- 19th September 2025
Shai Hulud weaponised npm’s trust model: stolen maintainer creds, poisoned tarballs, and stealthy GitHub Actions that exfiltrate secrets and persist in CI. 500+ packages were touched in days, starting with @ctrl/tinycolor. This analysis maps the blast radius and delivers a practical remediation plan—pin versions, block direct npm with a proxy, rotate tokens, and strip backdoor workflows—grounded in ASPM and reachability.
Francesco Cipollone