A new wave of the Shai‑Hulud supply‑chain worm has infected dozens of npm packages, from Zapier to Postman, exploiting post‑install scripts to harvest secrets and re‑publish malicious code. The attack, timed before npm’s token revocation deadline, demonstrates the escalating sophistication of ecosystem‑wide threats and the urgent need for hardened dependency pipelines.
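
Because the worm runs through install-time lifecycle scripts, a useful first check on a dependency pipeline is knowing which locked dependencies can execute code during `npm install`. The following is an added example, not code from the original page: it reads npm's `hasInstallScript` flag from a lockfileVersion 2/3 `package-lock.json` and separates reviewed packages from unreviewed ones. The package names, the sample lockfile and the allowlist are constructed for illustration.

```javascript
// Lifecycle hooks that npm runs automatically while installing a dependency.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromLockPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// List every locked dependency npm flagged with hasInstallScript, split by
// whether its name is on an allowlist of packages someone has reviewed.
function auditInstallScripts(lock, allowlist = []) {
  if (!lock || typeof lock.packages !== "object" || lock.packages === null) {
    throw new Error("expected a lockfileVersion 2 or 3 document with a 'packages' map");
  }
  const allowed = new Set(allowlist);
  const report = { approved: [], unreviewed: [] };
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "" || !meta.hasInstallScript) continue; // "" is the root project
    const entry = { name: meta.name || nameFromLockPath(path), version: meta.version, path };
    (allowed.has(entry.name) ? report.approved : report.unreviewed).push(entry);
  }
  return report;
}

// Same question for one package.json manifest: which install hooks does it declare?
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string" && scripts[h].trim() !== "");
}

// Constructed sample lockfile (hypothetical package names).
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-helper": { version: "2.1.0" },
    "node_modules/native-addon": { version: "4.0.2", hasInstallScript: true },
    "node_modules/@example/sdk": { version: "0.9.1", hasInstallScript: true },
    "node_modules/native-addon/node_modules/tiny-dep": { version: "1.0.0", hasInstallScript: true },
  },
};

const sampleReport = auditInstallScripts(SAMPLE_LOCK, ["native-addon"]);
for (const e of sampleReport.unreviewed) {
  console.log(`unreviewed install script: ${e.name}@${e.version} (${e.path})`);
}
```

A CI job can fail the build when `unreviewed` is non-empty, and installing with `npm ci --ignore-scripts` keeps those hooks from running until the entries have been reviewed.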