Impact of SHA1-Hulud: The Second Coming on the Mintlify CLI
Blog post from Mintlify
On November 24, 2025, the Mintlify CLI was exposed to a supply chain attack, SHA1-Hulud: The Second Coming, which involved compromised npm dependencies and impacted over 25,000 repositories. The vulnerability arose because some of the CLI's dependencies were declared with flexible version ranges rather than exact versions, so a malicious release that satisfied the range was installed automatically. Within six hours, Mintlify had detected the issue, addressed it by releasing a secure version (4.2.210), deprecated the affected versions, and verified that its hosted services were unaffected because their dependency versions were locked. Users who installed the CLI during the attack window are advised to update immediately, clear caches, check for suspicious activity, and rotate any credentials that may have been exposed. As a preventive measure, Mintlify has strengthened its dependency pinning and alerting protocols to better handle future supply chain security incidents.
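The root cause described above, a flexible version range that lets `npm install` pull whatever newer release happens to be published, is something a project can check for itself. The following is an added example, not Mintlify's code: it classifies each specifier in a `package.json` as pinned, range, or other, looks the dependency up in a `package-lock.json` (lockfile versions 1 through 3), and flags the combination that made this incident possible, a range specifier with no lockfile entry fixing the resolved version. The manifest and lockfile are constructed inline, and the package names `some-dep`, `cli-helper` and `dev-tool` are hypothetical placeholders.

```javascript
// Added example, not Mintlify's own code: audit an npm manifest for
// dependency specifiers that let `npm install` resolve a newer (possibly
// malicious) release on its own, and report whether a lockfile pins them.
// The manifest and lockfile below are constructed; the package names
// "some-dep", "cli-helper" and "dev-tool" are hypothetical placeholders.

// Exact version: optional "=" or "v", then MAJOR.MINOR.PATCH with optional
// prerelease and build metadata.
const EXACT = /^=?v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Returns "pinned" for an exact version, "range" for any semver expression
// npm may resolve to a newer version, and "other" for non-registry
// specifiers (git, URL, file:, workspace:, npm: alias) that need review
// on their own terms.
function classifySpecifier(spec) {
  const s = String(spec).trim();
  if (EXACT.test(s)) return "pinned";
  if (["", "*", "x", "X", "latest"].includes(s)) return "range";
  if (/^[\^~<>]/.test(s)) return "range";                 // ^1.2.3, ~1.2, >=1.0.0
  if (/^\d+(\.\d+)?\.[xX*]$/.test(s)) return "range";     // 1.x, 1.2.*
  if (/^\d+(\.\d+)?$/.test(s)) return "range";            // "1" or "1.2" means 1.x / 1.2.x
  if (/\|\||\s-\s/.test(s)) return "range";               // unions and hyphen ranges
  return "other";
}

// Looks a dependency up in package-lock.json. lockfileVersion 2 and 3 keep
// a "packages" map keyed by path; lockfileVersion 1 keeps "dependencies".
function lockedVersion(lock, name) {
  if (!lock) return null;
  const entry = lock.packages && lock.packages[`node_modules/${name}`];
  if (entry && entry.version) return entry.version;
  const legacy = lock.dependencies && lock.dependencies[name];
  return legacy && legacy.version ? legacy.version : null;
}

// One finding per declared dependency. `risk` is true when the specifier is
// a range AND no lockfile entry fixes the resolved version: exactly the
// situation in which a freshly published malicious release is installed
// automatically.
function auditDependencies(manifest, lock) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const kind = classifySpecifier(spec);
      const locked = lockedVersion(lock, name);
      findings.push({ field, name, spec, kind, locked, risk: kind === "range" && locked === null });
    }
  }
  return findings;
}

// Constructed sample input: two runtime dependencies (one ranged, one exact)
// that the lockfile covers, and a ranged dev dependency the lockfile omits.
const manifest = {
  name: "example-cli",
  dependencies: { "some-dep": "^2.1.0", "cli-helper": "1.4.2" },
  devDependencies: { "dev-tool": "~0.9.0" },
};
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-cli" },
    "node_modules/some-dep": { version: "2.1.0" },
    "node_modules/cli-helper": { version: "1.4.2" },
  },
};

for (const f of auditDependencies(manifest, lock)) {
  const status = f.risk ? "RISK" : "ok  ";
  console.log(`${status} ${f.field}/${f.name} ${f.spec} -> ${f.locked ?? "not locked"}`);
}
```

Run against a real project, the same functions take the parsed `package.json` and `package-lock.json` from disk; the useful output is the `RISK` rows, which correspond to the unpinned-and-unlocked state the post identifies as the cause of the incident. A ranged specifier that is covered by a committed lockfile is reported as `ok` because `npm ci` will install the locked version, which is the protection Mintlify credits for its hosted services.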