A supply chain worm called **Shai-hulud** is loose in the npm wild. It's not just lurking—it’s replicating through npm packages, lifting developer tokens, and injecting tainted versions of real, maintained libraries. Once in, it grabs GitHub secrets, flips private repos public, and piggybacks on GitHub Actions to spread wherever CI/CD pipelines let it.
