Supply-chain campaign
Shai-Hulud npm worm
What happened
Self-propagating worm that compromised 100+ npm packages starting in mid-September 2024. The initial vector was a credential-stealing payload in `ctrl`, `tinycolor`, and several `ngx-bootstrap` packages: the stealer exfiltrated maintainer npm tokens, and the worm then used those tokens to publish trojanized versions of every package the affected maintainers controlled. Several CrowdStrike packages and other security-vendor-adjacent packages were affected. The campaign name comes from a string in the worm payload referencing Dune's giant sandworms. Affected developers should treat any machine that installed an affected version during the campaign window as fully compromised: rotate npm tokens, GitHub PATs, AWS credentials, and any other secrets stored on disk.
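A lockfile scanner for the triage step above, added here as an example and not part of the original write-up: it lists which installed packages match an advisory of trojanized versions. The package names in `ADVISORY` come from the text, but the version strings and the sample lockfile are constructed placeholders to be replaced with the real published list.

```python
# Added example: scan a package-lock.json for packages named in a
# Shai-Hulud advisory. ADVISORY is a placeholder built from the package
# names in the write-up; the version strings are invented, so replace
# them with your vendor's published list of trojanized versions.
import json

ADVISORY = {
    "ctrl": {"0.0.0-placeholder"},
    "tinycolor": {"0.0.0-placeholder"},
    "ngx-bootstrap": {"0.0.0-placeholder"},
}

def installed_packages(lock):
    """Yield (name, version) for every package in a package-lock.json.
    Handles lockfileVersion 2/3 ("packages" keyed by node_modules path,
    including scoped and nested entries) and the older nested v1 layout."""
    for path, meta in lock.get("packages", {}).items():
        if path:  # "" is the root project entry, not a dependency
            yield path.rsplit("node_modules/", 1)[-1], meta.get("version", "")
    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}))
    if "packages" not in lock:
        yield from walk(lock.get("dependencies", {}))

def scan(lock):
    """Return (hits, review): exact advisory matches, plus advisory-named
    packages installed at some other version that deserve a manual look."""
    hits, review = [], []
    for name, version in installed_packages(lock):
        bad = ADVISORY.get(name)
        if bad is not None:
            (hits if version in bad else review).append((name, version))
    return sorted(set(hits)), sorted(set(review))

def scan_file(path):
    with open(path, encoding="utf-8") as fh:
        return scan(json.load(fh))

# Constructed sample lockfile (v3 layout) so the demo runs offline.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/tinycolor": {"version": "0.0.0-placeholder"},
        "node_modules/ngx-bootstrap": {"version": "1.2.3"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}
```

Run `scan_file("package-lock.json")` in each project checkout; anything in `hits` means the machine falls under the rotate-everything guidance above, and `review` entries need the version checked against the advisory by hand.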