.
• Strengthened behavior-based intrusion detection in GitHub and CI systems.
  

Customer Impact

There is no impact to Voiceflow customers, agents, data, or environments.

All systems remain fully operational, and no customer action is required. If customers would like to update their dependencies, use the latest version of our NPM packages published on November 25th, 2025.

We are sharing this advisory transparently to keep you informed and to demonstrate our commitment to rigorous supply-chain security.