Executive Summary
The security of the npm ecosystem reached a critical inflection point in September 2025. The Shai-Hulud worm, a self-replicating malware that automated the compromise and redistribution of malicious packages, marked the end of the “nuisance” era of npm attacks and the beginning of a high-consequence threat landscape.
Since that watershed moment, Unit 42 has tracked an aggressive ...
The Shai-Hulud incident represents a paradigm shift in supply chain attacks, where threat actors have moved beyond opportunistic exploits to systematic, infrastructure-level compromises. The attack's sophistication—self-replicating malware, multi-stage payloads, and dual exfiltration—demonstrates a deep understanding of modern software development pipelines. The use of legitimate distribution channels (npm, Docker Hub, GitHub Actions) to spread malware underscores the vulnerability of trust-base...