Researchers warn malicious packages can harvest secrets, weaponize CI systems, and spread across projects while carrying a dormant wipe mechanism. A massive Shai-Hulud-style npm supply chain worm is ...