ZDNET's key takeaways
Shai-Hulud is the worst-ever npm JavaScript attack.
This software supply chain worm attack is still ongoing.
Here are some ways you can prevent such attacks.
For those of you who aren't Dune fans, Shai-Hulud are the giant sandworms of the desert planet Arrakis. You do not want to get in their way. Now, it's also the name of a self-replicating worm that compromised at least 180 npm packages, and perhaps as many as 500 of them.
This is a major security crisis for anyone who programs in JavaScript or uses the JavaScript runtime environment Node.js. JavaScript, by the way, is one of the most popular programming languages. This supply chain attack hits pretty much all JavaScript developers.
That's because Node Package Manager (npm) is JavaScript's default package manager and software registry. It enables developers to install, manage, and share packages -- prebuilt pieces of reusable code called modules -- that their JavaScript or Node.js projects depend on. npm is the largest such open-source package library. Essentially, everyone who uses JavaScript uses it.