[kwlug-disc] NPM supply chain worm
Khalid Baheyeldin
kb at 2bits.com
Wed Sep 17 17:28:51 EDT 2025
I have always thought that NPM's governance makes
NPM packages a very insecure platform to build stuff on.
For years, whenever I have encountered a nifty piece
of software that I need, but it requires NPM, I would
definitely pass.
Now there is another example of a supply chain attack: a
self-replicating worm (dubbed Shai Hulud; Dune fans will
know the relation).
https://thehackernews.com/2025/09/40-npm-packages-compromised-in-supply.html
https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again
--
Khalid M. Baheyeldin