NPM Supply Chain Attack »Shai Hulud 2.0«
He who controls the NPM package repository controls the Universe. To maltreat the famous Dune quote (which, strictly speaking, is not from the book but from David Lynch's movie). Anyhow, this new NPM malware is of the worm variant: it spreads itself by publishing into further packages, and it is named after Herbert's sandworms, »Shai Hulud«. I find the naming too surface level. Wow, they are both worms. Cool. The worms in Dune are part of a delicate, self-sustaining ecosystem, not parasites tearing through whatever they can find in order to spread further and further out.
Alright, I was about to call it quits on the autism, but this is a document about a cyber security attack and Dune lore. Autism will continue until morale improves. So, regarding the attack itself, it is actually pretty clever. Start by tricking a few people out of their credentials, gain covert access to their accounts, and use that access to publish your malware into the packages those accounts maintain, so the poisoned versions arrive under a trusted name and look clean. Every install of a poisoned version harvests more credentials, which buy access to more accounts and more packages. Keep going. It is essentially impossible to be sure that any package you install will not expose you... Fun times, and not the first time the NPM ecosystem has revealed its weaknesses. You cannot even trust that well-respected code bases are not hit, since one of their 1170 package dependencies might be compromised, at first degree, second degree, third degree, whatever. Trust nothing; verify everything; get owned anyway.