The Shai-Hulud Attack: Post-Mortem, Best Practices, and Security Tools

Shai-Hulud Post-Mortems

  • Post-mortem of Shai-Hulud attack on November 24th, 2025 - PostHog - The Shai-Hulud attack on PostHog involved a malicious worm exploiting compromised GitHub credentials to publish harmful npm packages, highlighting the need for secure CI workflows and vigilant credential management; developers should check for malicious files, clean caches, and pin dependencies to safe versions.

  • GitLab discovers widespread npm supply chain attack - GitLab’s Vulnerability Research team uncovered a large-scale npm supply chain attack using evolved “Shai-Hulud” malware with a “dead man’s switch” that threatens data destruction if disrupted, highlighting the need for robust security measures and dependency scanning in the Node.js ecosystem.

Shai-Hulud Best Practices & Insights

  • NPM Security Best Practices: How to Protect Your Packages After the 2025 Shai Hulud Attack | Snyk - The article highlights essential npm security practices post-2025 Shai Hulud attack, emphasizing the need for safe-by-default settings, supply chain hardening, and deterministic installs to protect against remote code execution and credential theft. Key recommendations include disabling post-install scripts, using cooldown periods for new package versions, employing tools like npq for pre-install checks, and ensuring lockfile integrity. Developers are urged to use 2FA, publish with provenance, and reduce dependency trees to minimize attack surfaces, while maintaining vigilance with continuous monitoring and secure development environments.

  • NPM security: preventing supply chain attacks | Snyk - Liran Tal’s article on Snyk highlights the growing threat of supply chain attacks in the npm ecosystem and offers practical security measures for developers, such as using tools like lockfile-lint and npq, avoiding blind dependency upgrades, and being cautious of dependency confusion and Trojan source attacks.

  • Do not use secrets in environment variables and here’s how to do it better - Storing secrets in environment variables is risky due to poor management, potential leaks through SSR, logs, and process lists, and exposure in Docker images; instead, use secrets management services for better security and compliance.

Supply Chain Security Tools & Resources

  • npq - npq is a tool that audits npm packages before installation by checking for vulnerabilities, typosquatting, and other risks, offering a safer alternative to npm install by requiring user confirmation on potential issues.

  • GitHub’s lirantal/awesome-nodejs-security: Awesome Node.js Security resources - Liran Tal’s curated list of Node.js security resources offers a comprehensive guide to secure coding practices, tools for static and dynamic analysis, input validation, and protection against common vulnerabilities like CSRF and ReDoS, making it an essential resource for developers aiming to enhance their security posture in the Node.js ecosystem.

Notable Mentions

Cuenv - David Flanagan’s cuenv is a type-safe environment variable management tool for application configuration, with a general executor that fetches secrets at runtime rather than storing them in the environment.

Varlock - Varlock is another new secrets management tool aimed at teams, with type-safety built-in and support for multiple environments and secrets vaults.

Dotenvx - Dotenvx marks the next generation of dotenv libraries, focusing on security and type safety for managing environment variables in Node.js applications across teams, based on secret encryption and GitHub repository storage.


Node.js Security Newsletter
