npm Under Siege: The “Shai-Hulud” Worm Attack

The supply chain attacks on npm continue and this week, Crowdstrike’s npm packages fell victim to the “Shai-Hulud” worm. 

To mitigate the potential of downloading these malicious packages, consider pinning specific package versions in JS projects and using 2FA to publish new package versions to npm.

Also this week, WebAssembly Specification (Wasm) released v3.0. This version dramatically expands the memory Wasm apps can use, supports multiple memory usage, and now allows garbage collection.

It’s been a while since we last covered LLM options for folks who want to run their own models locally or in the browser, so Jack gives a quick rundown of some of the best options out today. 

There’s WebLLM from MLC, MediaPipe from Google, and ONNX from Microsoft, and although none are easily interchangeable with another, if cost, privacy, or working offline are concerns of your LLM-enabled app, these may be good options to explore.

Chapter Markers:

• 00:58 - npm supply chain attack
• 16:28 - Wasm 3.0
• 23:34 - LLM options in the browser
• 34:41 - Jack’s experience at CascadiaJS and a discussion on the value of in-person conferences in 2025
• 41:54 - GitHub’s new MCP registry
• 43:26 - Microsoft Paint is getting project files
• 46:54 - What’s making us happy

Links:

• Paige - “Shai-Hulud” supply chain attack on npm continues against Crowdstrike npm packages and pnpm 10.16 minimumReleaseAge setting
• Jack - LLM options in the browser: WebLLM, MediaPipe, ONNX
• TJ - Wasm 3.0
• GitHub’s new MCP registry
• Microsoft Paint is getting its own Photoshop-like project files
• Paige - Great British Bake Off season 16 is back!
• Jack - Yoyos
• TJ - phishyurl.com

Thanks as always to our sponsor, the Blue Collar Coder channel on YouTube. You can join us in our Discord channel, explore our website and reach us via email, or talk to us on X, Bluesky, or YouTube.

• Front-end Fire website
• Blue Collar Coder on YouTube
• Blue Collar Coder on Discord
• Reach out via email
• Tweet at us on X @front_end_fire
• Follow us on Bluesky @front-end-fire.com
• Subscribe to our YouTube channel @Front-EndFirePodcast