1004

May 13th, 2026

TanHacked


Transcript

Scott Tolinski

TanStack got tan hacked. Vercel got their walled garden penetrated.

Scott Tolinski

After stealing content for years, Udemy got their content stolen.

Scott Tolinski

Lovable, they got their vibe snatched. And now Npm and Pnpm have been hit with a major supply chain attack targeting several popular JavaScript and Python packages.

Scott Tolinski

This is Shia LaBeouf. I mean, Shai Hulud, which is the latest worm in a series of Shai Hulud worms. The original Shai Hulud worm showed up back in September 2025, which feels like a century ago at this point, and where malicious versions of multiple popular packages were published to npm.

Scott Tolinski

They contained the post install script that harvested sensitive data, and sent it to GitHub public repos named Shai Hulud.

Scott Tolinski

So that's why we have the name Shai Hulud here. I also think that's a Star Wars thing. Shai Hulud. That's a sick hardcore band. If you're into hardcore music, look up Shai Hulud. Sick band.

Scott Tolinski

It's actually from the movie, Dune, by the way, in case you were wondering. We're just gonna run through, pissing off people here. The new Shai Hulud 2.0 dropped in November 2025, and PostHog got their hog posted.

Scott Tolinski

And, Zapier got zapped, and Postman also got their hog posted with the new Shai Hulud.

Scott Tolinski

And then it struck again, Shai Hulud 3.0 in December 2025.

Scott Tolinski

And now I don't know why they don't call this one Shai Hulud 4.0, but this is mini Shai Hulud.

Scott Tolinski

Yes. This is mini Shai Hulud. Yes. Right. It is mini. It's a little mini worm.

Scott Tolinski

Wes, Shai Hulud is a worm in Dune just in case you wanna get the reference if you've never seen the Dune movie, which I assume you have.

Wes Bos

This is insane.

Wes Bos

We're gonna go through what happened, how it happened, what did it do, and how you can protect yourself. But, like, man, I'm tired. This seems to be happening every single day, and how it happened is actually nuts. So what happened? The publishing sequence of TanStack, all of the TanStack packages along with several other packages in the ecosystem were compromised, and they were able to publish a new update of the package that then had, like, a post install script in it, and then that went in and harvested credentials. But how it actually happened? This was not like some maintainer got his, like, password stolen or something was run on their computer and it lifted credentials. How it actually happened was absolutely nuts. So what happened was GitHub Actions have caches.

Wes Bos

And when you send in a pull request to a repo, that repo may have several GitHub Actions that are in there. So in the case of TanStack, they had ones that would check the bundle size, make sure you're not accidentally sending in a pull request that's making the bundle size much bigger. And then there was other ones that would, like, check speed. You know, there's often, there's things that will simply just run every single time that someone sends in a pull request. Then there's other ones that are a little bit more elevated, which is, like, you don't actually want to, like, for example, if someone were to pull request against the Syntax website, we would have to approve that before it actually did a pull request deployment because they could be sending in code that would do malicious stuff.

Wes Bos

But what happened here is they took advantage of the fact that these GitHub Actions have a shared cache.

Wes Bos

And I guess when you're making a GitHub Action, there is a pull request.

Wes Bos

You can either have a pull request hook or a pull request target.

Wes Bos

And when you use pull request target, they then have a shared cache between other ones, and this took advantage of that by poisoning the pnpm store directory. So it built a brand new thing, and then it took its malicious code and injected it into the pnpm store, in a place where when something legitimate was merged that the Scott of the elevated release.yml workflow would run, it would know to actually look up this thing and run it.

Wes Bos

So they poisoned the pnpm store cache, and then turns out they just deleted all the code and then closed the PR, but that pnpm store cache was still poisoned.

Wes Bos

Then when a legitimate thing was merged, the release GitHub Action was run, and it looked it up. It had the poisoned cache, and it ran this script that was in there. That then failed. However, in the, like, cleanup code of it failing, it was able to capture what's an OIDC token, essentially, just like a JSON Web Token for npm. And then that was how they were able to then capture a legitimate npm publish token that can then be used to publish anything. Once you have that, you can then go ahead and publish more, yeah, compromised software straight to npm, which is nuts. Like, yeah. Like, I'll say this again. This was not somebody getting any of their credentials, you know, stolen at all. It was simply just somebody using the fact that they realized the pull request target was a potential target. Right? Yes.

Scott Tolinski

Yeah. Yeah. And this has been a known thing. I mean, this is something that, again, the original Shai Hulud did as well, I believe. So this is not a new attack surface.

Scott Tolinski

And, I know that, like, the Sentry folks have, like, security review AI skills, and I'll link to those below. But in their security review AI skill that's been there for it says, do not use this particular pull request target. I actually did a quick search on all my repos because I've vibe coded enough GitHub Actions, because I sincerely hate writing GitHub Actions, that I was like, maybe I do have this somewhere, but I don't, luckily. Man. And the crazy thing about this is

Wes Bos

it was like it was a worm. So once one of them was compromised, it was able to self propagate and publish through other packages, and then it sort of just, like, ate its way through the ecosystem. And it eventually got its way into, like, the Python package management system as well,

Scott Tolinski

which is absolutely nuts to see. Yeah. And it it's again, you know, we're talking about TanStack here. This has hit a lot of packages this morning.

Scott Tolinski

And this is just, at the time of recording this, a ton. Not only just the TanStack, there's a ton of UiPath packages, which I had never heard of UiPath before, but they have a lot of packages, and they got hit. Other popular packages are some, shoot. What was the one that I was oh, mistrial? Mistral. Mistral? Mistral? I always call it mistrial. I don't know why. Mistral got hit.

Scott Tolinski

CMUC's agent MCP, there's just a number of different packages that got hit that so this is not just Yarn you using TanStack or Scott. And I would imagine by the time all is said and done here, there will be even more. One interesting thing about the worm is that it tried to inject

Wes Bos

itself into other places that would autorun. So, like, at the end of the day, once this thing was published to the thing, it like, once the end user would then install it, it would have, like, a post install script that it would install from, like, a different location, and then it would run some stuff and try to harvest credentials. So it was looking sorry. I'm really blown out on my camera here. It would try to harvest, like, different credentials from AWS and what it's just looking for stuff on your computer. I'm sure that there was some endgame here. Probably half for we need more compute to run our hacks on and then half for we're actually looking for compromised information. But one thing it did do is it stuck stuff into other places that will automatically run code. So, it stuck it into the Claude settings JSON and the VS Code tasks.json, which when you fire up Claude or fire up VS Code, this will automatically execute.

Scott Tolinski

Yeah. I mean, this is how worms operate. Right? They move from place to place. They dig their nests.

Wes Bos

I mean, there's a reason why This is nuts. But another crazy thing is that the hackers installed a dead man switch. So if you did end up installing this thing on your computer, it would constantly ping out to the GitHub API to see if your GitHub token had been, like, rotated or if you had revoked your GitHub token. And if you had revoked your GitHub token, it would run rm -rf on your home directory.

Wes Bos

Oh.

Wes Bos

Oh. Yeah. Oh.

Scott Tolinski

Yeah. That stuff is freaky because I feel like there's just so many people who would not even know that this was on their machine. Maybe it's on their machine. They'd run it, and then goodbye to your life there. Man, that is, yeah. It's a scary thing to think about. And that dead man switch is, it's

Wes Bos

ruthless is what it is. Have backups, folks. Have backups. Let's talk about, like, how do you actually protect yourself, so if to stop this thing from happening to you. Like, I think, like, partially on the, like, maintainer side, obviously, don't use that pull request target in your GitHub Action. Right? Like, I feel for all the folks that work on TanStack because they have done so much to make sure that they were secure, but and it wasn't even that, like, somebody's computer was hacked. It was simply just some this, like, poisoning of a shared cache, which is nuts to think about. But, like, on, like, a user point of view, you know, like, how do you we're well Let's stick on the maintainer for just a second. Yeah. So, obviously, don't use that. There is a set of security review skills from the,

Scott Tolinski

Sentry team that are really worth checking out. I also use those in Wes stack skill tree. So if you're using AI, the security reviewer skill can definitely help if you are using AI for stuff. There's also a GitHub Actions scanner, made by SNYK

Wes Bos

Labs, who does a lot of SNYK Labs does a lot of is that that that has to be pretty clear. Anything today.

Scott Tolinski

I just say SNYK.

Scott Tolinski

I just I just that's not a word to me. That's a fake word.

Scott Tolinski

Sneak from Snyk Labs, this will scan your GitHub Actions for security issues, which they do great work over there, so that's an awesome thing to have in your tool. There's kinda, like, three big companies in this space right now. There's six Snyk Security. There's socket.dev, which we've had on the podcast.

Wes Bos

And then there's also the folks that did actually sort of release the thing was StepSecurity. So I saw Mhmm. Socket. Socket basically scans every single npm package that is ever published, and then they have whole we talked to Feross about how he does it. Right? They have a whole bunch of stuff. They look for common things. They look for obfuscated code. They look for they have a whole list of things to actually look for. And their system was able to detect it within six minutes, he said, which is great. And you have to wonder, like, why is npm not doing this? You know? That I think something's gotta change in this.

Wes Bos

This was not really an npm issue, but also, like, this is such a big ecosystem.

Wes Bos

Absolutely everything uses npm these days, and it's such a huge target, yeah, that they're obviously going to be targeted by these hackers. So I really think npm needs to step up here and implement some bigger things because they what? They have, like, two factor authentication.

Wes Bos

Now every time you wanna publish something, and then that seems to be, like, the only thing they've done in the last little while. I'm sure they've done more, but, like, they really need to be doing something like StepSecurity or,

Scott Tolinski

Socket's doing. Yeah. From JS a as a user, though, as a consumer of npm packages and let me tell you, open up wide, because you're getting gigabytes of npm packages on your machine.

Scott Tolinski

What can we do to help ourselves here? I think one of the things that people have been kind of going around and talking about is the minimum release age settings.

Scott Tolinski

I use pnpm instead of npm as my package manager, and pnpm has this on by default. So if you are a pnpm user, by default in the latest version, only packages that are twenty four hours old can be installed.

Scott Tolinski

So that's one thing. pnpm actually also blocks scripts from running by default. There's, like, a very annoying thing that pops up, and you have to approve the scripts. Well, this is why you have to approve the scripts from running.

Scott Tolinski

It's there to save you. So pnpm can feel obnoxious at first, but, again, that is saving your ass.

Scott Tolinski

And, also, pnpm isn't the only package manager with this minimum release age setting. All of them have it, but they don't have it on by default.

Scott Tolinski

So Yarn, Yarn has it with npmMinimalAgeGate, minimumReleaseAge in Bun, and min-release-age in .npmrc, which can we just these are, like we got hyphenated case here. We got camel case. We got all four different can we just agree on a property name in this setting? Like, who decided that npmMinimalAgeGate was a good property

Wes Bos

property name for that setting. That's ridiculous. pnpm let's just all standardize on the minimum release date. pnpm also has another setting, which is turned on in version 11, which is relatively new. So if you're using an older version of pnpm, which I think a lot of people probably are, it's called blockExoticSubdeps, which sounds kind of nice. But, essentially, with your package.json, you obviously can link to npm packages, and you say, okay. I want version I want Lodash version eight. Right? But that's not the only way to say where these packages come from. You can also link to specific Git commits.

Wes Bos

You can link to simply just external tarballs. And that's what was happening here, where when you installed it, it simply was linking to a dependency that lived on GitHub. So even if this, like, malicious code was not actually published to npm, it was just linking off to, like, a git repo somewhere. And then when you npm install, then it just goes and downloads that code from the actual resource. So this blockExoticSubdeps, when it's turned on, will not allow you to have those things that are not inside your package.json, inside of your root package.json. So, like, that's often the thing is that, like, eight levels deep of your package.json, there's some tiny little dependency that half the world is dependent on.

Wes Bos

That thing gets compromised, and then all the way up the package chain, everything is compromised. So that's another little step. And I think that's, yeah. pnpm is doing a great thing for the community here by just turning these things on by default. Yeah. It kinda feels like they're the only ones who care enough to turn those things on by default. Yeah. I don't know. I think also, like, npm has so many users that I'm sure they say, well, if we turn this on, it's gonna break so many things. Like, I'm sure they have, like, a 100 times the traffic and a 100 times the users.

Wes Bos

And, like, pnpm is used mostly by highly technical users, but you have to think, like, npm is used in, like, Node Assistant and in everyone's vibe coded apps. Like, I'm sure half the people using npm have no idea what npm is. And I'm sure if they flip any of these switches, it will just break a certain subset of people's apps.

Scott Tolinski

Yeah. I mean, I hear you on that, but, like, you have to wonder if these types of hacks are specifically targeting vibe coders who don't they just tell their agent to do whatever. Their agent installs a whole ton of stuff, and then they are nonetheless I think it's targeting anyone they can get access to. Right? Like I think it's targeting anyone they can get access to, but in the same regard, I feel like these things are way more likely to succeed with systems that are just installing things, yeah, without the user really knowing what they're bringing into their Well, I don't know. Like, I don't think that

Wes Bos

like, would this have got me? If I npm installed something, if I npm TanStack at the wrong time yesterday, it probably would've got me. Oh, yeah. You know? Totally. And I think I was just lucky that they didn't install something. And, like, you have these npm stuff installed in there, but sometimes you npm install something. Or sometimes you have an agent rip on a Scott, and it uses npm.

Wes Bos

So I think I certainly could have got got by this type of thing. I think anybody could get got for sure.

Scott Tolinski

Yeah. I I'm just wondering if, like, if, if if the susceptibility

Wes Bos

is a higher, the hit rate is higher. Sanity, like, they're probably looking for people inside of organizations that are, like like, vibe coding, like, apps to to get their work done. You know? Like, somebody that works at the power plant just whipped up a script to reply to their emails, and then bam.

Wes Bos

You know? Now that now they're in at the you gotta think, like, they're probably looking for something deeper or and or they're looking for compute so they can they can do more stuff. Yeah. Yeah. And another thing you can do here, folks, is if you want,

Scott Tolinski

you can start using dev containers.

Scott Tolinski

CJ, made a really great video called that you should be using dev containers explaining how to get set up with dev containers.

Scott Tolinski

That could help with the sandbox nature of this all. Right? If this script had access to remove your home directory, if it's inside of a container, you're a bit safer there. So, dev containers are certainly something that can at least protect your home system. Because, again, we've talked about this before, but it's wild that so many of us are just YOLO running.

Scott Tolinski

You know, you install npm, and all of a sudden, a bunch of stuff's being run on your computer, and you probably don't know it. Like, that's Wes you I mean, when you think about it, that's crazy. That's crazy that anybody would agree to that. If you were given a prompt, it's like, you I don't know. Like I Yeah. I don't know. Reminds me of, like, Little Snitch. Do you remember Little Snitch? That's the thing is that there's gotta be

Wes Bos

some middle ground between I don't wanna have to prove every little thing. Little Snitch is annoying.

Scott Tolinski

But Little Snitch is so annoying. Little Snitch, for people who don't know, is a software that scanned your network and, like, tried to approve or deny, like, every network request coming out of your machine. It was really super useful when you were absolutely

Wes Bos

not pirating Adobe Photos. And, like, Deno does this. Deno Wes. You approve every single outgoing network connection and file system access. And the reality is that people don't use that because it's annoying, and they just wanna let it rip. And everybody turns on Claude dangerously skip permissions, you know, or they use something that doesn't even have a security model. So, like, there's gotta be some sort of something. And I honestly, I think that the solution to this is going to be that the model actually will be able to detect what is possibly malicious and what is totally fine to run.

Wes Bos

But I think before we get there, we're gonna have a lot more of these hacks.

Scott Tolinski

Yeah. What's that? Mythos? The Anthropic model? You know what? It's funny. I did see a report today, you know, that Mythos that was supposedly this I'm not saying that Mythos isn't going to be game changing in this regard. I sincerely do not know.

Scott Tolinski

But I did see that the curl folks were like, yeah. Mythos found one security issue, but it also, like, fake or it also, like, made up, like, three of them. So we weren't super impressed. So I don't know. Curl, though. Curl.

Wes Bos

That's a pretty, like, hardened, low level tool. And for it to find one thing in such a big thing I'm That's pretty impressive. Listen. I don't have any, yeah, any amount of time. Who knows? It could be just drama that they're trying to spread. You know? Like, I don't believe much of what a lot of these people say until you actually see it. But in the same breath, I'll say I'm very impressed at everything that has happened in the last six months. Alright. Yes. Yeah. Well, when do you think the next hack's gonna be? Oh my gosh. I'm tired. I'm tired. I don't want anymore. June. Or One other thing is Socket has a CLI, which you can, like, socket npm install, and it just kinda sits in front of your npm command. And that will Scott hook into this type of thing. Because, like, if Socket finds it, but they haven't ripped it out of npm yet, then you're still gonna get got. So honestly, I don't use this myself. I probably should be now that I'm looking at it. Yeah. I think that's the name of the game is I don't use this or do this myself, but I probably should be.

Scott Tolinski

Here's something that you might not be using but you definitely should be is Sentry at sentry.io.

Scott Tolinski

Sentry is awesome for finding bugs, issues, errors, rage clicks, slow parts of your apps.

Scott Tolinski

It's really an essential toolkit for you to understand what the heck is going on in your application, whether that is with logs, errors, performance, any of that stuff. It even allows you to monitor things like your agents so that way you can make sure your spend is under control with how you're using agents.

Scott Tolinski

And Sentry just gets new features all the time. So check it out at sentry.io.

Scott Tolinski

Beautiful.

Wes Bos

Alright. Thanks for tuning in. Peace. Peace.
