Sonatype reports that a new Shai-Hulud/Miasma wave compromised 281 npm package versions, using install-time payloads to steal developer and CI/CD credentials, publish malicious versions through trusted maintainer channels, and create new risks for AI-assisted development workflows.
New Shai-Hulud Miasma Wave Hits Hundreds of npm Packages
Source: Sonatype