The npm Ecosystem Is Under Siege
Since August 2025, npm has suffered a relentless wave of supply chain attacks. The most notable is the Shai-Hulud worm, a self-replicating malware that has compromised over 1,500 packages across multiple variants. As of May 2026, there are at least six distinct Shai-Hulud versions, with no sign of stopping.
Timeline of Attacks
August 26, 2025 — s1ngularity / Nx Attack
Attackers exploited a GitHub Actions injection vulnerability in the Nx repository, stole npm publishing tokens, and pushed eight malicious versions of nx packages. The malware scanned filesystems for .env files, SSH keys, crypto wallets, and npm tokens. Critically, it weaponized local AI CLIs:
const cliChecks = {
claude: { cmd: 'claude', args: ['--dangerously-skip-permissions', '-p', PROMPT] },
gemini: { cmd: 'gemini', args: ['--yolo', '-p', PROMPT] },
q: { cmd: 'q', args: ['chat', '--trust-all-tools', '--no-interactive', PROMPT] }
};
These flags exist so that a developer can explicitly accept responsibility for unattended tool execution. The malware used them because we normalized their use. It exfiltrated secrets to a public GitHub repo (s1ngularity-repository) containing a double-base64-encoded file. It also appended shutdown commands to .bashrc and .zshrc. Final tally: 2,349 secrets stolen from 1,079 systems, 85% macOS, ~50% with AI CLIs.
September 8, 2025 — Qix Phished
Josh Junon (npm handle qix), maintainer of chalk, debug, and 15 other packages totaling 2.6 billion weekly downloads, fell for a phishing email from support@npmjs.help (a domain registered three days prior). He entered his password and TOTP code. Attackers pushed malicious versions of 18 packages containing a crypto-wallet drainer targeting Ethereum and Solana. Live for two hours.
September 15, 2025 — Shai-Hulud Mark I
The first self-replicating npm worm. Started with @ctrl/tinycolor and spread to over 500 packages, including some owned by CrowdStrike. Mechanism: postinstall script downloads TruffleHog (a legitimate secret scanner), finds GitHub/npm/AWS/GCP tokens, uses your npm token to enumerate your packages, republishes them with malware, dumps all secrets into a public repo named Shai-Hulud on your account, and flips private org repos public with a -migration suffix. No command-and-control server needed.
November 24, 2025 — Shai-Hulud 2.0: The Second Coming
Misspelled repo name "Sha1-Hulud". Compromised 796 packages (~20 million weekly downloads), including packages from Zapier, PostHog, Postman, and AsyncAPI. Key changes: preinstall script (runs before tests/security checks), installs Bun to evade Node.js monitoring, cross-victim exfiltration (dumps secrets to another victim's GitHub if yours fails), and destructive fallback that wipes your home directory.
February 20, 2026 — SANDWORM_MODE
Socket's research found a Shai-Hulud variant that injects prompt-injection payloads into AI coding assistants. It poisons .claude/ and .cursor/ config so your AI assistant leaks future secrets while appearing normal.
May 11, 2026 — Mini Shai-Hulud
Microsoft Security Research caught 170+ npm packages, 2 PyPI packages, 404 malicious versions — the first coordinated campaign spanning both ecosystems. Same playbook: Bun runtime, preinstall, GitHub exfil.
The "AI Did It" Arguments Debunked
Argument 1: AI-generated malware
Palo Alto's Unit 42 said they were "moderately confident" the Shai-Hulud bash script was AI-generated because it had comments and emojis. This is a vibes-based threat model. Malware authors have written malware for 40 years. AI didn't invent worms — the 1988 Morris worm was self-replicating and written in C.
Argument 2: AI CLIs are the problem
The s1ngularity malware spawned claude --dangerously-skip-permissions and gemini --yolo on victim machines. But it worked because the victim already had those CLIs installed and authenticated. The malware didn't bypass Claude's permission system — it used the flag you agreed to. Wiz's analysis: Claude rejected ~25% of malicious prompts, and Gemini was foiled ~25% of the time by workspace restrictions. The least cooperative link was the AI tools. The most cooperative link was npm running random shell scripts on install with zero sandboxing.
Argument 3: Slopsquatting
Slopsquatting is when an LLM hallucinates a package name, an attacker registers it, and the next user gets malware. A USENIX 2025 paper found ~20% of AI-recommended packages don't exist; 58% of hallucinated names repeat. Real cases: huggingface-cli on PyPI got 30,000+ downloads, react-codeshift on npm ended up in 237 GitHub repos. But the chain requires: AI hallucination → attacker registration → npm's zero-verification registration → developer running npm install without reading → postinstall script running arbitrary code → no sandboxing. Remove steps 3 through 6 and slopsquatting is harmless. This is a registry design and developer practice problem, not an AI problem.
The Real Culprit: npm's Design
npm runs arbitrary shell scripts on npm install via postinstall hooks. There is no sandboxing, no permission model, no isolation. This has been exploited for years. The Shai-Hulud worm is just the latest automation of an old attack.
What You Should Do Now
- Audit your dependencies — run npm audit and check for suspicious packages. Use tools like Socket or Snyk.
- Use --ignore-scripts for installs from untrusted sources: npm install --ignore-scripts.
- Never use --dangerously-skip-permissions or --yolo with AI CLIs. They exist for controlled environments, not production.
- Enable two-factor authentication on npm and GitHub. Use hardware keys if possible.
- Monitor your GitHub repos for unexpected public repos or renamed repos.
- Isolate your development environment — use containers or VMs for package installation testing.