npm
4 posts
Article
npm was never a trust boundary
Technical analysis of the Shai-Hulud npm supply chain attack hitting 314 packages including echarts-for-react, size-sensor, and timeago.js.
Article
Shai-Hulud worm compromises 314 npm packages
Shai-Hulud npm worm hits 314 more packages via compromised maintainer accounts. Mechanism, telemetry gaps, and residual exposure analyzed.
Article
Axios Compromise: What Actually Happened
An analysis of the axios supply chain compromise, focusing on how compromised credentials enabled malicious code distribution and why trust in software registries without verification is a systemic risk.
Article
The Advisory Told You to Update. It Didn't Tell You What's Already Running.
Applying the update the advisory recommends isn't enough. If your CI pipeline ran during the compromise window, the compromised code is baked into your container images and still running. Here's how to find it.