A new Shai-Hulud campaign poisoned 172 npm and PyPI packages, including ones shipped with valid SLSA Level 3 provenance. Installing or even importing a poisoned package can trigger credential harvesting, persistence in Claude Code and VS Code, and scraping of CI runner memory. Revoking tokens too soon may cause a destructive daemon to wipe a home directory. A six-gap CI/CD audit is urged, especially of OIDC scope and AI agent configs.