Welcome to Radar Healthcare Assurance. Our commitment to data privacy and security is embedded in every part of our business. Use this Trust and Assurance Hub to learn about our security posture and request access to our security documentation.
NPM Supply Chain Incident – @tanstack Packages
Clarification on scope of update
The initial update referenced @tanstack packages as the primary focus, reflecting the dependencies in use within Radar Healthcare.
While this activity is consistent with a broader supply‑chain attack pattern (commonly referred to as “Shai‑Hulud”) affecting multiple npm namespaces, Radar Healthcare does not utilise the other identified packages within this wider campaign.
Our assessment was therefore scoped to the dependencies and environments in use, with @tanstack representing the relevant exposure for Radar Healthcare. All validation and assurances provided above relate to this confirmed scope.
On 11 May 2026 (19:20–21:30 UTC), malicious versions of several @tanstack npm packages were temporarily published and available for installation.
These packages were designed to identify further dependencies for infection and attempt to exfiltrate sensitive credentials (including npm, GitHub, AWS, Kubernetes, SSH and secret vault tokens).
Radar Healthcare conducted a review across all relevant repositories and development activity. This confirmed that:
- Affected dependencies were pinned to safe versions released prior to the incident
- No updates were applied during the exposure window
- Development environments were not impacted
Based on this assessment, no evidence of compromise to Radar Healthcare has been identified. Monitoring will continue as a precaution should further information emerge.
This incident reinforces the risk of open-source supply chain attacks. Radar Healthcare maintains robust controls over dependency management and monitoring and continues to enhance these as part of ongoing security improvement.
Security Advisory: Axios Supply Chain Incident – Impact Assessment and Position Statement
Axios is used within the Radar platform, primarily in the frontend, and may also appear as a transitive dependency in other services. Our production implementation is on version 1.9.0, and we have confirmed that we were not impacted by the recent supply chain compromise affecting specific Axios versions. No affected versions were installed or in use within our production environment during the relevant window. Indirect dependencies identified are on versions not associated with the reported incident and are managed in line with our vulnerability management process.
We continuously monitor third-party components through our secure development lifecycle, assessing and prioritising vulnerabilities based on risk, with remediation undertaken accordingly. Based on our review, we have identified no evidence that this issue has impacted the confidentiality, integrity, or availability of the Radar platform or customer data.
Security Advisory: Review of ChipSoft Ransomware Incident
We are aware of the recent ransomware incident involving ChipSoft. Radar Healthcare is not affected. As part of our internal continuous improvement process, we have reviewed the incident and its relevance to our threat landscape. We regularly assess sector-wide events to inform our security posture and ensure our controls remain robust and aligned with best practices.
Security Advisory Assessment – Cloudflare Vulnerabilities
Radar Healthcare has completed an assessment of the recently disclosed vulnerabilities relating to Cloudflare services.
Assessment Outcome: No impact to Radar Healthcare services or customer data.
This determination is based on the following:
- The ACME HTTP-01 certificate validation path vulnerability was remediated by Cloudflare at the provider level. Cloudflare confirmed no evidence of exploitation and that no customer action was required.
- The request smuggling vulnerability in the Pingora proxy framework (CVE-2025-4366) is not applicable to Radar Healthcare. The affected components (pingora-proxy and pingora-cache) are not used within our environment, and we do not operate on the Cloudflare free tier where exposure was limited. Cloudflare confirmed no evidence of exploitation and completed remediation within 22 hours of disclosure.
- Internal validation confirmed that our service configuration and architecture do not utilise the affected components or configurations.
Radar Healthcare continues to monitor vendor advisories and threat intelligence as part of its vulnerability management process.




