29 Dec 2025, 2:28 p.m.
From: Colin McGregor via Talk <talk@lists.gtalug.org>
So, how can you protect yourself from Shai-Hulud 2.0 when using npm?
npm has always been a security disaster. Not just the two Shai-Hulud worms. That's why I don't intentionally use npm. But things I do use probably do use it. It looks as if folks are trying to address this problem, but fixes are a Work In Process. <https://openjsf.org/blog/publishing-securely-on-npm> I think that all public repos of source have this problem but JavaScript has it worse than most others.