Sep–Nov 2025 · npm
Shai-Hulud
A self-replicating worm tore through the npm ecosystem: it stole publish tokens, then republished itself into every package they could reach. 1,000+ packages hijacked, ~25,000 GitHub repos exposed — the first proof open-source malware can spread on its own.
StepSecurity · Wiz · Sonatype 2026