Sign up to save your podcasts
Or
Share npm Under Siege: The “Shai-Hulud” Worm Attack
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
npm Under Siege: The “Shai-Hulud” Worm Attack
The supply chain attacks on npm continue and this week, Crowdstrike’s npm packages fell victim to the “Shai-Hulud” worm.
To mitigate the potential of downloading these malicious packages, consider pinning specific package versions in JS projects and using 2FA to publish new package versions to npm.
Also this week, WebAssembly Specification (Wasm) released v3.0. This version dramatically expands the memory Wasm apps can use, supports multiple memory usage, and now allows garbage collection.
It’s been a while since we last covered LLM options for folks who want to run their own models locally or in the browser, so Jack gives a quick rundown of some of the best options out today.
There’s WebLLM from MLC, MediaPipe from Google, and ONNX from Microsoft, and although none are easily interchangeable with another, if cost, privacy, or working offline are concerns of your LLM-enabled app, these may be good options to explore.
Chapter Markers:
- 00:58 - npm supply chain attack
- 16:28 - Wasm 3.0
- 23:34 - LLM options in the browser
- 34:41 - Jack’s experience at CascadiaJS and a discussion on the value of in-person conferences in 2025
- 41:54 - GitHub’s new MCP registry
- 43:26 - Microsoft Paint is getting project files
- 46:54 - What’s making us happy
Links:
- Paige - “Shai-Hulud” supply chain attack on npm continues against Crowdstrike npm packages and pnpm 10.16 minimumReleaseAge setting
- Jack - LLM options in the browser: WebLLM, MediaPipe, ONNX
- TJ - Wasm 3.0
- GitHub’s new MCP registry
- Microsoft Paint is getting its own Photoshop-like project files
- Paige - Great British Bake Off season 16 is back!
- Jack - Yoyos
- TJ - phishyurl.com
Thanks as always to our sponsor, the Blue Collar Coder channel on YouTube. You can join us in our Discord channel, explore our website and reach us via email, or talk to us on X, Bluesky, or YouTube.
- Front-end Fire website
- Blue Collar Coder on YouTube
- Blue Collar Coder on Discord
- Reach out via email
- Tweet at us on X @front_end_fire
- Follow us on Bluesky @front-end-fire.com
- Subscribe to our YouTube channel @Front-EndFirePodcast
View all episodes
By TJ VanToll, Paige Niedringhaus, Jack Herrington
4.4
1111 ratings
The supply chain attacks on npm continue and this week, Crowdstrike’s npm packages fell victim to the “Shai-Hulud” worm.
To mitigate the potential of downloading these malicious packages, consider pinning specific package versions in JS projects and using 2FA to publish new package versions to npm.
Also this week, WebAssembly Specification (Wasm) released v3.0. This version dramatically expands the memory Wasm apps can use, supports multiple memory usage, and now allows garbage collection.
It’s been a while since we last covered LLM options for folks who want to run their own models locally or in the browser, so Jack gives a quick rundown of some of the best options out today.
There’s WebLLM from MLC, MediaPipe from Google, and ONNX from Microsoft, and although none are easily interchangeable with another, if cost, privacy, or working offline are concerns of your LLM-enabled app, these may be good options to explore.
Chapter Markers:
- 00:58 - npm supply chain attack
- 16:28 - Wasm 3.0
- 23:34 - LLM options in the browser
- 34:41 - Jack’s experience at CascadiaJS and a discussion on the value of in-person conferences in 2025
- 41:54 - GitHub’s new MCP registry
- 43:26 - Microsoft Paint is getting project files
- 46:54 - What’s making us happy
Links:
- Paige - “Shai-Hulud” supply chain attack on npm continues against Crowdstrike npm packages and pnpm 10.16 minimumReleaseAge setting
- Jack - LLM options in the browser: WebLLM, MediaPipe, ONNX
- TJ - Wasm 3.0
- GitHub’s new MCP registry
- Microsoft Paint is getting its own Photoshop-like project files
- Paige - Great British Bake Off season 16 is back!
- Jack - Yoyos
- TJ - phishyurl.com
Thanks as always to our sponsor, the Blue Collar Coder channel on YouTube. You can join us in our Discord channel, explore our website and reach us via email, or talk to us on X, Bluesky, or YouTube.
- Front-end Fire website
- Blue Collar Coder on YouTube
- Blue Collar Coder on Discord
- Reach out via email
- Tweet at us on X @front_end_fire
- Follow us on Bluesky @front-end-fire.com
- Subscribe to our YouTube channel @Front-EndFirePodcast
More shows like Front-End Fire
View all
Software Engineering Radio
271 Listeners
Hanselminutes with Scott Hanselman
380 Listeners
The Changelog: Software Development, Open Source
291 Listeners
Software Engineering Daily
625 Listeners
Soft Skills Engineering
285 Listeners
Thoughtworks Technology Podcast
41 Listeners
Syntax - Tasty Web Development Treats
987 Listeners
REWORK
210 Listeners
Practical AI
210 Listeners
The Stack Overflow Podcast
62 Listeners
Last Week in AI
301 Listeners
PodRocket
59 Listeners
Latent Space: The AI Engineer Podcast
97 Listeners
AI and I
37 Listeners
The Pragmatic Engineer
64 Listeners