Shai-Hulud

GitHub outlines changes to harden npm after self-replicating worm incident

Cybercrime, News, Risk, Vendors, Vulnerabilities

September 25, 2025

GitHub said a self-replicating “Shai-Hulud” worm compromised maintainer accounts and injected malicious post-install scripts into npm packages, and outlined changes including required 2FA, short-lived granular tokens and trusted publishing to harden npm’s supply chain.