charlieeriksen.bsky.social
@charlieeriksen.bsky.social
I published a blog post with more data on how the Shai-Hulud attack unfolded. Evidence pointing to the fact that most packages were uploaded by the attackers, rather than being organically infected. And the mistakes the attackers made.

www.aikido.dev/blog/bugs-in...
Bugs in Shai-Hulud: Debugging the Desert
The Shai Hulud worm had some bugs of its own, and required patching by the attackers. We also look at a timeline of events, to see how it unfolded.
Good call. We've fixed the versions, and the dev team is having a conversation to see how close to 0 dependencies they can get.

Thanks! 🙏
Reposted
Le maintainer: “I’ve been pwned. Sorry everyone, very embarrassing.”

Brian Krebs covered the npm supply chain compromise, featuring insights from our own @charlieeriksen.bsky.social, who broke the news.

Full article → krebsonsecurity.com/2025/09/18-p...
@bad-at-computer.bsky.social Would you be open to chatting with us (@advocatemack.bsky.social) for our Bad Dependencies podcast to discuss your experience as a maintainer? I think it'd be fascinating to hear the more "human" side to this :)
Sleep well! I can't imagine the amount of stress you must have felt. But you did right by the community. Thank you! ❤️
I figured. The process with npm is quite slow and frustrating a lot of the time :(
Yes, the npm abuse/reporting system leaves a lot to be desired.
For reference, simple-swizzle is still compromised :(
Reposted
Yep, I've been pwned. 2FA reset email, looked very legitimate.

Only NPM affected. I've sent an email off to @npmjs.bsky.social to see if I can get access again.

Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up.
@bad-at-computer.bsky.social Hey. Your npm account seems to have been compromised. 1 hour ago it started posting packages with backdoors to all your popular packages.
What was the email address it came from? Did you invalidate all tokens on the account too? Attackers tend to leave those as backdoors.
Reposted
Introducing Aikido SafeChain 🔒⛓️

SafeChain wraps every npm, yarn, pnpm, and npx install. It blocks malware in real time, with zero changes to your workflow.

Free. Open Source. Powered by Aikido Intel.

Don’t trust your terminal. Defend it.