<![CDATA[One infection, two registries.]]>One infection, two registries. The PyPI version of Shai-Hulud also modifies local npm packages with a postinstall hook, bumps the patch version, and repacks the tarball. Publish from your local environment and the malware spreads to npm.

The attack surface is not one registry. It is all of them.

]]>https://board.circlewithadot.net/topic/31b20806-b7ce-4766-bf0b-36268975501c/one-infection-two-registries.RSS for NodeFri, 15 May 2026 04:34:27 GMTThu, 30 Apr 2026 20:08:40 GMT60