Shai-Hulud: When a Supply-Chain Incident Turns Into a Worm by Lucie Cardiet
ID: f77e4fd1-60a2-529a-b2cd-82e2eaadd186
STIX ID: report--f77e4fd1-60a2-529a-b2cd-82e2eaadd186
Feed Name: Vectra AI Blog
**Shai-Hulud** is a supply-chain worm targeting JavaScript development workflows. It runs automatically when infected packages are installed and evades Node-focused defenses by using the Bun runtime. It harvests a wide range of credentials and cloud metadata, and publicly exfiltrates secrets by creating repositories under victims' GitHub accounts. It spreads through compromised maintainers and repositories, installs self-hosted GitHub Actions runners for durable persistence, and includes an optional wiper. The result is a stealthy, high-impact threat that leverages normal development trust to scale.
