The Shai-Hulud worm turns npm into a live supply-chain weapon, twice in three months
A self-propagating package worm stole developer credentials in September and returned in November with a more destructive payload, forcing a category of defences npm did not previously need.
Supply-chain attacks on npm are not new. A self-propagating worm that authenticates to the registry as a compromised developer and publishes trojanised versions of that developer's packages without their knowledge is. Shai-Hulud surfaced in September 2025, spread through the ecosystem at a rate CISA described in its alert as widespread, and then came back in November as Shai-Hulud 2.0 with a fallback payload Unit 42 reports can attempt to wipe the compromised user's home directory.
For most of the past decade, the npm threat model was some combination of typosquatting, dependency confusion, and abandoned-maintainer takeovers. Those are still live, and still the majority of incidents. Shai-Hulud is categorically different. It targets the token material of active maintainers, harvests GitHub PATs and cloud keys, and then — this is the crucial part — republishes packages those maintainers own with worm code embedded. Each infection produces more infections. The malware's own name, borrowed from Dune, is the closest the attackers have come to publishing a design document.
The specific blast radius, by the time Unit 42 published its November follow-up, extended across tens of thousands of GitHub repositories and roughly 350 unique maintainer identities, with the worm persisting on the registry for long enough that mainstream dependencies including parts of the chalk and debug lineage were hijacked in parallel campaigns through September. GitLab and Red Hat published parallel advisories; GitHub tightened token-issuance defaults; Microsoft attributed a separately attributed Axios compromise in March 2026 to the DPRK-affiliated actor tracked as Sapphire Sleet, suggesting at least one state-aligned operator has been watching the technique.
The winners, in the bleak sense, are the registry-level defence vendors whose pitch is now survivable rather than aspirational — Snyk, Socket, StepSecurity, and the small set of policy-driven dependency allowlisting tools. The losers are the maintainers of individual open-source packages who carry the token material, the operational burden, and none of the revenue, and whose options now include mandatory hardware-key enrollment on pain of effective excommunication from the registry.
What the worm forecloses is the assumption that npm's trust model — implicit, maintainer-centric, and largely unverified at the registry boundary — can scale safely into a decade of AI-assisted code generation that pulls from it. It cannot. What it opens is the long-overdue rebuild of package provenance: signing, attestation, publisher identity, and consumption-side policy controls. The work is underway. It should have been underway a decade ago.