npm Security

Security vulnerabilities and threats specific to the Node Package Manager ecosystem and JavaScript package distribution

Shai-Hulud Supply Chain Attack: How npm Tokens Became Million-Dollar Keys

Jan 5, 2026

—

by

Peter Chofield

in Cyber News & Updates

Shai-Hulud demonstrates how compromised npm tokens became a self-replicating worm affecting hundreds of packages, exposing 400,000 developer secrets and enabling the $8.5 million Trust Wallet crypto theft.