Tan Stack got tan hacked.

Verselle got their walled garden penetrated.

After stealing content for years, UDemmy got their content stolen.

Loveable, they got their vibes snatched.

And now NPM and Pi Pi have been hit with a major supply chain attack targeting several popular JavaScript and

Python packages. This is Shy Leboof. I mean, shy Hulud, which is the latest worm in a series

of shy Hulud worms, the original shy Hulud worm showed up back in September 2025, which feels like a century

ago at this point. And where malicious versions of multiple popular packages were published to NPM,

they contained the post-install script that harvested sensitive data and sent it to GitHub public repose named Shy Hulud.

So that's why we have the name Shy Hulut here.

I also think that's a Star Star Wars thing.

Shy Hulud.

That's a sick hardcore band.

If you're into hardcore music, look up Shy Hulud, sick band.

It's actually from the movie Dune, by the way, in case you were wondering.

We're just going to run through pissing off people here.

The new Shai Hulud 2.0 dropped in November 2025, and Post-Hog got their hog posted,

and Zapier got zapped, and Postman also got their hog posted. And Zapier got zapped.

And Postman also got their hog posted with the new Shy Hulood.

And then it struck again, Shai Hulub 3.0 in December of 2025.

And now, I don't know why they don't call this one, Shy Huloo 4.0, but this is mini Shihalud. Yes, this is mini Shihiloh. Yes, right. It is mini. It's a little mini worm. Wes, Shai Hulud is a worm in Dune just in case you want to get the reference if you've never seen the Dune movie, which I assume you have. This is insane. We're going to go through what happened,

how it happened, what did it do, and how you can protect yourself, but like, man, I'm tired.

...