Why does this keep happening?

Syntax | 00:23:17 | May 13, 2026
The chapter introduces a wave of supply‑chain attacks affecting major packages and platforms, highlighting how attackers breached popular ecosystems and what that means for developers' security.

The Shai-Hulud worm exploits GitHub Actions caches to steal npm publish tokens; users should tighten supply chain security now.

Summary

Syntax's Shai-Hulud explainer dives into a sweeping supply-chain attack that touched TanStack, Vercel, Udemy, Lovable, and even Python ecosystems. The host explains how the attack leveraged a poisoned pnpm store cache via GitHub Actions and pull_request_target behavior, enabling a post-install script to harvest credentials. Wes walks through the chain, from the original Shai-Hulud worm in September 2025 to 2.0 in November and 3.0 in December, illustrating how attackers piggyback on trusted tooling to propagate. He emphasizes that the breach wasn't a single compromised password but a larger attack surface around CI workflows and caches. The discussion covers how dead-man switches and token exfiltration work, and why this type of worm can auto-propagate across packages and even into Python's ecosystem. Practical defenses surface, including avoiding pull_request_target usage, enabling security review skills, and deploying scanning tools from Snyk, Socket.dev, and Step Security. The host also highlights defensive defaults in pnpm, like minimum release age and blocking exotic subdeps, that can dramatically reduce risk, and suggests dev containers as a containment strategy. Overall, the video blends technical diagnosis with concrete mitigations and calls for stronger package manager safeguards: an essential watch for developers relying on npm, pnpm, and CI pipelines.

Key Takeaways

  • GitHub Actions caches can be poisoned via pull_request_target, enabling a malicious post-install script to steal npm publish tokens.
  • The Shai-Hulud worm spread across TanStack and other packages by abusing the pnpm store cache and a poisoned release workflow, not via stolen passwords alone.
  • Dead-man switches in the malware ping GitHub APIs to detect rotated tokens and can wipe the user's home directory if tokens are revoked.
  • Security tooling like Snyk, Socket.dev, and Step Security can detect and alert on compromised packages within minutes, reducing exposure time.
  • pnpm's defaults, minimum release age and blocking exotic subdependencies, significantly harden installations against supply-chain hacks; other managers offer similar but non-default protections.
  • Using dev containers can isolate builds and reduce the blast radius of a compromised script running on a user’s machine.
  • Wes emphasizes proactive defense and standardization of security practices across ecosystems to curb future worm‑style attacks.
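As an added example (not code from the episode, from TanStack, or from any of the scanners named above), here is a small Python checker for the workflow pattern the first two takeaways describe: a job reachable via `pull_request_target` that also populates a package-manager cache, checks out the PR head, or runs dependency install scripts. The sample workflow is constructed, and the line-based parsing is a heuristic rather than a full YAML parser.

```python
"""Heuristic scanner for the CI pattern in the takeaways: a workflow that runs on
pull_request_target (base-branch context, write-capable token, base-branch cache
scope) while also touching a dependency cache, checking out the PR head, or
running install scripts from the PR. Line-based on purpose; a real linter should
parse the YAML properly."""
import re
from dataclasses import dataclass

TRIGGER = "pull_request_target"
CACHE_STEP = re.compile(r"uses:\s*actions/cache|^\s*cache:\s*(?:pnpm|npm|yarn)\b")
PR_HEAD_REF = re.compile(r"ref:.*(?:github\.event\.pull_request\.head|github\.head_ref)")
INSTALL_CMD = re.compile(r"run:.*\b(?:pnpm|npm|yarn)\s+(?:install|ci)\b|run_install:\s*true")


@dataclass
class Finding:
    rule: str
    line: int
    text: str


def trigger_block(text: str) -> str:
    """Return the raw text of the top-level `on:` value, inline or nested."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"""^(?:on|"on"|'on'):\s*(.*)$""", line)
        if not m:
            continue
        block = [m.group(1)]
        for nxt in lines[i + 1:]:
            if nxt.strip() and not nxt.startswith((" ", "\t", "#")):
                break  # next top-level key closes the mapping
            block.append(nxt)
        return "\n".join(block)
    return ""


def scan_workflow(text: str) -> list:
    """Report risky steps only when the workflow is reachable by pull_request_target;
    the same steps under plain pull_request run with a read-only token and a cache
    scope that trusted branch workflows never read."""
    findings = []
    if not re.search(rf"\b{TRIGGER}\b", trigger_block(text)):
        return findings
    for n, line in enumerate(text.splitlines(), 1):
        if CACHE_STEP.search(line):
            findings.append(Finding("cache-write-under-pull_request_target", n, line.strip()))
        if PR_HEAD_REF.search(line):
            findings.append(Finding("pr-head-checkout-under-pull_request_target", n, line.strip()))
        if INSTALL_CMD.search(line) and "--ignore-scripts" not in line:
            findings.append(Finding("install-scripts-under-pull_request_target", n, line.strip()))
    return findings


# Constructed sample (not TanStack's real workflow): a bundle-size check on forks.
WEAK_WORKFLOW = """\
name: bundle-size
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  size:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: pnpm/action-setup@v4
        with:
          run_install: true
      - uses: actions/setup-node@v4
        with:
          cache: pnpm
"""
# Same steps on the ordinary pull_request event: no write token, isolated cache scope.
HARDENED_WORKFLOW = WEAK_WORKFLOW.replace("pull_request_target", "pull_request")

if __name__ == "__main__":
    for f in scan_workflow(WEAK_WORKFLOW):
        print(f"line {f.line}: {f.rule}: {f.text}")
    print("hardened findings:", scan_workflow(HARDENED_WORKFLOW))
```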

Who Is This For?

Essential viewing for JavaScript and Python developers who publish or depend on packages, and for teams relying on CI workflows. It's especially valuable for those using TanStack, pnpm, npm, and GitHub Actions to understand attack surfaces and practical mitigations.

Notable Quotes

"TanStack got tan-hacked. Vercel got their walled garden penetrated. After stealing content for years, Udemy got their content stolen."
Opening summary of notable targets affected by the broader attack wave.
"What happened here is they took advantage of the fact that these GitHub Actions have a shared cache."
Explains the core vulnerability: shared caches in PR workflows enabling code poisoning.
"The dead man switch is ruthless... if you revoked your GitHub token, it would rm -rf your home directory."
Describes the malware’s coercive mechanism to punish token revocation.
"This was not somebody getting credentials stolen at all. It was simply just somebody using the fact that you could pull request target as a potential target."
Highlights that the attack leveraged CI workflow design rather than brute‑force credential theft.
"pnpm can block exotic subdeps by default, and only packages 24 hours old can be installed—these defaults save you."
Notes concrete, actionable defenses available in package managers.

Questions This Video Answers

  • How did the Shai-Hulud attack propagate through npm and PyPI packages so quickly?
  • What exactly is a pull request target in GitHub Actions, and why is it risky for CI pipelines?
  • Which security tools can automatically detect compromised npm packages in real time?
  • What defensive defaults do pnpm and other package managers offer to prevent supply-chain attacks?
  • What steps should a developer take today to secure their CI/CD environment after a breach like this?
Tags: Supply chain attack, Shai-Hulud, GitHub Actions, pnpm, npm, CI/CD security, Post install scripts, Token exfiltration, Dead man switch, Security tooling (Snyk, Socket.dev, Step Security)
Full Transcript
TanStack got tan-hacked. Vercel got their walled garden penetrated. After stealing content for years, Udemy got their content stolen. Lovable, they got their vibes snatched. And now npm and PyPI have been hit with a major supply chain attack targeting several popular JavaScript and Python packages. This is Shia LaBeouf. I mean, Shai-Hulud, which is the latest worm in a series of Shai-Hulud worms. The original Shai-Hulud worm showed up back in September 2025, which feels like a century ago at this point, where malicious versions of multiple popular packages were published to npm. They contained a post-install script that harvested sensitive data and sent it to public GitHub repos named Shai-Hulud. So that's why we have the name Shai-Hulud here. I also think that's a Star Wars thing. Shai-Hulud. That's a sick hardcore band. If you're into hardcore music, look up Shai-Hulud. Sick band. It's actually from the movie Dune, by the way, in case you were wondering. We're just going to run through pissing off people here. The new Shai-Hulud 2.0 dropped in November 2025, and PostHog got their hog posted, and Zapier got zapped, and Postman also got their hog posted with the new Shai-Hulud. And then it struck again, Shai-Hulud 3.0, in December of 2025. And now, I don't know why they don't call this one Shai-Hulud 4.0. You know, but this is Mini-Hulud. Yes, this is Mini Shai. Yes, right. It is mini. It's a little mini worm. Wes, Shai-Hulud is a worm in Dune, just in case you want to get the reference if you've never seen the Dune movie, which I assume. This is insane. We're going to go through what happened, how it happened, what it did, and how you can protect yourself. But, man, I'm tired. This seems to be happening every single day, and how it happened is actually nuts.
So what happened: the publishing sequence of TanStack, all of the TanStack packages, along with several other packages in the ecosystem, were compromised, and they were able to publish a new update of the package that then had a post-install script in it, and then that went in and harvested credentials. But how it actually happened: this was not like some maintainer got their password stolen, or something was run on their computer and it lifted credentials. How it actually happened was absolutely nuts. So what happened was, GitHub Actions have caches, and when you send in a pull request to a repo, that repo may have several GitHub Actions that are in there. So in the case of TanStack, they had ones that would check the bundle size, make sure you're not accidentally sending in a pull request that's making the bundle size much bigger. And then there were other ones that would check speed. You know, there are often things that will simply just run every single time that someone sends in a pull request. Then there are other ones that are a little bit more elevated, where you don't actually want to, for example, if someone were to pull request against the Syntax website, we would have to approve that before it actually did a pull request deployment, because they could be sending in code that would do malicious stuff. But what happened here is they took advantage of the fact that these GitHub Actions have a shared cache. And I guess when you're making a GitHub Action, there is a pull request, you can either have a pull request hook or a pull_request_target. And when you use pull_request_target, they then have a shared cache between other ones. And this took advantage of that by poisoning the pnpm store directory. So it built a brand new thing, and then it took its malicious code and injected it into the pnpm store,
in a place where, when something legitimate was merged, the sort of elevated release.yml workflow would run it, and it would know to actually look up this thing and run it. So they poisoned the pnpm store cache, and then it turns out they just deleted all the code and then closed the repo, but that pnpm store cache was still poisoned. Then, when a legitimate thing was merged, the release GitHub Action was run and it looked it up. It had the poisoned cache, and it ran this script that was in there. That then failed. However, in the cleanup code of it failing, it was able to capture what's an OIDC token, essentially just like a JSON web token for npm. And that was how they were able to then capture a legitimate npm publish token that can then be used to publish anything. Once you have that, you can go ahead and publish more compromised software straight to npm, which is nuts. Like, I'll say this again, this was not somebody getting any of their credentials stolen at all. It was simply just somebody using the fact that they realized pull_request_target was a potential target, right? Yeah. Yeah. And this has been a known thing. I mean, this is something that, again, the original Shai-Hulud did as well, I believe. So this is not a new attack surface. And I know that the Sentry folks have security review AI skills, and I'll link to those below, but in their security review AI skill that's been there, it says do not use this particular pull_request_target. I actually did a quick search on all my repos, because I've vibe-coded enough GitHub Actions, because I sincerely hate writing GitHub Actions, that I was like, maybe I do have this somewhere, but I don't, luckily. Man, and the crazy thing about this is it was a worm.
So once one of them was compromised, it was able to self-propagate and publish through other packages, and then it sort of just ate its way through the ecosystem, and it eventually got its way into the Python package management system as well, which is absolutely nuts to see. Yeah. And again, you know, we're talking about TanStack here. This has hit a lot of packages this morning. And this is just at the time of recording; a ton, not only just TanStack, there's a ton of UiPath packages, which I had never heard of UiPath before, but they have a lot of packages and they got hit. Other popular packages are, shoot, what was the one that I was... Oh, Mistral. Mistral. I always call it Mistrial. I don't know why. Mistral got hit, Semox agent MCP. There's just a number of different packages that got hit. So this is not just are you using TanStack or not. And I would imagine by the time all is said and done here, there will be even more. One interesting thing about the worm is that it tried to inject itself into other places that would auto-run. So at the end of the day, once this thing was published, once the end user would then install it, it would have a post-install script that it would install from a different location, and then it would run some stuff and try to harvest credentials. So it was looking... sorry, I'm really blown out on my camera here. It would try to harvest different credentials from AWS and just looking for stuff on your computer. I'm sure that there was some end game here. Probably half "we need more compute to run our hacks on" and then half "we're actually looking for compromised information." But one thing it did do is it stuck stuff into other places that will automatically run code.
So it stuck it into the Claude settings JSON and the VS Code tasks.json, which, when you fire up Claude or fire up VS Code, will automatically execute. Yeah. I mean, this is how worms operate, right? They move from place to place. They dig themselves... But another crazy thing is that the hackers installed a dead man switch. So if you did end up installing this thing on your computer, it would constantly ping out to the GitHub API to see if your GitHub token had been rotated or if you had revoked your GitHub token. And if you had revoked your GitHub token, it would run rm -rf on your home directory. Yeah. That stuff is freaky, because I feel like there are just so many people who would not even know that this was on their machine. Maybe it's on their machine. They run it, and then goodbye to your life there. Man, that is... yeah, it's a scary thing to think about, and that dead man switch is ruthless, is what it is. Have backups, folks. Have backups. Let's talk about how you actually protect yourself. So to stop this thing from happening to you, I think partially on the maintainer side, obviously don't use that pull_request_target in your GitHub Action, right? I feel for all the folks that work on TanStack, because they have done so much to make sure that they were secure. And it wasn't even that somebody's computer was hacked. It was simply just this poisoning of a shared cache, which is nuts to think about. But from a user point of view, you know, how do you... Well, let's stick on the maintainer for just a second. So obviously don't use that. There is a set of security review skills from the Sentry team that are really worth checking out. I also use those in my S stack skill tree. So if you're using AI, the security reviewer skill can definitely help if you are using AI for stuff.
There's also a GitHub Actions scanner made by Snyk Labs, who does a lot of... Snyk Labs. I don't know how to pronounce anything today. I just say S-N-Y-K. That's not a word to me. That's a fake word. Snyk, from Snyk Labs. This will scan your GitHub Actions for security issues, and they do great work over there. So that's an awesome thing to have in your toolbox. There are kind of three big companies in this space right now. There's Snyk security, there's Socket.dev, which we've had on the podcast, and then there's also the folks that did actually sort of release the thing, Step Security. So I saw Socket basically scans every single npm package that has ever been published, and then they have... we talked to him about how he does it, right? They have a whole bunch of stuff that they look for, common things. They look for obfuscated code. They have a whole list of things to actually look for. And their system was able to detect it within six minutes, he said, which is great. And you have to wonder, why is npm not doing this? You know, I think something's got to change in this. This was not really an npm issue, but also it's such a big ecosystem. Absolutely everything uses npm these days, and it's such a huge target that they're obviously going to be targeted by these hackers. So I really think npm needs to step up here and implement some bigger things, because what they have, like two-factor authentication now every time you want to publish something, that seems to be the only thing they've done in the last little while. I'm sure they've done more, but they really need to be doing something like what Step Security or Socket is doing. Yeah.
From a user, though, as a consumer of npm packages, and let me tell you, open up wide, because you're getting gigabytes of npm packages on your machine, what can we do to help ourselves here? I think one of the things that people have been kind of going around and talking about is the minimum release age settings. I use pnpm instead of npm as my package manager, and pnpm has this on by default. So if you are a pnpm user, by default in the latest version, only packages that are 24 hours old can be installed. So that's one thing. pnpm actually also blocks scripts from running by default. There's a very annoying thing that pops up and you have to approve the scripts. Well, this is why you have to approve the scripts from running. It's there to save you. So pnpm can feel obnoxious at first, but again, that is saving your ass. And also, pnpm isn't the only package manager with this minimum release age setting. All of them have it, but they don't have it on by default. So Yarn has it with npm minimal age gate, minimum release age in Bun, and min release age in .npmrc. Can we just... these aren't... we got hyphenated case here, we got camel case, we got all four different... can we just agree on a property name for this setting? Like, who decided that npm minimal age gate was a good property name for that setting? That's ridiculous. Let's just all standardize on the minimum release date. pnpm also has another setting which is turned on in version 11, which is relatively new. So if you're using an older version of pnpm, which I think a lot of people probably are, it's called block exotic subdeps, which sounds kind of nice. But essentially, with your package.json, you obviously can link to npm packages and you say, "Okay, I want lodash version 8," right? But that's not the only way to say where these packages come from.
You can also link to specific git commits. You can link to simply just external tarballs, and that's what was happening here, where when you installed it, it simply was linking to a dependency that lived on GitHub. So even if this malicious code was not actually published to npm, it was just linking off to a git repo somewhere, and then when you npm install, it just goes and downloads that code from the actual resource. So this block exotic subdeps, when it's turned on, will not allow you to have those things that are not inside your root package.json. Like, that's often the thing, is that eight levels deep of your package.json there's some tiny little dependency that half the world is dependent on; that thing gets compromised, and then all the way up the package chain everything is compromised. So that's another little step, and I think pnpm is doing a great thing for the community here by just turning these things on by default. Yeah, it kind of feels like they're the only ones who care enough to turn those things on by default. Yeah. I don't know. I think also npm has so many users that I'm sure they say, well, if we turn this on it's going to break so many things. I'm sure they have hundreds of times the traffic and 100 times the users, and pnpm is used mostly by highly technical users, but you have to think npm is used in Home Assistant and in everyone's vibe-coded apps. I'm sure half the people using npm have no idea what npm... And I'm sure if they flip any of these switches, it will just break a certain subset of people's apps. Yeah, I mean, I hear you on that, but you have to wonder if these types of hacks are specifically targeting vibe coders who just tell their agent to do whatever. Their agent installs a whole ton of stuff, and then they are none the wiser.
I think it's targeting anyone they can get access to, right? Like, I think it's targeting anyone they can get access to. But in the same regard, I feel like these things are way more likely to succeed with systems that are just installing things without... Oh, yeah. ...the user really knowing what they're bringing into their... Well, I don't know. Like, would this have got me? If I npm installed something, if I npm'd TanStack at the wrong time yesterday, it probably would have got me. Oh yeah. You know, totally. And I think I was just lucky that I didn't install something, and you have this pnpm stuff installed in there, but sometimes you npm install something, or sometimes you have an agent rip on a script and it uses npm. So I think I certainly could have got got by this type of thing. I think anybody could get got, for sure. Yeah, I'm just wondering if the susceptibility is higher, the hit rate is higher. Definitely. And they're probably looking for people inside of organizations that are vibe-coding apps to get their work done, you know, like somebody that works at the power plant just whipped up a script to reply to their emails, and then bam, now they're in. You got to think they're probably looking for something deeper, and/or they're looking for compute so they can do more stuff. Yeah. And another thing you can do here, folks, is you can start using dev containers. CJ made a really great video called "You Should Be Using Dev Containers" explaining how to get set up with dev containers. That could help with the sandbox nature of this all, right? If this script had access to remove your home directory, if it's inside of a container, you're a bit safer there.
So dev containers are certainly something that can at least protect your home system, because again, we've talked about this before, but it's wild that so many of us are just YOLO running. You know, you install npm and all of a sudden a bunch of stuff's being run on your computer and you probably don't know it. Like, when you think about it, that's crazy. That's crazy that anybody would agree to that. If you were given a prompt, it's like... I don't know. Reminds me of Little Snitch. Remember Little Snitch? That's the thing, is that there's got to be some middle ground between "I don't want to have to approve every little thing." Little Snitch is annoying. But Little Snitch, for people who don't know, is software that scanned your network and tried to approve or deny every network request coming out of your machine. It was really super useful when you were absolutely not pirating Adobe Photoshop. And Deno does this. Deno requests you approve every single outgoing network connection and file system access, and the reality is that people don't use that because it's annoying, and they just want to let it rip, and everybody turns on Claude's dangerously skip permissions, you know, or they use something that doesn't even have a security model. So there's got to be some sort of something. And I honestly think that the solution to this is going to be that the model actually will be able to detect what is possibly malicious and what is totally fine to run. But I think before we get there, we're going to have a lot more of these hacks. Yeah. What is that? Mythos, the Anthropic model. You know what's funny? I did see a report today, you know, that Mythos that was supposedly this... and I'm not saying that Mythos isn't going to be game-changing in this regard. I sincerely do not know.
But I did see that the curl folks were like, "Yeah, Mythos found one security issue, but it also made up like three of them." So we weren't super impressed. So, I don't know. curl, though. That's a pretty hardened low-level tool. And for it to find one thing in such a big thing, that's pretty impressive. Listen, I don't have any... who knows, it could be just drama that they're trying to spread, you know? Like, I don't believe much of what a lot of these people say until you actually see it. But in the same breath, I'll say I'm very impressed at everything that has happened in the last six months. All right. Yes. Yeah. Well, when do you think the next hack is going to be? I'm tired. I'm tired. I don't want any more. One other thing is that Socket has a CLI where you can do socket npm install, and it just kind of sits in front of your npm command, and that will sort of hook into this type of thing, because if Socket finds it but they haven't ripped it out of npm yet, then you're still going to get got. So honestly, I don't use this myself. I probably should be, now that I'm looking at it. Yeah, I think that's the name of the game, is I don't use this or do this myself, but I probably should be. Here's something that you might not be using, but you definitely should be, is Sentry at sentry.io. Sentry is awesome for finding bugs, issues, errors, rage clicks, slow parts of your apps. It's really an essential toolkit for you to understand what the heck is going on in your application, whether that is with logs, errors, performance, any of that stuff. It even allows you to monitor things like your agents, so that way you can make sure your spend is under control with how you're using agents. And Sentry just gets new features all the time. So check it out at sentry.io. Beautiful. All right. Thanks for tuning in. Peace. Sorry.
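The two package-manager defaults the transcript dwells on, a minimum release age gate and a block on exotic (git/tarball) subdependencies, modelled in Python as an added example that is not pnpm's or any other package manager's own code. The registry `time` map and the dependency tree below are constructed, the package names are placeholders, and the 24-hour threshold is the pnpm default the host quotes.

```python
"""Offline model of the package-manager defaults the episode describes: a
minimum release age gate, blocking 'exotic' (git/tarball) specifiers anywhere
below the root package.json, and flagging lifecycle install scripts.
Everything below is constructed; the package names are placeholders."""
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_RELEASE_AGE = timedelta(hours=24)  # the pnpm default quoted in the episode
EXOTIC_PREFIXES = ("git+", "git://", "github:", "http://", "https://", "file:")
LIFECYCLE = ("preinstall", "install", "postinstall")


def at(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Convenience constructor for an aware UTC 'now'."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def parse_time(stamp: str) -> datetime:
    """Registry timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def is_exotic(spec: str) -> bool:
    """True for specifiers that fetch code from outside the registry."""
    s = spec.strip()
    if s.startswith(EXOTIC_PREFIXES):
        return True
    # bare "owner/repo" is GitHub shorthand; "npm:" aliases and scoped ranges are not
    return "/" in s and not s.startswith(("npm:", "@"))


def newest_allowed(time_map: dict, now: datetime) -> Optional[str]:
    """Newest published version that is at least MIN_RELEASE_AGE old, or None.
    Publish order stands in for semver ordering in this simplified model."""
    eligible = [(parse_time(t), v) for v, t in time_map.items()
                if v not in ("created", "modified")
                and now - parse_time(t) >= MIN_RELEASE_AGE]
    return max(eligible)[1] if eligible else None


def audit(node: dict, depth: int = 0, path: str = "") -> list:
    """Walk a constructed dependency tree. Exotic specs are tolerated only at the
    root (depth 0), mirroring a block-exotic-subdeps policy; install scripts are
    reported at every level so the reader can decide what to approve."""
    findings = []
    for name, info in node.get("dependencies", {}).items():
        here = f"{path}>{name}" if path else name
        if depth > 0 and is_exotic(info["spec"]):
            findings.append(f"exotic subdep: {here} -> {info['spec']}")
        for hook in LIFECYCLE:
            if hook in info.get("scripts", {}):
                findings.append(f"{hook} script: {here}")
        findings += audit(info, depth + 1, here)
    return findings


# Constructed packument `time` map: 8.0.1 was published a few hours before "now".
TIME_MAP = {"created": "2026-04-01T00:00:00Z",
            "8.0.0": "2026-04-01T00:00:00Z",
            "8.0.1": "2026-05-13T09:15:00Z",
            "modified": "2026-05-13T09:15:00Z"}

# Constructed install tree: a normal top-level dep whose subdep is a bare tarball
# URL with a postinstall hook, the shape the episode describes.
TREE = {"dependencies": {
    "example-lib": {"spec": "^8.0.0", "dependencies": {
        "tiny-helper": {"spec": "https://example.invalid/tiny-helper.tgz",
                        "scripts": {"postinstall": "node setup.js"}}}}}}

if __name__ == "__main__":
    now = at(2026, 5, 13, 12)
    print("install:", newest_allowed(TIME_MAP, now))  # 8.0.0; 8.0.1 is too fresh
    for line in audit(TREE):
        print(line)
```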
