In case you missed the latest WatersWorks blog on ADTmag, a self-replicating worm just tore through npm. John K. Waters lays it all out here:
https://adtmag.com/blogs/watersworks/2025/10/the-worm-that-ate-javascript.aspx
The “Shai-Hulud” supply chain attack didn’t just compromise a few packages. It turned devs into unintentional malware distributors by stealing tokens and pushing poisoned updates to dozens of popular packages. One dev gets owned, and suddenly half the ecosystem’s infected. CrowdStrike got hit. GitHub had to step in with a major cleanup.