Certinia Security Advisories
| Date | Topic | Name | Description |
|---|---|---|---|
| November 26, 2025 | Advisory | Shai-Hulud 2.0 | Supply chain attack |
| September 3, 2025 | Advisory | Nx/s1ngularity | Supply chain attack |
| September 3, 2025 | Advisory | Drift/Salesloft | Chatbot compromise |
| July 1, 2024 | Advisory | Polyfill | Polyfill vulnerability |
| April 1, 2022 | Advisory | Spring4Shell | Spring4Shell vulnerability (CVE-2022-22965) |
| December 11, 2021 | Advisory | Apache Log4j2 | Apache Log4j2 vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105) |
| January 5, 2018 | Advisory | Meltdown & Spectre Vulnerabilities | Vulnerabilities affecting a wide range of computer processors |
Date: November 26, 2025
Security Advisory: Shai-Hulud 2.0
Between November 21 and 23, 2025, approximately 700 npm packages were temporarily trojanized, allowing the attacker to execute arbitrary commands on infected systems. At Certinia, we leverage an artifact registry that mirrors popular open source dependency registries such as npm. This centralized approach allows us to analyze the use of open source across our entire ecosystem holistically.
Our team actively monitors threat intelligence feeds and performs regular impact assessments for high-severity events. In the case of Shai-Hulud 2.0, the turnaround time was under an hour from receipt of the advisory. We did not encounter any instances of infected components in our ecosystem.
In summary, this supply chain attack did not affect Certinia or our customers.
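The kind of check a mirrored registry makes possible is to compare every package version actually installed across projects against the list published for an incident. The following is an added illustration, not Certinia's tooling: it walks an npm lockfile (both the lockfileVersion 2/3 "packages" map and the older version 1 nested tree) and reports any package@version pair that appears in an advisory list. The advisory entries and the lockfile are constructed placeholders; a real run would load the pairs published for the incident and the lockfiles held in the registry or repositories.

```python
"""Check an npm lockfile for package versions named in an advisory.

Added illustration (not Certinia's tooling). The advisory list and the
sample lockfile below are constructed placeholders.
"""
import json
from typing import Iterator, List, Set, Tuple

# Constructed placeholder advisory: (package name, trojanized version).
ADVISORY: Set[Tuple[str, str]] = {
    ("example-lib", "1.4.2"),
    ("@example/cli", "3.0.1"),
}

# Constructed sample lockfile in the lockfileVersion 3 layout. The "packages"
# map is keyed by install path; the root project is the "" entry.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"example-lib": "^1.4.0"}},
        "node_modules/example-lib": {"version": "1.4.2"},
        "node_modules/safe-lib": {"version": "2.0.0"},
        "node_modules/safe-lib/node_modules/@example/cli": {"version": "3.0.1"},
    },
})


def _name_from_path(path: str) -> str:
    """Derive the package name from a lockfile install path.

    The name is everything after the last 'node_modules/' segment, which
    keeps scoped names such as '@example/cli' intact.
    """
    marker = "node_modules/"
    idx = path.rfind(marker)
    return path[idx + len(marker):] if idx != -1 else path


def installed_packages(lockfile: dict) -> Iterator[Tuple[str, str]]:
    """Yield (name, version) for every installed package in the lockfile.

    Handles lockfileVersion 2/3 ("packages" map) and the older version 1
    nested "dependencies" tree, so nested copies are not missed.
    """
    packages = lockfile.get("packages")
    if isinstance(packages, dict):
        for path, meta in packages.items():
            if path == "" or "version" not in meta:
                continue  # root project or a link entry without a version
            yield meta.get("name") or _name_from_path(path), meta["version"]
        return

    def walk(deps: dict) -> Iterator[Tuple[str, str]]:
        for name, meta in deps.items():
            if "version" in meta:
                yield name, meta["version"]
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lockfile.get("dependencies", {}))


def find_advisory_hits(lockfile_text: str, advisory=ADVISORY) -> List[Tuple[str, str]]:
    """Return sorted (name, version) pairs present in both the lockfile and the advisory."""
    lockfile = json.loads(lockfile_text)
    hits = {pkg for pkg in installed_packages(lockfile) if pkg in advisory}
    return sorted(hits)


if __name__ == "__main__":
    for name, version in find_advisory_hits(SAMPLE_LOCKFILE):
        print(f"ADVISORY MATCH: {name}@{version}")
```

Matching on the exact (name, version) pair rather than on the name alone matters for this class of incident, where only specific published versions were trojanized and the same package at other versions is unaffected.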
Date: September 3, 2025
Security Advisory: Nx/s1ngularity
We were made aware of the Nx “s1ngularity” compromise, a sophisticated supply chain attack in late August 2025 targeting the popular build system Nx. Attackers compromised a maintainer’s npm token and used it to publish malicious versions of several Nx packages to the npm registry.
At Certinia, we performed an exhaustive review to determine if there was any presence of the malicious package versions, and we can confirm that these have not been downloaded onto any Certinia applications, devices, or servers.
In summary, this supply chain attack did not affect Certinia or our customers.
Date: September 3, 2025
Security Advisory: Drift/Salesloft
During review of our threat intelligence feeds, we were made aware of the Drift/Salesloft compromise, which took place in August 2025. This was a significant supply chain attack that leveraged stolen OAuth tokens to breach hundreds of organizations. The attackers, a group tracked by Google’s Threat Intelligence Group (GTIG) as UNC6395 (also known as GRUB1), exploited the Salesloft Drift chatbot service’s integrations with other platforms.
The data exposed consisted of full support case details, which could lead to further risks such as credential or PII exposure.
We can confirm that at Certinia, we do not leverage the Drift chat agent and are not materially impacted by this attack.
Date: July 1, 2024
Security Advisory: Polyfill
We were made aware through our threat intelligence feeds of a supply chain attack in which the official CDNs used to host the polyfill.js JavaScript library were used to serve malware. After analysis, we confirmed that none of our products use polyfill.
It’s important to note that Certinia’s Salesforce applications do not pull third-party libraries from remote, untrusted CDNs; instead they follow Salesforce best practices and host copies of these libraries within the packages themselves. Finally, the third-party dependencies we include in our packages are scanned for vulnerabilities with our software composition analysis (SCA) solution before the packages we release to our customers are built.
In summary, this vulnerability was not found to affect any Certinia customers.
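The control described above (libraries bundled inside the package rather than loaded from a remote CDN) can be enforced with a simple source check. The following is an added illustration and not Certinia's own tooling: it scans markup for `<script src>` and `<link href>` references and reports any that resolve to a host outside an allowlist, treating relative paths as bundled resources and protocol-relative `//host/...` URLs as external. The sample markup and the allowlist are constructed.

```python
"""Flag script/stylesheet references that load from external hosts.

Added illustration (not Certinia's tooling). The sample markup and the
allowlist below are constructed placeholders.
"""
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Hosts from which script/style resources may be loaded. Constructed
# placeholder; resources served from the package itself use relative
# paths and never reach the host comparison.
ALLOWED_HOSTS = {"localhost"}

# Matches <script src=...> and <link ... href=...> with double, single or
# no quotes around the URL.
_REF_RE = re.compile(
    r"""<(?P<tag>script|link)\b[^>]*?\b(?P<attr>src|href)\s*=\s*"""
    r"""(?P<q>["']?)(?P<url>[^"'\s>]+)(?P=q)""",
    re.IGNORECASE,
)

# Constructed sample page mixing bundled and remote references.
SAMPLE_PAGE = """<!-- constructed sample -->
<html><head>
<link rel="stylesheet" href="/resource/app.css">
<script src="/resource/vendor/lodash.min.js"></script>
<script src='https://cdn.example.net/polyfill.min.js'></script>
<script src=//cdn.example.org/lib.js></script>
<script src="https://localhost/dev.js"></script>
</head></html>"""


def external_resource_refs(markup: str, allowed_hosts=ALLOWED_HOSTS) -> List[Tuple[str, str]]:
    """Return (tag, url) for each script/link reference whose host is not allowlisted.

    Relative URLs have no host and are treated as bundled with the package.
    Protocol-relative URLs (//host/path) are resolved as https so that the
    host is still checked.
    """
    findings: List[Tuple[str, str]] = []
    for m in _REF_RE.finditer(markup):
        url = m.group("url")
        host = urlparse("https:" + url if url.startswith("//") else url).hostname
        if host is None:
            continue  # relative reference: served from the package itself
        if host.lower() not in allowed_hosts:
            findings.append((m.group("tag").lower(), url))
    return findings


if __name__ == "__main__":
    for tag, url in external_resource_refs(SAMPLE_PAGE):
        print(f"EXTERNAL {tag}: {url}")
```

Run against a repository's markup as a build or pre-commit check, a non-empty result is the signal that a third-party library is being pulled from a host the application does not control.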
Date: April 1, 2022
Security Advisory: Spring4Shell
We are aware of the remote code execution vulnerability known as ‘Spring4Shell’, discovered in VMware’s widely used Spring IO (tracked as CVE-2022-22965), and on March 31st, 2022 started an investigation into the applicability and potential impact of this vulnerability to Certinia. Towards this, we have been running targeted code scans and monitoring third-party advisories. Thus far we have identified 5 internal projects which use the affected Spring versions; however, the original proof-of-concept depends primarily on Tomcat, which is not used within our infrastructure, potentially making any exploitation moot. Lastly, we are currently reviewing any patch upgrades required to mitigate this vulnerability.
In summary, we have not discovered any compromise as a result of this vulnerability.
Date: January 6, 2022 | 4pm UTC
Security Advisory: Apache Log4j2
At Certinia, trust is our number one value. We want to alert you to an important security issue and let you know how we are addressing it.
We are aware of the Apache Log4j2 vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105), and on December 11, 2021 started an investigation into the applicability of these vulnerabilities to Certinia. We have concluded that we do not run the Log4j2 component and have not found any internal instances supporting our service which are affected by the Apache Log4j2 vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105). Towards this, we conducted a thorough investigation and scanned all HTTP resources, finding one partially vulnerable resource which we have patched accordingly. We will continue to monitor the impact of these vulnerabilities and will take the necessary remediation steps as required. Salesforce, our sub-processor, is currently remediating on their end; status can be read here and here.
Thank you for putting your trust in Certinia.
Date: January 5, 2018
Security Advisory: Meltdown & Spectre Vulnerabilities
At Certinia, trust is our number one value. We want to alert you to an important security issue and let you know how we are addressing it.
Earlier this week it was reported that most central processing units (CPUs) may contain two critical security vulnerabilities, dubbed “Meltdown” and “Spectre.” Like most companies, Certinia uses systems that are impacted by these vulnerabilities.
Nothing is more important to us than the security of our customers’ data. As part of our Security and Trust Program, we continuously monitor our systems for threats and vulnerabilities, including attempts to exploit Meltdown and Spectre. So far, Certinia has not seen any indications of attempts to exploit these vulnerabilities against our systems. We are also actively monitoring for updates by chip makers and operating system providers, and applying security patches to our systems as they become available. In addition, we are communicating with key vendors – including Salesforce, which hosts our products – on their progress in patching their systems and monitoring for potential attacks.
Thank you for putting your trust in Certinia.