When the AI Deals You a Marked Deck: Vibe Coding's npm Supply Chain Problem

The npm ecosystem absorbed four major supply-chain waves between September 2025 and May 2026. Vibe coding amplifies the blast radius. Here's the technical breakdown.


TL;DR

  • The npm ecosystem absorbed several major supply-chain waves between September 2025 and May 2026, including multiple self-propagating Shai-Hulud variants that collectively compromised well over 1,000 npm packages (counts vary by source and method)
  • Vibe coding amplifies the blast radius: AI assistants can pull dependencies developers never meaningfully review, including packages that don't exist until attackers register them
  • "Slopsquatting" exploits AI package hallucinations — research found ~20% of LLM-suggested packages were fictional, and a large share of hallucinated names were repeatable under identical prompts
  • Shai-Hulud variants commonly abused npm lifecycle hooks like preinstall/postinstall, but later waves also abused CI/CD release workflows and OIDC-based trusted publishing
  • Defenders need lockfiles, provenance checks, version cooldowns, and manual review of any AI-suggested dependency — speed is now a liability

Every poker player knows the moment: you're holding pocket aces, you push all-in, and the river card hands the pot to someone who shouldn't have been in the hand. That's a bad beat. In software supply chains right now, AI-assisted developers are getting bad-beat at scale — and the dealer is the AI assistant they trusted to play the hand for them.

Between September 2025 and May 2026, the npm registry experienced a sequence of major supply-chain attacks. Shai-Hulud-linked waves collectively compromised well over 1,000 npm packages, depending on source and counting method [1][2][3]. None of these attacks required a zero-day. They exploited a much older vulnerability: many developers no longer meaningfully review what they install. The rise of AI-assisted rapid development ("vibe coding") — Karpathy's term for prompting an LLM, accepting the output, and shipping without line-by-line review — turned that vulnerability into a goldmine [4].

This is the intersection where AI security and software supply chain security stop being separate disciplines.

Key Timeline: The 2025–2026 npm Supply Chain Attack Waves

| Date | Campaign | Scale | Technique |
|---|---|---|---|
| Aug 26, 2025 | s1ngularity (Nx) | 8+ Nx versions | GitHub Actions injection → stolen npm token; weaponized AI CLIs |
| Sep 8, 2025 | chalk/debug compromise | 18 packages, 2.6B weekly downloads | Phishing → maintainer takeover → browser crypto-clipper |
| Sep 15, 2025 | Shai-Hulud (wave 1) | 187–500+ packages | Self-propagating worm via lifecycle hooks; TruffleHog credential harvest |
| Nov 21–24, 2025 | Shai-Hulud 2.0 ("Second Coming") | ~600–800 packages; 25,000+ exfiltration repos | Bun runtime evasion; self-hosted GitHub Actions runners as C2; dead man's switch |
| May 11, 2026 | Mini Shai-Hulud / TanStack | 169–170+ npm packages + PyPI | OIDC token theft from runner memory; first valid SLSA provenance on malicious packages |

2025 Marked a Turning Point for npm Supply-Chain Worms

Before 2025, much of the npm threat model still looked nuisance-grade: typosquats, credential phishing, the occasional crypto-miner. Then late summer and fall 2025 changed the math — through three distinct campaigns, not one.

First, on August 26, 2025, the s1ngularity attack hit the Nx build platform — an early GitHub Actions compromise that set the template for what came next. Attackers exploited a GitHub Actions injection vulnerability to steal an npm publishing token and pushed malicious npm package versions of Nx and supporting plugins for roughly four hours [19]. The payload was notable for weaponizing local AI CLIs (Claude, Gemini, Q) to assist reconnaissance and exfiltration — likely one of the first documented cases of malware leveraging AI assistant CLIs this way [19].

Then on September 8, 2025, a separate phishing campaign compromised the maintainer behind chalk, debug, ansi-styles, and 15 other utility packages — dependencies that collectively serve 2.6 billion weekly downloads [5]. The payload was a browser-based crypto-clipper that swapped wallet addresses in flight [9]. Vercel identified 70 affected teams across 76 unique projects, purged build caches, and notified impacted customers [6]. This was a serious supply-chain compromise but is not itself a Shai-Hulud variant.

A week later, on September 15, 2025, the Shai-Hulud worm appeared — one of the first widely reported self-propagating npm malware campaigns [7]. After compromising a maintainer's machine, it:

  1. Ran during install hooks, often before normal review or CI validation completed
  2. Deployed TruffleHog to scan the host for secrets [1]
  3. Harvested GitHub Personal Access Tokens, npm tokens, and cloud service credentials
  4. Used those tokens to publish malicious versions of other packages the maintainer owned

CISA issued Alert AA25-266A directing organizations to rotate developer credentials and enforce phishing-resistant MFA across npm and GitHub [7]. Reported counts for the first wave ranged from roughly 187 to 500+ affected packages as investigations expanded [7][20].

The campaign continued evolving. In November 2025, Shai-Hulud 2.0 ("The Second Coming") hit packages from projects including Zapier, ENS Domains, PostHog, Postman, and AsyncAPI — with researchers reporting roughly 600–800 compromised packages and over 25,000 GitHub repositories created to exfiltrate stolen secrets [8][21]. Researchers reported the wave included a "dead man's switch" capable of wiping developer home directories under specific conditions [8]. Microsoft published detection and remediation guidance on December 9, 2025 [10]. On May 11, 2026, a Mini Shai-Hulud resurgence compromised 169–170+ npm packages and at least two PyPI packages, with counts still evolving — one of the first major coordinated supply-chain waves observed across both npm and PyPI simultaneously [10][22].

The TanStack compromise within that May 2026 wave deserves special attention as a case study in OIDC token theft and CI/CD pipeline abuse. Between 19:20 and 19:26 UTC on May 11, attackers published 84 malicious versions across 42 @tanstack/* packages [22][23][24]. According to TanStack's own postmortem and StepSecurity's analysis, the attack didn't rely on stolen maintainer credentials. Instead, attackers chained a pull_request_target "Pwn Request" pattern with GitHub Actions cache poisoning, then extracted an OIDC token from the runner process memory at /proc/<pid>/mem [23][24][25]. According to TanStack and StepSecurity, the malicious packages were published under TanStack's legitimate release identity and carry valid SLSA provenance attestations [22][23][24] — one of the clearest public examples of attackers abusing trusted publishing infrastructure to generate malicious packages with valid provenance.

These campaigns don't need fundamentally new exploitation techniques because the ecosystem keeps dealing them fresh attack paths.

Why Vibe Coding Is the Worm's Best Friend

Vibe coding's premise — describe intent in natural language, accept the AI's code, ship — collapses the review step that would catch a poisoned dependency. Three failure modes compound:

Unreviewed transitive dependencies. When Claude, Cursor, or Copilot adds import axios from 'axios' to your file, it's also implicitly adding everything axios depends on, at whatever version your resolver picks. AI assistants can introduce dependencies developers may not meaningfully review, especially in fast iteration workflows [11]. Across 5,600 vibe-coded applications studied by Autonoma, researchers identified over 2,000 vulnerabilities, 400+ exposed secrets, and 175 instances of exposed PII [12].

Loose version specifiers and dependency drift. AI-generated examples frequently use wildcards, latest tags, or open-ended ranges, so AI-generated projects need explicit dependency and lockfile policy checks; dependency drift is one of the supply-chain risks that pre-publish security gates like VibeGuard try to control [13]. That means when attackers publish a malicious update to a popular package, your next npm install may pull it.
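To make the drift problem concrete, here is an added example (not code from the article or from any tool it names) that audits a package.json for floating specifiers and cross-checks it against an npm v3 lockfile, reporting dependencies that are not pinned, not locked, or locked without an integrity hash. The package.json, the lockfile contents, and the package name ai-helper-utils are all constructed for the example.

```javascript
// Added example: classify dependency specifiers and verify the lockfile pins them.
// All input below is constructed; nothing here contacts the registry.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// How much freedom does this specifier give the resolver on a fresh install?
function classifySpecifier(spec) {
  const s = String(spec).trim();
  if (s === '' || s === '*' || s === 'x' || s === 'latest') return 'wildcard';
  if (/^(git\+|github:|https?:|file:|npm:|link:|workspace:)/.test(s)) return 'non-registry';
  if (EXACT.test(s)) return 'pinned';
  if (/^[\^~]/.test(s) || /^\d+(\.\d+)?$/.test(s) || /[<>=|\s]|\.x/.test(s)) return 'range';
  return 'tag'; // next, beta, canary, ...: follows whatever the publisher tags
}

// Cross-check package.json against the `packages` map of an npm lockfile v3.
function auditDependencies(pkg, lock) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    const kind = classifySpecifier(spec);
    const problems = [];
    if (kind === 'wildcard' || kind === 'tag') problems.push(`floating specifier "${spec}"`);
    if (kind === 'range') problems.push(`range specifier "${spec}" drifts on fresh installs`);
    const entry = lock && lock.packages ? lock.packages[`node_modules/${name}`] : undefined;
    if (!entry) {
      problems.push('not present in lockfile');
    } else {
      if (!entry.integrity) problems.push('lockfile entry has no integrity hash');
      if (!entry.resolved) problems.push('lockfile entry has no resolved URL');
      if (kind === 'pinned' && entry.version !== spec) {
        problems.push(`lockfile version ${entry.version} != pinned ${spec}`);
      }
    }
    if (problems.length) findings.push({ name, spec, kind, problems });
  }
  return findings;
}

// Constructed sample project: one clean pin, one range, two floating specs.
const SAMPLE_PKG = {
  name: 'storefront', version: '1.0.0',
  dependencies: { axios: '^1.6.0', chalk: '5.3.0', 'left-pad': '*', 'ai-helper-utils': 'latest' },
  devDependencies: { typescript: '~5.4.0' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/axios': { version: '1.6.8', resolved: 'https://registry.npmjs.org/axios/-/axios-1.6.8.tgz', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/chalk': { version: '5.3.0', resolved: 'https://registry.npmjs.org/chalk/-/chalk-5.3.0.tgz', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/left-pad': { version: '1.3.0', resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz' }, // no integrity
    // typescript and ai-helper-utils are absent: the lockfile was not updated
  },
};

function runAudit() {
  return auditDependencies(SAMPLE_PKG, SAMPLE_LOCK);
}

console.log(JSON.stringify(runAudit(), null, 2));
```

Wire `auditDependencies` into a pre-commit or CI check and fail the build on any finding; a pull request that adds a dependency without a matching lockfile entry then stops before it reaches `npm install`.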

Speed-over-trust culture. The whole appeal of vibe coding is bypassing the tedious parts. Dependency review is exactly the tedious part. As the Seattle Times' engineering team put it in their December 2025 pnpm postmortem: they weren't compromised by Shai-Hulud only because they happened not to run npm install during the attack window [3]. "Luck isn't a security strategy."

The Slopsquatting Cherry on Top

Here's where it gets ugly. In April 2025, PSF developer Seth Larson coined the term slopsquatting: attackers don't wait for typos — they wait for AI hallucinations [14].

Research from UTSA, Oklahoma, and Virginia Tech (USENIX Security 2025) tested 16 LLMs across 576,000 generated code samples. 19.7% of recommended packages didn't exist [15][16]. Open-source models like CodeLlama and DeepSeek hallucinated at around 21.7%; commercial models like GPT-4 still hit around 5.2%. The really nasty finding: when researchers re-ran prompts that triggered hallucinations, 43% of hallucinated package names reappeared consistently across repeated prompts [17]. That's not noise — it's a predictable attack list.

Attackers register the hallucinated names. The next developer accepts the AI's suggestion. Game over. As Trend Micro's June 2025 research documented, even agentic tools with real-time validation (Claude Code CLI, Codex CLI, Cursor with MCP) reduce but don't eliminate the problem [18].

How to Stop Donking Off Your Stack

You don't need to quit AI-assisted development. You need to stop letting the AI play your hand unsupervised. Practical controls:

Pin everything and use lockfiles. Commit package-lock.json or pnpm-lock.yaml. Reject pull requests that add dependencies without lockfile updates. Lockfiles reduce surprise upgrades, but they do not protect maintainers or fresh installs by themselves — they're a layer, not a fence.

Prefer provenance, detect trust downgrades. npm now supports package provenance via Sigstore. Use package-manager and CI policies to prefer provenance, detect trust downgrades, and block risky releases where tooling supports it [3]. The s1ngularity attack was published without provenance because attackers didn't have CI/CD access — Nx maintainers spotted the compromise partly because their malicious packages lacked NPM provenance signing [19]. That's a signal you can act on. Note, however, that the TanStack wave produced packages with valid provenance via OIDC token extraction [22][24] — provenance is a strong signal, not a guarantee.

Add a release cooldown in production CI environments. Refuse to install package versions younger than 24–72 hours. Most supply chain attacks are detected and pulled within that window. This may delay urgent security patches, so exceptions and allowlists are still needed. pnpm has built-in support; you can approximate it in npm with Renovate.

Block preinstall and postinstall scripts by default. Known Shai-Hulud variants commonly abused npm lifecycle hooks such as preinstall/postinstall, so disabling scripts by default in CI is a strong mitigation [1]. Use npm install --ignore-scripts and review scripts on an allow-list basis.
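The cooldown control above is easy to reason about once you see the selection rule. The following is an added example, not the article's code and not pnpm's or Renovate's implementation: given registry-style metadata (the `time` map of version to publish timestamp and `dist-tags`), it returns the newest version that is at least a minimum number of hours old, with an allowlist for the urgent-patch exceptions the text mentions. The package name example-ui-lib, its versions, and all timestamps are constructed; the shape of `time` and `dist-tags` follows the npm registry metadata format.

```javascript
// Added example: approximate a "minimum release age" cooldown over registry metadata.
// Compare two semver strings (prerelease sorts below the matching release).
function compareSemver(a, b) {
  const [ca, pa] = a.split('-');
  const [cb, pb] = b.split('-');
  const na = ca.split('.').map(Number);
  const nb = cb.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (na[i] !== nb[i]) return na[i] - nb[i];
  if (pa && !pb) return -1; // 2.0.0-beta.1 < 2.0.0
  if (!pa && pb) return 1;
  return (pa || '').localeCompare(pb || '');
}

// Pick the newest version published at least `minAgeHours` before `nowMs`,
// unless it is explicitly allowlisted (e.g. an urgent security patch).
function selectCooledVersion(meta, nowMs, minAgeHours, allowlist = []) {
  const cutoff = nowMs - minAgeHours * 3600 * 1000;
  const published = Object.entries(meta.time).filter(([v]) => v !== 'created' && v !== 'modified');
  const eligible = published
    .filter(([v, t]) => allowlist.includes(v) || Date.parse(t) <= cutoff)
    .map(([v]) => v)
    .sort(compareSemver);
  const latest = meta['dist-tags'] && meta['dist-tags'].latest;
  const chosen = eligible.length ? eligible[eligible.length - 1] : null;
  return {
    chosen,
    latest,
    latestHeld: latest != null && chosen !== latest, // true when "latest" is still in cooldown
    held: published.map(([v]) => v).filter(v => !eligible.includes(v)),
  };
}

// Constructed metadata: two releases published minutes apart on the day of an incident.
const SAMPLE_META = {
  name: 'example-ui-lib',
  'dist-tags': { latest: '2.2.0' },
  time: {
    created: '2024-01-10T09:00:00.000Z',
    modified: '2026-05-11T19:25:00.000Z',
    '2.0.0': '2025-11-02T10:00:00.000Z',
    '2.1.0': '2026-05-01T08:30:00.000Z',
    '2.1.1': '2026-05-11T19:20:00.000Z',
    '2.2.0': '2026-05-11T19:25:00.000Z',
  },
};
const NOW = Date.parse('2026-05-12T12:00:00.000Z'); // constructed "current time"

function demo() {
  return selectCooledVersion(SAMPLE_META, NOW, 72);
}

console.log(demo()); // chosen 2.1.0; 2.1.1 and 2.2.0 held for 72 hours
```

With a 72-hour window the two versions published on May 11 are held back and the build keeps 2.1.0; passing `['2.2.0']` as the allowlist lets a vetted release through early. The same rule is what pnpm's minimum-release-age setting (mentioned in the FAQ below) applies at install time.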

Run an SBOM tool. Generate SBOMs with Syft, CycloneDX, or SPDX on every build. If something gets in, you need to know what's in your supply chain by name and version [11].

Verify AI package suggestions before installing. When your AI assistant suggests a package, search the registry, check download counts, review the maintainer history, and confirm it isn't a recently registered name. Tools like Socket and Snyk Advisor surface this in seconds. Treat any AI-suggested install like an unknown player raising into your big blind — figure out who you're playing before you call.
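The checks in this step, and the slopsquatting risk described earlier, can be folded into one pre-install gate. What follows is an added example rather than the article's code or Socket's or Snyk's logic: it vets a suggested package name against a registry snapshot and a list of popular package names, returning `block` for names that do not exist (the hallucination case), `review` when the package is new, little used, single-maintainer, declares install scripts, or is a lookalike of a popular name, and `ok` otherwise. The snapshot, the download figures, and the names axois, fast-json-schema-utils and ai-utils-helper are constructed; a real gate would query the registry and a download-stats API for the same fields.

```javascript
// Added example: gate an AI-suggested package name before `npm install`.
// Edit distance, used to spot lookalikes of popular package names.
function levenshtein(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,
        dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
    }
  }
  return dp[a.length][b.length];
}

const DAY_MS = 86400000;

// registry: name -> { created, weeklyDownloads, maintainers, hasInstallScripts }
function vetSuggestion(name, registry, popular, nowMs) {
  const info = registry[name];
  if (!info) {
    return {
      name, verdict: 'block',
      reasons: ['not in registry: likely a hallucinated name, and an unclaimed name can be registered by anyone'],
    };
  }
  const reasons = [];
  const ageDays = (nowMs - Date.parse(info.created)) / DAY_MS;
  if (ageDays < 30) reasons.push(`registered ${Math.floor(ageDays)} days ago`);
  if (info.weeklyDownloads < 1000) reasons.push(`only ${info.weeklyDownloads} weekly downloads`);
  if (info.maintainers.length === 1 && ageDays < 365) reasons.push('single maintainer on a young package');
  if (info.hasInstallScripts) reasons.push('declares preinstall/postinstall scripts');
  if (!popular.includes(name)) {
    const near = popular.find(p => { const d = levenshtein(p, name); return d > 0 && d <= 2; });
    if (near) reasons.push(`name is within edit distance 2 of popular package "${near}"`);
  }
  return { name, verdict: reasons.length ? 'review' : 'ok', reasons };
}

// Constructed snapshot: one established package, one lookalike, one brand-new package.
const POPULAR = ['axios', 'chalk', 'debug', 'express', 'lodash', 'react'];
const SNAPSHOT = {
  axios: { created: '2014-08-29T00:00:00Z', weeklyDownloads: 50000000, maintainers: ['m1', 'm2'], hasInstallScripts: false },
  axois: { created: '2026-04-30T00:00:00Z', weeklyDownloads: 120, maintainers: ['x'], hasInstallScripts: true },
  'fast-json-schema-utils': { created: '2026-05-08T00:00:00Z', weeklyDownloads: 12, maintainers: ['y'], hasInstallScripts: false },
};
const NOW = Date.parse('2026-05-15T00:00:00Z'); // constructed "current time"

function vet(name) {
  return vetSuggestion(name, SNAPSHOT, POPULAR, NOW);
}

for (const n of ['axios', 'axois', 'fast-json-schema-utils', 'ai-utils-helper']) console.log(vet(n));
```

The thresholds (30 days, 1,000 weekly downloads, edit distance 2) are starting points, not calibrated values; the point is that every AI-suggested name passes through the gate before anything is installed, and that a `block` verdict on a non-existent name is the expected outcome for a hallucination rather than an error to work around.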

Rotate developer credentials and enforce phishing-resistant MFA. CISA's AA25-266A guidance is the floor, not the ceiling [7]. WebAuthn or hardware keys on GitHub and npm accounts would have neutered most of the maintainer-account compromises in this attack chain.

If you're building real defensive skills for this kind of threat model, both HackTheBox and TryHackMe have updated supply chain and CI/CD attack paths worth working through.

What This Means for E-commerce and Shopify/WooCommerce Agencies

If you're running a development agency that ships Shopify themes, custom WooCommerce plugins, or headless e-commerce frontends, this threat model lands harder than it does on most teams. Three reasons:

Heavy AI-assisted development. Agency workflows reward speed. AI-generated theme components, Liquid snippets, and React storefront code ship fast — which is exactly the workflow that skips dependency review.

Heavy npm exposure. A modern Shopify Hydrogen storefront, a Next.js headless WooCommerce frontend, or a custom checkout component pulls hundreds of transitive dependencies. The TanStack compromise hit @tanstack/react-router — a package used in many React-based e-commerce frontends. chalk and debug are in nearly every Node-based build pipeline you ship to a client.

CI/CD automation with limited governance. Agencies often run dozens of client deploy pipelines under shared GitHub organizations, with credentials reaching client Shopify Partner accounts, payment provider sandboxes, and live store admin tokens. One compromised preinstall script on one client project can exfiltrate credentials reaching every client you serve if credentials are shared or poorly segmented.

Practical agency-level controls: pin and lockfile every client repo, run SBOMs at the agency level (not per-project) so you can audit cross-client exposure quickly, set ignore-scripts=true as your default .npmrc policy, segment client credentials so one breach doesn't cascade, and treat AI-suggested dependencies as code review items every time. The cost of getting this wrong isn't just one site — it's your entire client book showing up in the same exfiltration repo.

Key Takeaways

  1. The npm ecosystem entered a high-consequence threat era in 2025 — Shai-Hulud appeared as one of the first widely reported self-propagating npm malware campaigns and spawned multiple named variants through May 2026.
  2. Vibe coding compounds supply chain risk by skipping the review step that would catch poisoned dependencies, loose version pins, and hallucinated package names.
  3. Slopsquatting is real, measurable, and predictable — ~20% of AI-generated package suggestions are hallucinations, and a large share repeat reliably under identical prompts.
  4. Lifecycle hooks aren't the whole story anymore — later waves like the TanStack compromise abused CI/CD release pipelines and OIDC trusted publishing, producing malicious packages with valid provenance.
  5. Lockfiles, provenance signals, cooldowns, and SBOMs are rapidly becoming baseline controls for modern JavaScript software supply chain security — and none of them alone are sufficient.

FAQ

Is it safe to use AI coding assistants at all right now?

Yes, but with controls. The risk isn't AI-generated code itself — it's accepting AI-suggested dependencies without verification. Treat every import statement the AI adds as a code review item, not a freebie.

How do I know if I was hit by Shai-Hulud?

Check for suspicious GitHub repositories containing exfiltrated secrets, unexpected package version bumps, new lifecycle scripts, unusual GitHub Actions activity, and outbound connections to known attacker infrastructure [10][7]. For the November 2025 wave specifically, multiple researchers documented that exfiltration repositories carry a fixed description marker — searching across your GitHub org for that marker has been a widely used detection technique [26][27].

What's the difference between typosquatting and slopsquatting?

Typosquatting bets on human typos (e.g. crossenv vs cross-env). Slopsquatting bets on AI hallucinations — package names that don't exist until an attacker registers them based on what LLMs predictably suggest [14][17].

Does provenance actually help?

Yes, but with caveats. Provenance reliably catches attacks where attackers can't reach legitimate CI/CD pipelines — like s1ngularity, where the malicious packages were detected partly because they lacked provenance signing [19]. But the TanStack wave demonstrated that attackers who can extract OIDC tokens from a legitimate pipeline can produce malicious packages with valid provenance attestations [22][24]. Provenance is a strong signal, not a guarantee.

Should I switch from npm to pnpm or yarn?

Switching package managers alone does not solve registry-level supply-chain risk — the malicious packages are in the registry, not the tool. pnpm offers useful security controls such as minimum release age and stricter config options, but the same defensive patterns can be applied with npm plus tooling like Renovate.

Sources

  1. Splunk — Defending Against npm Supply Chain Attacks: A Practical Guide to Detection, Emulation, and Analysis (splunk.com)
  2. Unit 42 / Palo Alto Networks — The npm Threat Landscape: Attack Surface and Mitigations (unit42.paloaltonetworks.com)
  3. pnpm — How We're Protecting Our Newsroom from npm Supply Chain Attacks (pnpm.io)
  4. Karpathy, A. — Original "vibe coding" post, X, February 6, 2025
  5. Palo Alto Networks — Breakdown: Widespread npm Supply Chain Attack (paloaltonetworks.com)
  6. Vercel — Critical npm Supply Chain Attack Response — September 8, 2025 (vercel.com)
  7. CISA — Alert AA25-266A: Widespread Supply Chain Compromise Impacting npm Ecosystem (cisa.gov)
  8. GitLab — GitLab Discovers Widespread npm Supply Chain Attack (about.gitlab.com)
  9. Trend Micro — What We Know About the NPM Supply Chain Attack (trendmicro.com)
  10. Microsoft Security — Shai-Hulud 2.0: Guidance for Detecting, Investigating, and Defending (microsoft.com)
  11. Checkmarx — Vibe Coding Security: Risks, Vulnerabilities, and Secure AI Coding (checkmarx.com)
  12. Autonoma — Vibe Coding Security Risks: Why 53% of AI Code Has Security Holes (getautonoma.com)
  13. Kusari — Vibe Coding Is Shipping Vulnerabilities (kusari.dev)
  14. Larson, S. — Slopsquatting (Python Software Foundation, April 2025)
  15. BleepingComputer — AI-Hallucinated Code Dependencies Become New Supply Chain Risk (bleepingcomputer.com)
  16. Spracklen et al. — We Have a Package for You! A Comprehensive Analysis of Package Hallucinations by Code Generating LLMs — USENIX Security 2025
  17. Socket — The Rise of Slopsquatting: How AI Hallucinations Are Fueling a New Class of Supply Chain Attacks (socket.dev)
  18. Trend Micro — Slopsquatting: When AI Agents Hallucinate Malicious Packages (trendmicro.com)
  19. Nx — s1ngularity — What Happened, How We Responded, What We Learned (nx.dev)
  20. Securelist (Kaspersky) — Shai-Hulud worm infects npm packages (securelist.com)
  21. SOCRadar — Shai Hulud's "The Second Coming": New npm Campaign Hits Zapier, ENS, Postman (socradar.io)
  22. Snyk — TanStack npm Packages Hit by Mini Shai-Hulud (snyk.io)
  23. TanStack — Postmortem: TanStack npm Supply-Chain Compromise (tanstack.com)
  24. StepSecurity — TeamPCP's Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages (stepsecurity.io)
  25. The Hacker News — Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages (thehackernews.com)
  26. Datadog Security Labs — The Shai-Hulud 2.0 npm worm: analysis, and what you need to know (securitylabs.datadoghq.com)
  27. Netskope — Shai-Hulud 2.0: Aggressive, Automated, and Fast Spreading (netskope.com)