Malicious npm packages just leveled up: this one dropped a self-spreading worm that hijacks repos and leaks secrets the moment it lands. It abuses `postinstall` scripts to run TruffleHog and swipe tokens straight from your codebase. Then it uses GitHub Actions to exfiltrate the loot and auto-publish more poisoned packages—spreading the infection across orgs whenever new tokens pop up in CI/CD. This is the first time JavaScript’s supply chain has seen something this self-replicating. It’s not just malware—it’s an outbreak.
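The attack chain above starts with an install-time lifecycle hook, so the first thing a defender can do is enumerate every `preinstall`/`install`/`postinstall`/`prepare` script in a dependency tree and flag the ones that call a secret scanner, fetch from the network, or reference credential files. The following is an added example, not code from the original post or from any npm tooling; the indicator regexes and the three sample `package.json` manifests are constructed here for illustration.

```python
"""Flag npm install-time lifecycle scripts that look like install-time secret
theft.  Added example; the indicator list and the sample manifests below
are constructed assumptions, not real packages."""
import json
import re
from typing import Dict, List

# Lifecycle hooks that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# (label, pattern) pairs a defender might want to see in an install hook.
# These are illustrative heuristics, not an authoritative signature set.
INDICATORS = [
    ("secret-scanner", re.compile(r"\btrufflehog\b", re.IGNORECASE)),
    ("network-tool", re.compile(r"\b(curl|wget)\b", re.IGNORECASE)),
    ("url", re.compile(r"https?://", re.IGNORECASE)),
    ("inline-or-encoded-code", re.compile(r"node\s+-e\b|\beval\(|base64", re.IGNORECASE)),
    ("credential-reference", re.compile(r"NPM_TOKEN|GITHUB_TOKEN|GH_TOKEN|\.npmrc", re.IGNORECASE)),
]


def find_risky_install_hooks(package_json_text: str) -> List[Dict[str, object]]:
    """Return one finding per install-time hook in a package.json.

    Every install hook gets severity "review": it runs arbitrary code with the
    installing user's privileges, and the real payload may live in a bundled
    .js file the command line never reveals.  Severity is raised to "high"
    when one or more indicators match the command itself.
    """
    try:
        manifest = json.loads(package_json_text)
    except json.JSONDecodeError:
        return []  # not a manifest we can reason about
    scripts = manifest.get("scripts") or {}
    if not isinstance(scripts, dict):
        return []
    findings = []
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if not isinstance(command, str):
            continue
        hits = sorted({label for label, rx in INDICATORS if rx.search(command)})
        findings.append({
            "package": manifest.get("name", "<unnamed>"),
            "hook": hook,
            "command": command,
            "indicators": hits,
            "severity": "high" if hits else "review",
        })
    return findings


def scan_manifests(manifests: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan a mapping of path -> package.json text (for example every
    node_modules/*/package.json) and return findings, high severity first."""
    results = []
    for path, text in manifests.items():
        for finding in find_risky_install_hooks(text):
            finding["path"] = path
            results.append(finding)
    results.sort(key=lambda f: (f["severity"] != "high", f["path"]))
    return results


# Constructed sample manifests for illustration (not real packages).
SAMPLE_MANIFESTS = {
    "node_modules/native-addon/package.json": json.dumps({
        "name": "native-addon", "version": "2.1.0",
        "scripts": {"postinstall": "node-gyp rebuild"},
    }),
    "node_modules/shiny-utils/package.json": json.dumps({
        "name": "shiny-utils", "version": "0.0.9",
        "scripts": {
            "test": "jest",
            "postinstall": "trufflehog filesystem . --json && node upload.js",
        },
    }),
    "node_modules/pure-lib/package.json": json.dumps({
        "name": "pure-lib", "version": "1.0.0", "scripts": {"build": "tsc"},
    }),
}

if __name__ == "__main__":
    for f in scan_manifests(SAMPLE_MANIFESTS):
        print(f"[{f['severity']}] {f['path']} {f['hook']}: "
              f"{f['command']!r} {f['indicators']}")
```

Run against a real tree by reading each `node_modules/*/package.json` into the mapping. The blunt mitigation for CI is to stop lifecycle hooks from running at all (`npm ci --ignore-scripts`, or `ignore-scripts=true` in `.npmrc`) and to allow them only for the handful of packages that genuinely need a native build; the "review" findings above are exactly that allow-list candidate set.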