Self-replicating worm hits 180+ npm packages in (largely) automated supply chain attack
A supply chain worm called **Shai-hulud** is loose in the npm wild. It's not just lurking—it’s replicating through npm packages, lifting developer tokens, and injecting tainted versions of real, maintained libraries. Once in, it grabs GitHub secrets, flips private repos public, and piggybacks on Gi..