A compromised npm account infected 314 JavaScript packages — including popular ones like size-sensor and echarts-for-react with millions of monthly downloads — with malware that steals credentials for cloud platforms, GitHub, and npm, and uses GitHub as a command-and-control backdoor. The attack, which unfolded in just 22 minutes, follows the same pattern as a similar incident three weeks ago and is part of an ongoing wave of npm supply chain attacks dubbed "Shai-Hulud." Developers who installed affected versions are advised to rotate all credentials, while npm owner GitHub has said little about the continuing series of incidents.
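As an added example (not code from the article, npm or GitHub), this Node.js function inventories every copy of the two packages named above in a parsed `package-lock.json`, whether direct or transitive. The article lists no affected version numbers, so the `affected` map and the sample lockfile below are constructed placeholders; replace them with the versions published in the advisory.

```javascript
// Added example. WATCHLIST holds the two package names given in the article.
const WATCHLIST = ["size-sensor", "echarts-for-react"];

// Package name from a lockfile v2/v3 "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b". Root key "" -> null.
function nameFromPath(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? null : key.slice(i + "node_modules/".length);
}

// Walk the nested "dependencies" tree used by lockfile v1.
function walkV1(deps, trail, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = trail ? `${trail} > ${name}` : name;
    out.push({ name, version: meta.version, path });
    walkV1(meta.dependencies, path, out);
  }
}

// Return every installed copy of a watched package.
// affected: map of name -> array of bad versions (assumption: taken from the advisory).
function findWatched(lock, watchlist = WATCHLIST, affected = {}) {
  const all = [];
  if (lock.packages) {
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (meta.link) continue; // workspace symlink, carries no version itself
      const name = meta.name || nameFromPath(key); // meta.name is set for aliases
      if (name) all.push({ name, version: meta.version, path: key });
    }
  } else {
    walkV1(lock.dependencies, "", all);
  }
  return all
    .filter((p) => watchlist.includes(p.name))
    .map((p) => ({
      ...p,
      status: (affected[p.name] || []).includes(p.version) ? "AFFECTED" : "review",
    }));
}

// Constructed sample lockfile (v3 shape); all version numbers are made up.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/echarts-for-react": { version: "0.0.1" },
    "node_modules/echarts-for-react/node_modules/size-sensor": { version: "0.0.2" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};
console.log(findWatched(SAMPLE_LOCK, WATCHLIST, { "size-sensor": ["0.0.2"] }));
```

To check a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` as the first argument. Any hit marked `AFFECTED` means the credentials reachable from that machine or CI runner should be rotated, as the article advises.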