We became aware on 2/4/25 that one of our upstream vendors, ToDesktop, had a vulnerability reported to them by an independent researcher. ToDesktop patched the vulnerability immediately and verified that no one had exploited it. This means no users were affected, and you do not need to take any action to be protected.

In response, we immediately migrated away from this vendor to our own self-hosted release system. Our list of upstream vendors and subprocessors is, as always, publicly accessible on our security page.

Please reach out to security@anysphere.inc with any questions.