Sign up to save your podcasts
Or
Share npm Under Siege: The “Shai-Hulud” Worm Attack
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
npm Under Siege: The “Shai-Hulud” Worm Attack
The supply chain attacks on npm continue and this week, Crowdstrike’s npm packages fell victim to the “Shai-Hulud” worm.
To mitigate the potential of downloading these malicious packages, consider pinning specific package versions in JS projects and using 2FA to publish new package versions to npm.
Also this week, WebAssembly Specification (Wasm) released v3.0. This version dramatically expands the memory Wasm apps can use, supports multiple memory usage, and now allows garbage collection.
It’s been a while since we last covered LLM options for folks who want to run their own models locally or in the browser, so Jack gives a quick rundown of some of the best options out today.
There’s WebLLM from MLC, MediaPipe from Google, and ONNX from Microsoft, and although none are easily interchangeable with another, if cost, privacy, or working offline are concerns of your LLM-enabled app, these may be good options to explore.
Chapter Markers:
- 00:58 - npm supply chain attack
- 16:28 - Wasm 3.0
- 23:34 - LLM options in the browser
- 34:41 - Jack’s experience at CascadiaJS and a discussion on the value of in-person conferences in 2025
- 41:54 - GitHub’s new MCP registry
- 43:26 - Microsoft Paint is getting project files
- 46:54 - What’s making us happy
Links:
- Paige - “Shai-Hulud” supply chain attack on npm continues against Crowdstrike npm packages and pnpm 10.16 minimumReleaseAge setting
- Jack - LLM options in the browser: WebLLM, MediaPipe, ONNX
- TJ - Wasm 3.0
- GitHub’s new MCP registry
- Microsoft Paint is getting its own Photoshop-like project files
- Paige - Great British Bake Off season 16 is back!
- Jack - Yoyos
- TJ - phishyurl.com
Thanks as always to our sponsor, the Blue Collar Coder channel on YouTube. You can join us in our Discord channel, explore our website and reach us via email, or talk to us on X, Bluesky, or YouTube.
- Front-end Fire website
- Blue Collar Coder on YouTube
- Blue Collar Coder on Discord
- Reach out via email
- Tweet at us on X @front_end_fire
- Follow us on Bluesky @front-end-fire.com
- Subscribe to our YouTube channel @Front-EndFirePodcast
View all episodes
By TJ VanToll, Paige Niedringhaus, Jack Herrington
4.5
1111 ratings
The supply chain attacks on npm continue and this week, Crowdstrike’s npm packages fell victim to the “Shai-Hulud” worm.
To mitigate the potential of downloading these malicious packages, consider pinning specific package versions in JS projects and using 2FA to publish new package versions to npm.
Also this week, WebAssembly Specification (Wasm) released v3.0. This version dramatically expands the memory Wasm apps can use, supports multiple memory usage, and now allows garbage collection.
It’s been a while since we last covered LLM options for folks who want to run their own models locally or in the browser, so Jack gives a quick rundown of some of the best options out today.
There’s WebLLM from MLC, MediaPipe from Google, and ONNX from Microsoft, and although none are easily interchangeable with another, if cost, privacy, or working offline are concerns of your LLM-enabled app, these may be good options to explore.
Chapter Markers:
- 00:58 - npm supply chain attack
- 16:28 - Wasm 3.0
- 23:34 - LLM options in the browser
- 34:41 - Jack’s experience at CascadiaJS and a discussion on the value of in-person conferences in 2025
- 41:54 - GitHub’s new MCP registry
- 43:26 - Microsoft Paint is getting project files
- 46:54 - What’s making us happy
Links:
- Paige - “Shai-Hulud” supply chain attack on npm continues against Crowdstrike npm packages and pnpm 10.16 minimumReleaseAge setting
- Jack - LLM options in the browser: WebLLM, MediaPipe, ONNX
- TJ - Wasm 3.0
- GitHub’s new MCP registry
- Microsoft Paint is getting its own Photoshop-like project files
- Paige - Great British Bake Off season 16 is back!
- Jack - Yoyos
- TJ - phishyurl.com
Thanks as always to our sponsor, the Blue Collar Coder channel on YouTube. You can join us in our Discord channel, explore our website and reach us via email, or talk to us on X, Bluesky, or YouTube.
- Front-end Fire website
- Blue Collar Coder on YouTube
- Blue Collar Coder on Discord
- Reach out via email
- Tweet at us on X @front_end_fire
- Follow us on Bluesky @front-end-fire.com
- Subscribe to our YouTube channel @Front-EndFirePodcast
More shows like Front-End Fire
View all
The Changelog: Software Development, Open Source
288 Listeners
The a16z Show
1,099 Listeners
ShopTalk
501 Listeners
Software Engineering Daily
624 Listeners
JavaScript Jabber
62 Listeners
Syntax - Tasty Web Development Treats
990 Listeners
The Diary Of A CEO with Steven Bartlett
8,852 Listeners
Practical AI
212 Listeners
All-In with Chamath, Jason, Sacks & Friedberg
10,224 Listeners
Hard Fork
5,546 Listeners
PodRocket
60 Listeners
devtools.fm: Developer Tools, Open Source, Software Development
25 Listeners
The Startup Ideas Podcast
212 Listeners
Latent Space: The AI Engineer Podcast
98 Listeners
This Day in AI Podcast
229 Listeners