Strengthening supply chain security: Preparing for the next malware campaign
ID: fa33f530-15f3-5ae9-9300-7af3d8dc30fd
STIX ID: report--fa33f530-15f3-5ae9-9300-7af3d8dc30fd
Feed Name: GitHub Security Lab
This report summarizes the Shai-Hulud multi-wave supply-chain campaign, which abused compromised maintainer credentials and malicious post-install lifecycle scripts to harvest tokens, self-replicate across npm packages, and target CI/publishing pipelines. It highlights rapid attacker iteration and key TTPs, recommends mitigations for maintainers (phishing-resistant MFA, token rotation, sandboxing), and outlines GitHub/npm roadmap plans (bulk OIDC onboarding, expanded OIDC providers, and staged publishing) to harden publication workflows.
