Long-form analyses of supply-chain attacks, infrastructure, and the defenses that hold. By the engineers at Happyberg Labs.https://happyberg.com/en-ushttps://happyberg.com/blog/tanstack-mini-shai-hulud/https://happyberg.com/blog/tanstack-mini-shai-hulud/On May 11, 2026, malicious npm artifacts were signed by TanStack's legitimate OIDC pipeline. Sigstore verified them. Provenance-only checks would have accepted them. Release-age cooldowns cover a different failure mode.Wed, 13 May 2026 00:00:00 GMTsupply-chainnpmshai-huludtanstackprovenancerelease-agehttps://happyberg.com/blog/bitwarden-cli-93-minutes/https://happyberg.com/blog/bitwarden-cli-93-minutes/Between 5:57 and 7:30 PM ET on April 22, 2026, the npm tarball for @bitwarden/cli@2026.4.0 was a credential harvester. Bitwarden contained it inside two hours. Any fresh install during that window should be treated as exposed.Sat, 25 Apr 2026 00:00:00 GMTsupply-chainnpmbitwardencheckmarx-campaigncredential-harvesterhttps://happyberg.com/blog/pgserve-cross-registry-worm/https://happyberg.com/blog/pgserve-cross-registry-worm/On April 21, 2026, a self-propagating worm landed on npm as pgserve and then pushed malicious packages to PyPI. One install in one ecosystem became publish access in another.Fri, 24 Apr 2026 00:00:00 GMTsupply-chainnpmpypipgservewormcross-registryhttps://happyberg.com/blog/asurion-impersonation-campaign/https://happyberg.com/blog/asurion-impersonation-campaign/Between April 1 and April 8, 2026, a campaign pushed four npm packages impersonating Asurion and its subsidiaries. The packages later turned into credential harvesters. The patient part is the lesson.Fri, 10 Apr 2026 00:00:00 GMTsupply-chainnpmasuriontyposquatimpersonationcredential-harvesterhttps://happyberg.com/blog/axios-3-hours-on-npm/https://happyberg.com/blog/axios-3-hours-on-npm/On March 31, 2026, axios@1.14.1 shipped with a cross-platform RAT injected through a hijacked maintainer account. The malicious version was live for roughly three hours before npm pulled it. axios is in around 100 million installs per week. Three hours was enough.Fri, 03 Apr 2026 00:00:00 GMTsupply-chainnpmaxiosratmaintainer-compromisehttps://happyberg.com/blog/shai-hulud-2-zapier-posthog-postman/https://happyberg.com/blog/shai-hulud-2-zapier-posthog-postman/Three months after the original Shai-Hulud npm worm, a new wave hit in November 2025. It runs earlier in the install lifecycle, harvests more credentials, and produced over 25,000 malicious GitHub repositories. Zapier, PostHog, and Postman were among the named victims.Fri, 12 Dec 2025 00:00:00 GMTsupply-chainnpmshai-huludcredentialswormzapierposthogpostmanhttps://happyberg.com/blog/shai-hulud-the-self-replicating-npm-worm/https://happyberg.com/blog/shai-hulud-the-self-replicating-npm-worm/On September 15, 2025, a self-replicating worm appeared on npm. It stole credentials, used them to publish more malicious packages, and named its exfiltration repos after the sandworms from Dune.Thu, 18 Sep 2025 00:00:00 GMTsupply-chainnpmshai-huludcredentialsworm