NPM supply chain attack - again

PSA: Careful with NPM today, Shai-Hulud is back and replicating itself across npm.

If you have shared secrets, or npm push access, refresh your tokens. If you’ve pushed to npm in the last day, recheck your dependencies.

Update: Here are a couple of links to what’s going on with this and lists of what packages are affected:
shai-hulud-2-0-ongoing-supply-chain-attack
shai-hulud-strikes-again-v2

GitHub CI/CD is the weak link here, outside of npm install scripts.

3 Likes

Gosh.. Thanks for the note!

1 Like

NP. I have to keep up on it anyway - so when I see it I’ll msg if I’m around. Pretty important since we all use npm and it impacted over 12k packages and not small ones either.

Still an issue. I’ll update when I know it’s been cleared up.
I would suggest that in the future you start eyeing Deno as an alternative.

2 Likes

It only gets worse. Not 100% clear on the first, and now React + Next.js have a bad one. So, update your code and get the patches where possible. This is a shell vuln.

React: CVE-2025-55182
Next.js: CVE-2025-6478

This can affect any project using React Server Components with App Routing, including Vite. Make sure to update to the latest and patch up.

1 Like

shoutout to my gut for steering me clear of node ;p

1 Like

It’s more community lunacy + laziness.. React’s issue should never have happened. I mean they’re paid big bucks to tout themselves as super devs. They should’ve caught that they were allowing unvarnished access to page objects, or worse, with what they left open.