Shai-hulud is a call to action on AppSec
ID: 475f7b0e-1ac7-5e74-adbe-7301d42e9925
STIX ID: report--475f7b0e-1ac7-5e74-adbe-7301d42e9925
Feed Name: ReversingLabs Blog
Trigger.dev's post-mortem examines the Shai-hulud npm worm incident, in which a malicious package used preinstall scripts to steal developer GitHub tokens and propagate across hundreds of npm packages and thousands of repositories. This allowed attackers to clone 669 repositories, create exfiltration repos, and attempt automated malicious pushes; GitHub branch protections limited the worst damage. The report outlines the mitigations Trigger.dev adopted (disabling npm scripts, moving to ephemeral OIDC tokens, enabling branch protection, upgrading to npm 10) and emphasizes organization-wide supply-chain controls: package provenance/attestation, binary analysis, dependency pinning, runtime monitoring, and elimination of long-lived local credentials.
