Front-End Fire

npm Under Siege: The “Shai-Hulud” Worm Attack

Sep 22, 2025
This week highlights a significant supply chain attack on npm by the Shai-Hulud worm, affecting various packages. To counter this, the hosts suggest practical defenses like two-factor authentication and version pinning. They delve into the exciting features of WebAssembly 3.0, which introduces larger memory capacities and garbage collection. The discussion also covers various options for running LLMs in browsers, reflections on in-person conferences like CascadiaJS, and even some light-hearted moments with a phishing link generator and the latest on Microsoft Paint. What's not to love?
INSIGHT

Worm-Based npm Supply-Chain Attack

  • The “Shai-Hulud” npm worm harvests tokens and cloud creds, then creates GitHub workflows to propagate and exfiltrate data.
  • It auto-executes via post-install scripts, enabling rapid self-replication across packages and repos.
ADVICE

Lock Dependencies And Enable 2FA

  • Lock dependency versions and use package-locks or npm shrinkwrap to prevent unexpected upgrades.
  • Enable two-factor auth for npm publishing and audit GitHub Actions for suspicious workflows.
ADVICE

Use Post-Install Controls And Release Age

  • Disable post-install scripts by default (pnpm offers this) to stop automatic execution of malicious code.
  • Set a minimum release age for packages to avoid consuming freshly published malicious releases.