The Armis Trust Center offers resources that highlight our unwavering commitment to safeguarding customer data. Here, you will find detailed information about Armis' trust practices, covering aspects such as security, privacy, compliance, and general infrastructure documentation. Security is a core element of our product strategy, and we build our platform following industry best practices to ensure high availability, scalability, and robust security for cloud-based applications. Our security program is rigorously monitored and assessed to ensure it consistently meets or exceeds regulatory standards and customer expectations.
Documents
Security Advisory
Armis Advisory Regarding Emergency Directive 25-03: Identify and Mitigate Potential Compromise of Cisco Devices 🔔
Dear Valued Customer,
Armis has reviewed a recent Cybersecurity and Infrastructure Security Agency (CISA) Emergency Directive affecting Cisco Adaptive Security Appliances (ASA) and verified that Armis is not impacted by these vulnerabilities.
Background
On September 25, 2025, CISA issued an Emergency Directive in response to active, widespread exploitation of Cisco Adaptive Security Appliances (ASA). Advanced threat actors are leveraging vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to achieve unauthenticated remote code execution on affected ASA devices.
Impact on Armis
Armis is not impacted and does not have any of the affected appliances deployed within our operating environments.
Customer Action
No action is required from customers regarding this matter.
We continuously monitor security advisories from our vendors to ensure the integrity and security of our products. For any further questions, please contact Armis Support.
Sincerely,
The Armis Team
Security Advisory
Armis Advisory Regarding Supermicro BMC Firmware Vulnerabilities (CVE-2025-7937, CVE-2025-6198) 🔔
Dear Valued Customer,
In line with our commitment to transparency, Armis has reviewed two recently disclosed Supermicro BMC firmware vulnerabilities (CVE-2025-7937 and CVE-2025-6198) and verified that Armis appliances are not impacted.
Background
On September 24, 2025, Supermicro announced two medium-severity vulnerabilities, CVE-2025-7937 and CVE-2025-6198, affecting the Baseboard Management Controller (BMC) firmware on a specific list of their motherboard models.
The vulnerabilities are related to an Improper Verification of Cryptographic Signature, which could potentially allow a specially crafted firmware image to bypass security checks and update the system firmware.
Impact on Armis Appliances
After a thorough review of the Supermicro security disclosure, we have confirmed that Armis does not use any of the affected motherboard models listed in the vendor's advisory. Therefore, Armis products are not susceptible to these vulnerabilities.
Customer Action
No action is required from customers regarding this matter. Armis appliances are secure and not at risk from these specific vulnerabilities.
We continuously monitor security advisories from our vendors to ensure the integrity and security of our products. For any further questions, please contact Armis Support.
Sincerely,
The Armis Team
Security Advisory
Security Advisory: Armis Unaffected by "Shai-Hulud" npm Supply Chain Attack 🔔
Dear Customer,
Armis is actively tracking an ongoing software supply chain attack named "Shai-Hulud," involving malicious packages published to the npm registry on September 15, 2025.
Our security team has conducted a thorough investigation, and we can confirm that the Armis Centrix platform is not affected by this campaign. Our review has verified that we do not utilize any of the hundreds of malicious package versions identified in this attack.
Background on the "Shai-Hulud" Campaign
The "Shai-Hulud" campaign delivers data-stealing malware through a post-install script embedded in compromised npm packages. The attack specifically targets the software development lifecycle (SDLC) and developer workstations.
Execution: Once a developer installs a malicious package, the script activates and harvests sensitive data, including environment variables, cloud keys, and other secrets.
Data Exfiltration: This data is then exfiltrated to public GitHub repositories named "Shai-Hulud" created by the attacker.
GitHub Token Abuse: If the malware finds developer GitHub tokens, it abuses them in order to create public repositories with the stolen secrets, push malicious GitHub Actions workflows to other repositories, and migrate private organizational repositories to public ones under the attacker's control.
Propagation: The attack is a self-propagating worm. If it finds additional npm tokens in a victim's environment, it will automatically publish malicious versions of any packages it can access, spreading the compromise further.
Security researchers assess that this activity is likely a downstream result of a separate campaign that occurred in late August 2025, where initial GitHub token theft enabled this broader attack.
Our Commitment to Security
The security of our platform and the trust of our customers are our highest priorities. The Armis team's robust supply chain security practices and continuous monitoring were effective in preventing any impact from this threat.
While the Armis platform is not impacted, we strongly recommend that your development and security teams assess their own environments for exposure.
If you have any questions or concerns, please do not hesitate to contact Armis support.
Sincerely,
The Armis Team
Reference: Key Facts of the "Shai-Hulud" Campaign
Initial Compromise: Malicious versions of multiple npm packages were first published on September 15, 2025.
Attack Vector: The malware is delivered via a post-install script in the compromised packages.
Data Harvested: The script uses secret scanning tools to find and collect sensitive developer assets, environment variables, and cloud keys.
Exfiltration Method: Stolen data is exfiltrated to public GitHub repositories named "Shai-Hulud."
Propagation Mechanism: The malware is a self-propagating worm that uses stolen npm tokens to publish new malicious packages.
GitHub Abuse: Stolen GitHub tokens are used to expose secrets, spread malicious workflows, and migrate private repositories to public ones with the label "Shai-Hulud Migration."
Security Advisory
🔔Security Advisory: Armis Unaffected by Malicious npm Packages
Dear Valued Customer,
Armis is aware of a recent software supply chain attack involving malicious versions of highly popular npm packages, which were published starting on September 8, 2025.¹
Following a thorough investigation, we have confirmed that the Armis platform and all Armis products are not affected by this incident. Our security team has verified that none of the compromised package versions were incorporated into our software.
Background on the npm Package Compromise
On September 8, 2025, malicious versions of 18 popular npm packages, including debug and chalk, were published.² On September 9, additional packages such as @duckdb/duckdb-wasm were also reported as compromised.³
The malware is designed to execute in a user's web browser when a website or application serves the compromised code.⁴ Its primary functions are to:
- Hook into browser functions to monitor for cryptocurrency transactions.⁵
- Silently rewrite transaction details, such as wallet recipients, to redirect funds to an attacker-controlled address before the user signs the transaction.⁶
- Use "look-alike" addresses to hide the malicious change from the user in the UI.⁷
The highest risk is for public-facing websites, dApps, and payment widgets that may have bundled these specific malicious versions and deployed them to users.⁸ The risk is considered lower for exclusively server-side applications where the malicious code would not be served to a browser.⁹
Our Commitment to Security
The security of our platform and the trust of our customers are our highest priorities. The Armis Security team continuously monitors our software supply chain to protect against threats like this.
While the Armis platform is not impacted, we recommend your development teams review their own applications to ensure they are not using the malicious versions of the affected packages.
If you have any questions or concerns, please do not hesitate to contact Armis support.
Sincerely,
The Armis Security Team
References
¹ Malicious releases of 18 popular npm packages were published on September 8, 2025.
² Malicious new versions of 18 popular npm packages, including debug@4.4.2 and chalk@5.6.1, were published to npm on September 8, 2025.
³ On September 9, 2025, JFrog reported that more packages were affected, including @duckdb/duckdb-wasm@1.29.2.
⁴ When bundled into frontend assets and deployed on a website, the malicious code runs in visitors' browsers.
⁵ The malware overrides global fetch and XMLHttpRequest, and wallet interfaces like window.ethereum and Solana signing calls.
⁶ The injected code runs in the browser and can silently redirect crypto transactions (recipients/approvals) to attacker-controlled addresses.
⁷ It uses "look-alike" address substitution so the UI can look normal while the signed payload is altered.
⁸ High risk applies to any site or app that bundled these specific versions and served them to browsers, including dApps and payment/donation widgets.
⁹ There is a lower risk for pure server-side use of these packages (Node-only), as the payload is browser-oriented.
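The review recommended above can start from the project's lockfile. The following is an added example, not Armis code: it checks a parsed package-lock.json for the three versions named in the references and lists packages that declare install-time scripts, the delivery mechanism described for "Shai-Hulud". The function names and the sample lockfile are assumptions made for illustration.

```javascript
// Versions named in this page's references; the full lists are longer and
// must come from the published advisories, not from this example.
const KNOWN_BAD = new Set([
  'debug@4.4.2',
  'chalk@5.6.1',
  '@duckdb/duckdb-wasm@1.29.2',
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

// Audit a parsed package-lock.json (lockfileVersion 2 or 3).
function auditLockfile(lock, knownBad = KNOWN_BAD) {
  if (!lock || typeof lock.packages !== 'object' || lock.packages === null) {
    throw new Error('expected a lockfile with a "packages" map (v2 or v3)');
  }
  const compromised = [];
  const installScripts = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === '' || !meta.version) continue; // root project or link entry
    // "name" is recorded when the install path differs from the real name.
    const id = `${meta.name || packageName(path)}@${meta.version}`;
    if (knownBad.has(id)) compromised.push({ id, path });
    // Packages that run install-time scripts: a review list, not a verdict.
    if (meta.hasInstallScript === true) installScripts.push({ id, path });
  }
  return { compromised, installScripts };
}

// Constructed sample lockfile; demo-app, lib-a and native-thing are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/chalk': { version: '5.6.1' },
    'node_modules/debug': { version: '4.4.1' },
    'node_modules/lib-a/node_modules/debug': { version: '4.4.2' },
    'node_modules/@duckdb/duckdb-wasm': { version: '1.29.2' },
    'node_modules/native-thing': { version: '2.0.0', hasInstallScript: true },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

To audit a real project, pass the result of `JSON.parse` on the contents of its package-lock.json to `auditLockfile`.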
Security Incidents Update
Security Notification: Salesloft Drift Incident 🔔
Dear Valued Customer,
At Armis, the security of our data and our customers’ data is our highest priority. In the spirit of full transparency, we are writing to inform you of a security incident experienced by one of our third-party vendors, Salesloft, which affected their Drift application.
What Happened
On August 20, 2025, Salesloft began notifying its customers of a security issue within its Drift application. The issue was later confirmed to be a data breach intended to compromise the integration connections between Drift and Salesforce. As a user of this application, Armis was notified and immediately began monitoring the situation.
Armis's Proactive Response and Containment
Our security and business applications teams took immediate action. In an abundance of caution, on August 20, 2025, we proactively severed the integration between our internal Salesforce environment and the Salesloft Drift application. Our decision to disable the integration was validated when Salesforce took the industry-wide step of disabling all Salesloft integrations on its platform on August 29, 2025. This action was taken well ahead of Salesloft’s decision to take the Drift service fully offline on September 2, 2025.
Impact on Armis and Customer Data
Due to these swift and proactive containment measures, we have no evidence to suggest that any Armis data or customer information was compromised or affected by this incident. Our internal monitoring and third-party risk intelligence from our Panorays platform support this conclusion, indicating that the breach event did not impact our company.
Our commitment to a robust vendor risk management program enabled us to react quickly to this external event, ensuring the continued security of our environment. We will continue to monitor the situation with Salesloft and will only consider re-establishing the integration when we are completely satisfied with their security posture.
Thank you for your continued trust in Armis.
Sincerely,













