Shai-Hulud: The NPM Worm That Spreads Like Virus

Welcome to the first minisode of Devolution where we dive into the devastating Shai-Hulud attack that shook the NPM ecosystem last year.

Nicky Pike breaks down how a self-replicating worm took control of over 25,000 GitHub repositories by exploiting a simple NPM command that every developer runs without thinking. From its rapid spread to its impact on household developer tools, this attack wasn’t just a breach; it was a full-blown software pandemic.

Listen in as we explore how this worm spread like wildfire and evaded detection, and the long-lasting implications it has for developer security. Get ready as we get into zero-day vulnerabilities and what we need to do to protect our development environments moving forward.

Don’t let the next Shai-Hulud catch you off guard.


In this episode, you’ll learn:

  1. How Shai-Hulud started as a simple NPM command and evolved into a self-replicating worm.
  2. Why big companies like PostHog and Trust Wallet were impacted despite having strong security measures, exposing critical vulnerabilities in their defenses.
  3. What you can do next by rethinking your security models to protect against evolving threats like Shai-Hulud.


Episode highlights:

  • (00:00) 25,000 Repos in 72 Hours: What Happened?
  • (00:30) The First Self-Replicating NPM Worm
  • (01:00) Shai-Hulud 2.0 Goes Exponential
  • (02:00) How It Bypassed Security & Harvested Secrets
  • (03:00) 400K Secrets Exposed & the Trust Wallet Fallout
  • (04:15) Why Traditional Developer Security Failed
  • (05:00) What Teams Must Change Now

Resources:

  • Widespread Supply Chain Compromise Impacting npm Ecosystem
  • The Shai-Hulud 2.0 npm worm: analysis, and what you need to know
  • Shai-Hulud 2.0 Supply Chain Attack: 25K+ Repos Exposing Secrets
  • Post-mortem of Shai-Hulud attack on November 24th, 2025
  • “Shai-Hulud” npm Attack: What You Need to Know
  • Inside Shai-Hulud’s Maw: How The NPM Worm Exploits And Propagates