Self-Propagating JavaScript Worm "Shai-Hulud" Infects Over 500 npm Packages in Major Supply Chain Attack
A self-propagating JavaScript worm named "Shai-Hulud" has compromised over 500 npm packages, exposing a serious weakness in software development environments. The worm harvests developer credentials and cloud tokens from infected machines, using secret-scanning tools such as TruffleHog, and then uses the stolen npm tokens to inject malicious scripts into other packages maintained by the compromised accounts. Once a package is infected, the worm automatically republishes a trojanized version with modified package files to propagate further. It also creates public GitHub repositories that expose the stolen credentials and pushes malicious GitHub Actions workflows to maintain persistent data exfiltration. The attack mainly targets Linux and macOS systems and skips Windows, and it exploits npm's transitive dependency model, in which one compromised package reaches every project that depends on it directly or indirectly, to spread widely across the JavaScript ecosystem. The incident underscores the risks inherent in automated package publishing and the software supply chain, and it has prompted urgent calls for stricter controls, including phishing-resistant two-factor authentication for maintainers, rotation of exposed tokens, and continuous monitoring of published packages, to prevent similar outbreaks in the future.
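The summary names two channels the worm uses to spread and persist: scripts injected into packages that run automatically during installation, and GitHub Actions workflows added to repositories. The following defensive audit, added here as an example and not code from the original report or from any affected project, walks a dependency tree for install-time lifecycle hooks and compares a repository's workflow files against a reviewed allowlist. It assumes that injected code is triggered through npm lifecycle hooks (the summary says only "malicious scripts"), so it treats every such hook as worth a human look; the sample package.json and workflow names are constructed for the demonstration.

```python
"""Defensive audit for the two propagation channels described above:
install-time scripts inside npm packages and unexpected GitHub Actions
workflows. Example code, not part of the original report."""
import json
from pathlib import Path

# Lifecycle hooks that npm runs automatically during `npm install`.
# Assumption: injected code is wired into one of these hooks.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def audit_package_json(text: str) -> list:
    """Return (package name, hook, command) for every install-time hook.

    Every hit is a finding: most legitimate packages need no install hook,
    and the command should be read by a reviewer before being trusted.
    """
    pkg = json.loads(text)
    scripts = pkg.get("scripts") or {}
    name = pkg.get("name", "<unnamed>")
    return [(name, hook, scripts[hook]) for hook in INSTALL_HOOKS if hook in scripts]


def audit_node_modules(root: Path) -> list:
    """Walk an installed dependency tree (transitive dependencies included,
    since npm nests them under node_modules) and collect all findings."""
    findings = []
    for manifest in root.glob("**/package.json"):
        try:
            findings.extend(audit_package_json(manifest.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
    return findings


def audit_workflows(present: list, allowlist: set) -> list:
    """Return workflow file names found under .github/workflows that are not
    on the repository's reviewed allowlist. A workflow nobody added on
    purpose is exactly the persistence artifact the summary describes."""
    return sorted(set(present) - set(allowlist))


# Constructed sample input: a manifest with an install hook, as a
# trojanized package would carry, beside one with only a build script.
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "example-widget",
    "version": "1.2.3",
    "scripts": {"postinstall": "node setup.js", "build": "tsc"},
})
CLEAN_MANIFEST = json.dumps({
    "name": "example-clean",
    "version": "0.1.0",
    "scripts": {"build": "tsc", "test": "jest"},
})

# Constructed sample input: files present in .github/workflows versus the
# set the team has reviewed and expects.
PRESENT_WORKFLOWS = ["ci.yml", "release.yml", "unknown-added.yml"]
EXPECTED_WORKFLOWS = {"ci.yml", "release.yml"}


if __name__ == "__main__":
    for finding in audit_package_json(SUSPICIOUS_MANIFEST):
        print("install hook:", finding)
    for name in audit_workflows(PRESENT_WORKFLOWS, EXPECTED_WORKFLOWS):
        print("unexpected workflow:", name)
    # Against a real checkout: audit_node_modules(Path("node_modules"))
```

Run it against a project's `node_modules` directory and its `.github/workflows` listing after every dependency update; a non-empty result is a review queue, not a verdict, since a few legitimate native-addon packages do use install hooks.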