npm Under Siege: The “Shai-Hulud” Worm Attack

Full Description

The supply chain attacks on npm continue and this week, Crowdstrike’s npm packages fell victim to the “Shai-Hulud” worm. Once the malware’s installed it searches for local tokens and cloud credentials, inserting GitHub Action workflows into other repos, and exfiltrates sensitive data to hardcoded webhook endpoints. To mitigate the potential of downloading these malicious packages, consider pinning specific package versions in JS projects, using 2FA to publish new package versions to npm, and taking advantage of new features pnpm is adding like minimumReleaseAge that delays installation of newly released dependencies and disabling post install scripts from packages by default. Also this week, WebAssembly Specification (Wasm) released v3.0. This version dramatically expands the memory Wasm apps can use, supports multiple memory usage, and now allows garbage collection. It’s been a while since we last covered LLM options for folks who want to run their own models locally or in the browser, so Jack gives a quick rundown of some of the best options out today. There’s WebLLM from MLC, MediaPipe from Google, and ONNX from Microsoft, and although none are easily interchangeable with another, if cost, privacy, or working offline are concerns of your LLM-enabled app, these may be good options to explore. In bonus news, GitHub’s created an official MCP registry making it easy to find, install, and start using MCP servers with any MCP-capable AI agent. And, much to everyone’s surprise, Microsoft Paint is still around, and getting its own Photoshop-like project files? Yes indeed, Paint creations, which now have such features as transparency mode and layers, will soon be able to be saved as .paint files so users can pick up right where they left off, just like Photoshop. Better watch your back, Adobe.