Poisoned Packages: Auditing the NPM Supply Chain
Sep 18, 2025 · 3 min read

The Attack That Targeted the Supply Chain

The npm ecosystem faced what security researchers call a watershed moment in September 2025 when a self-replicating worm, dubbed "Shai-Hulud," compromised over 500 packages. Named after the massive sandworms ...