Dear colleagues!
---
TL;DR: Please use `npm clean-install` to install npm dependencies and be careful when updating packages.
---
A little longer: Please be aware of the current supply-chain attack on the npm ecosystem:
* https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-at…
* https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm…
* https://www.paloaltonetworks.com/blog/cloud-security/npm-supply-chain-attac…
* https://www.heise.de/news/Neuer-NPM-Grossangriff-Selbst-vermehrende-Malware…
As far as we understand the situation, the attack is ongoing and additional packages might be affected in the course of future events.
On the bright side, we are safe if everyone uses `npm clean-install`, as this will always pull the exact versions that we have pinned in `package-lock.json`. These are (to the best of our knowledge...) not affected. Also, existing versions of npm packages won't be replaced with other code (again, to the best of our knowledge). If this is not true and you can indeed identify malicious packages in our npm dependencies, please don't hesitate to report them to security(a)ilias.de.
On the other hand, every operation that might update pinned packages (be it `npm install` or `npm update`) might pull versions of libraries that are indeed affected. Please make sure to understand the risk involved here and consider postponing any update of npm dependencies until the attack and its consequences are mitigated. If you indeed need to update npm dependencies now, please make sure to check the implied changes in `package-lock.json` thoroughly against an up-to-date list of affected packages.
It currently looks as if we are safe and can weather this situation just fine, which is a direct consequence of our tightened procedures around our dependencies, especially the centralized handling and the Dependency Jour Fixe. Good job everyone!
If there are any questions or ideas, feel warmly welcome to reach out to us via tb(a)ilias.de or Discord.
Kind regards!
Richard Klees
for the Technical Board of the ILIAS Society
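The review step the mail asks for (checking the changes a dependency update makes to `package-lock.json` against a list of affected releases), written out as an added example that is not part of the original mail or of the ILIAS code base. It assumes a lockfile with `lockfileVersion` 2 or 3 (the `packages` map); all package names, versions and integrity hashes below are constructed placeholders, and the affected list is a stand-in for a current advisory list.

```javascript
// Added example, not from the original mail: diff two package-lock.json documents
// (lockfileVersion 2 or 3, "packages" map) and flag entries whose new name@version is
// on a list of known-affected releases, plus entries whose version is unchanged but
// whose integrity hash differs. All package names and hashes here are constructed.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? lockPath : lockPath.slice(idx + 'node_modules/'.length);
}

// Map install path -> { name, version, integrity }, skipping the root entry "".
function installedPackages(lock) {
  const out = new Map();
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p === '' || !meta.version) continue;
    out.set(p, { name: packageNameFromPath(p), version: meta.version, integrity: meta.integrity });
  }
  return out;
}

// Returns [{ path, name, from, to, reason }] for every change that needs a review.
function findSuspectChanges(oldLock, newLock, affectedSpecs) {
  const affected = new Set(affectedSpecs);
  const before = installedPackages(oldLock);
  const findings = [];
  for (const [p, cur] of installedPackages(newLock)) {
    const prev = before.get(p);
    const base = { path: p, name: cur.name, from: prev ? prev.version : null, to: cur.version };
    if (prev && prev.version === cur.version) {
      // Same version string but a different tarball hash: a republished package.
      if (prev.integrity !== cur.integrity) findings.push({ ...base, reason: 'integrity-changed' });
    } else if (affected.has(`${cur.name}@${cur.version}`)) {
      findings.push({ ...base, reason: 'affected-version' });
    }
  }
  return findings;
}

// Constructed sample data standing in for JSON.parse(fs.readFileSync('package-lock.json')).
const OLD_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/example-color-lib': { version: '1.4.0', integrity: 'sha512-OLDAAA' },
  'node_modules/example-util': { version: '2.0.1', integrity: 'sha512-OLDBBB' } } };
const NEW_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/example-color-lib': { version: '1.4.1', integrity: 'sha512-NEWAAA' },
  'node_modules/example-util': { version: '2.0.1', integrity: 'sha512-NEWBBB' },
  'node_modules/example-new-dep': { version: '0.3.0', integrity: 'sha512-NEWCCC' } } };
const AFFECTED = ['example-color-lib@1.4.1', 'example-new-dep@0.3.0'];
console.log(findSuspectChanges(OLD_LOCK, NEW_LOCK, AFFECTED));
```

On a real checkout, `OLD_LOCK` would be the committed lockfile and `NEW_LOCK` the one produced by the update; an empty result means every changed entry is off the list and no pinned version was republished under the same number.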
Dear all,
We are postponing the release of ILIAS 9.14 today to next Tuesday 23 September due to pending fixes. We also intend to publish ILIAS 8.23 and 10.2 on next Tuesday.
Best regards
Fabian Wolf
Dear all,
We would like to publish ILIAS 9.14 on Tuesday, September 16, 2025.
If you need more time to fix issues that should become part of this release, please let me know.
Best regards
Fabian Wolf