UPDATE: 15-May-2026 Resolved.
GitHub organization is unlocked, CI/CD pipelines & GitHub Actions secrets have been rotated, and repositories are back online. Thank you for your patience.
===============================
Security Advisory: Compromised npm Development Packages
The OpenSearch Project has identified and remediated a supply chain attack involving the npm registry. A malicious actor gained unauthorized access to publish artifacts containing malware.
- Impacted Versions: the open source JavaScript client for OpenSearch (@opensearch-project/opensearch), versions 3.5.3, 3.6.2, 3.7.0, and 3.8.0.
- Scope: These are unreleased development versions. Previously released stable packages were not compromised. Downstream product or service releases are not affected.
- Timeline: The compromise occurred at approximately 8:30 p.m. EDT on May 11. Malicious packages were removed from npm by 11:00 p.m. EDT the same evening.
Action Required: If you downloaded or installed @opensearch-project/opensearch during this ~2.5-hour window:
- Treat the host environment as compromised.
- Immediately rotate all credentials and secrets accessible from that system.
- Remove the package and reinstall from a verified source.
Current Project Status:
- GitHub organization is locked.
- CI/CD pipelines and GitHub Actions are paused for full secret rotation.
- Repositories are expected to remain offline until May 13.
Refer to the GitHub advisory for technical details and remediation steps.