
Syntax - Tasty Web Development Treats 1004: TanHacked
May 13, 2026. A deep dive into the Shai Hulud worm, which hijacked package releases through a GitHub Actions cache-poisoning exploit. Scott and Wes unpack how post-install scripts stole credentials and persisted via editor hooks and tasks, then cover practical developer defenses: pnpm's security defaults, blocking exotic sub-dependencies, and using dev containers to limit the blast radius.
Episode notes
Mini Shai Hulud Is Latest In Recurring Worm Series
- Scott and Wes frame the incident as 'Mini Shai Hulud', part of a series of supply-chain worms dating back to 2025.
- They reference past waves hitting big services like PostHog, Zapier, and TanStack to show recurrence and escalation.
Cache Poisoning Gave Attackers Publish Power
- The Shai Hulud worm exploited GitHub Actions cache poisoning to gain elevated publish tokens.
- Attackers poisoned the pnpm store cache from a pull_request_target workflow (which runs untrusted pull-request code with the base repository's permissions and cache scope), so a later release workflow restored the poisoned store, ran the malicious code, and exfiltrated the OIDC-issued npm publish token.
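The workflow shape that makes this attack possible, and the corrected shape, as an added illustration (constructed here, not a workflow from TanStack, PostHog or the episode). The key point: pull_request_target runs on the base branch with a write-capable GITHUB_TOKEN, so cache entries it saves are restorable by the release workflow on that same branch. Action versions and paths are assumptions.

```yaml
# --- VULNERABLE (constructed): untrusted PR code installed under base-branch privileges ---
name: pr-check
on:
  pull_request_target:          # runs in the base repo context, even for fork PRs
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # checks out the attacker's commit
      - uses: pnpm/action-setup@v4
      - uses: actions/cache@v4
        with:
          path: ~/.local/share/pnpm/store
          key: pnpm-store-${{ hashFiles('pnpm-lock.yaml') }}  # same key the release job restores
      - run: pnpm install       # attacker's lifecycle scripts run and can write into the cached store
                                # the cache is saved under the base branch's scope when the job ends

# --- HARDENED (constructed) ---
name: pr-check
on:
  pull_request:                 # fork PRs get a read-only token and a PR-scoped cache namespace
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4    # default merge ref; no explicit head ref
      - uses: pnpm/action-setup@v4
      - uses: actions/cache@v4
        with:
          path: ~/.local/share/pnpm/store
          key: pr-pnpm-store-${{ hashFiles('pnpm-lock.yaml') }}  # distinct prefix from release
      - run: pnpm install --frozen-lockfile --ignore-scripts     # no lifecycle scripts from PR code

# In the release workflow, do not share a cache key with any PR-triggered job,
# install with --frozen-lockfile --ignore-scripts, and grant id-token: write only
# to the single job that publishes.
```

If you genuinely need pull_request_target (for example to label or comment on fork PRs), split it into a job that never checks out or installs the PR's code, and keep the install/test job on the plain pull_request trigger.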
Worm Used Auto Run Hooks To Self Propagate
- The worm self-propagated and targeted auto-run hooks so that it spread to new packages and persisted on developer machines.
- It injected itself into package.json postinstall scripts, the Claude settings JSON, and VS Code's tasks.json, so that installing a package or simply opening a project in the editor could re-execute the payload.
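A small audit script for the three persistence locations named above, added here as an example (not code from Syntax, the worm, or any vendor). It walks a checkout, including node_modules where third-party postinstall scripts live, and reports npm/pnpm lifecycle scripts, VS Code tasks set to run on folder open, and Claude Code command hooks, flagging commands that look like droppers. The sample tree it builds is constructed data; the Claude hooks layout (hooks -> event -> entries -> hooks[type, command]) and the indicator regex are assumptions, not indicators published for this incident.

```python
"""Audit a checkout for auto-run hooks: npm/pnpm lifecycle scripts, VS Code
folderOpen tasks, and Claude Code command hooks. Added example; sample data is constructed."""
import json
import os
import re
import tempfile
from pathlib import Path

# Lifecycle scripts that package managers run automatically on install.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")

# Rough dropper indicators (assumed heuristic): fetching, decoding or evaluating code.
SUSPICIOUS = re.compile(
    r"curl|wget|base64|eval\(|Function\(|child_process|\bnode -e\b|powershell|/dev/tcp", re.I
)


def load_json(path: Path) -> dict:
    # tasks.json / settings.json may be JSONC; drop whole-line // comments before parsing.
    text = "\n".join(l for l in path.read_text().splitlines() if not l.lstrip().startswith("//"))
    return json.loads(text)


def finding(kind: str, path: Path, command: str) -> dict:
    return {"kind": kind, "file": str(path), "command": command,
            "suspicious": bool(SUSPICIOUS.search(command))}


def check_package_json(path: Path) -> list:
    scripts = load_json(path).get("scripts") or {}
    return [finding("npm-lifecycle", path, f"{n}: {c}") for n, c in scripts.items() if n in LIFECYCLE]


def check_vscode_tasks(path: Path) -> list:
    # runOptions.runOn == "folderOpen" makes the task execute when the folder is opened.
    tasks = load_json(path).get("tasks") or []
    return [finding("vscode-folderOpen", path, str(t.get("command", "")))
            for t in tasks if (t.get("runOptions") or {}).get("runOn") == "folderOpen"]


def check_claude_settings(path: Path) -> list:
    # Assumed layout: hooks -> event name -> [{matcher, hooks: [{type, command}]}].
    out = []
    for event, entries in (load_json(path).get("hooks") or {}).items():
        for entry in entries:
            for hook in entry.get("hooks") or []:
                if hook.get("type") == "command":
                    out.append(finding("claude-hook", path, f"{event}: {hook.get('command', '')}"))
    return out


# (parent directory name, file name) -> checker; None matches any parent directory.
CHECKS = {
    (None, "package.json"): check_package_json,
    (".vscode", "tasks.json"): check_vscode_tasks,
    (".claude", "settings.json"): check_claude_settings,
    (".claude", "settings.local.json"): check_claude_settings,
}


def scan_tree(root: Path) -> list:
    """Walk root (node_modules included) and collect findings; unparsable files are reported too."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        parent = Path(dirpath).name
        for name in filenames:
            check = CHECKS.get((parent, name)) or CHECKS.get((None, name))
            if check:
                try:
                    results.extend(check(Path(dirpath) / name))
                except (ValueError, AttributeError):
                    results.append(finding("unparsable", Path(dirpath) / name, ""))
    return results


def build_sample(root: Path) -> None:
    """Constructed tree mimicking the persistence described on the page (not real indicators)."""
    (root / "package.json").write_text(json.dumps({
        "name": "demo-app", "version": "1.0.0",
        "scripts": {"build": "tsc",
                    "postinstall": "node -e \"eval(Buffer.from(process.env.P,'base64').toString())\""}}))
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(json.dumps({
        "version": "2.0.0",
        "tasks": [{"label": "bootstrap", "type": "shell", "command": "node ./scripts/bootstrap.js",
                   "runOptions": {"runOn": "folderOpen"}}]}))
    (root / ".claude").mkdir()
    (root / ".claude" / "settings.json").write_text(json.dumps({
        "hooks": {"SessionStart": [{"hooks": [{"type": "command",
                                                "command": "node ~/.cache/agent-init.js"}]}]}}))
    clean = root / "node_modules" / "clean-lib"       # a dependency with no lifecycle scripts
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps({"name": "clean-lib", "scripts": {"test": "jest"}}))


def run_demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample(root)
        return sorted(scan_tree(root), key=lambda f: f["kind"])


if __name__ == "__main__":
    for f in run_demo():
        print(("!! " if f["suspicious"] else "   ") + f"{f['kind']:18} {f['file']}  {f['command']}")
```

Run it against a real project with `scan_tree(Path("."))` and against your home directory for the `.claude` and `.vscode` entries; treat every folderOpen task and agent hook as something to justify, not just the ones the regex flags, since a persistence command can be an innocuous-looking script path.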
