Shai-Hulud: The First Self-Propagating npm Supply Chain Worm In September 2025, the JavaScript community experienced a watershed moment: the Shai-Hulud worm swept through npm, infecting over 100 popular packages. This attack was not just another instance of mal... DevSecOps GitHub incident response JavaScript malware npm security supply chain