
Security · 14 May 2026 · 11 min read
Mini Shai-Hulud: the npm Supply Chain Attack That Defeated Every Trust Signal
Three small misconfigurations chained into 84 malicious package versions, published by the maintainer's own pipeline, signed with valid provenance, and undetectable by every trust signal the JavaScript ecosystem currently offers.