After a prolonged silence, the npm registry administration finally stepped into the situation surrounding the massive supply-chain attack and urgently revoked granular access tokens with write permissions that allowed attackers to bypass two-factor authentication.
These measures were introduced to suppress the fifth wave of the self-replicating “Mini Shai-Hulud” worm targeting Web3 developers, while the platform itself was forced to issue an emergency directive urging users to rotate secrets immediately and migrate to the Trusted Publishing mechanism.
Interestingly, npm’s official response triggered harsh criticism from cybersecurity industry leaders, who argue that the platform is treating symptoms instead of addressing the systemic infection itself.
Too little, too late?
MetaMask lead security researcher Taylor Monahan sarcastically commented on the platform’s actions, noting that the delayed response solves nothing and merely serves as official confirmation of the critical scale of the infrastructure crisis.
Security researcher Moshe Siman Tov Bustan also mocked the registry’s technical approach, pointing out that attempting to stop malware propagation by simply blocking access instead of properly analyzing the malware is fundamentally ineffective.
hey look who decided to finally wake up and do……….something. https://t.co/E2GTHA033s
— Tay 💖 (@tayvano_) May 20, 2026
The core criticism from researchers is that revoking tokens may prevent the publication of new malicious versions, but it is useless for developers whose AI assistants have already been infected. The “Mini Shai-Hulud” worm embeds itself deeply into IDE configurations, continuing to silently steal private keys even after access is blocked on the npm registry side.
For those who missed what this is actually about, the worm adapts itself to the habits of modern developers and turns their own tools against them.
- AI in service of hackers: Once inside a machine, the malware does not simply steal data. It quietly embeds itself into the configuration of AI assistants and the IDE itself.
- Immortal code: Every time an AI agent is launched, a hidden Bun-based script is triggered. Developers can repeatedly wipe projects and delete node_modules, but the worm will continue reinfecting the environment every time the AI assistant is queried.
- Invisible espionage: The worm steals everything valuable, from AWS cloud credentials to crypto wallet seed phrases. The stolen data is encrypted and exfiltrated through GitHub’s official API. For security systems, the traffic appears indistinguishable from normal developer commits.
The current wave reached its peak after attackers compromised the legitimate npm account “atool”. In just 27 minutes, an automated script published 637 malicious versions across 323 unique packages, collectively reaching an estimated 16 million weekly downloads.