Bad Dependencies Podcast

Author: Mackenzie Jackson

About this content

Welcome to Bad Dependencies, the podcast where the digital supply chain gets audited in real-time. Hosted by security researchers Charlie Eriksen and Mackenzie Jackson from Aikido Security, this bi-weekly show dives deep into the wildest, weirdest, and most dangerous malware found lurking in package registries like NPM and PyPI. From image-based payloads to AI-generated code noise, nothing is off-limits as Charlie and Mackenzie explore the bleeding edge of software supply chain attacks. Whether you’re a developer, security enthusiast, or just malware-curious, Bad Dependencies will open your ey

Episodes
  • Discovering Shai-Hulud and the Struggle to Raise the Alarm: Bad Dependencies ft Daniel Pereira
    2025/09/18

    In this episode, host Mackenzie Jackson is joined by Charlie Eriksen and Daniel Pereira to uncover the story of Shai-Hulud — a self-propagating worm that shook the NPM ecosystem. Like the great sandworm of Arrakis, it surfaced suddenly, exfiltrating secrets and spreading through unsuspecting packages. Daniel recounts his discovery and the frustrating desert-like silence from major platforms as he tried to raise the alarm. Charlie dives into the worm’s anatomy, from environment variable theft to GitHub Actions exploits, showing how attackers evolved their tactics from the earlier NX breach. Together, they reflect on what it takes to fight worms in the shifting sands of open source, and why the community needs faster ways to respond before the next Shai-Hulud emerges.

    29 min
  • Yep, I Got Pwned: A Candid Chat With The Chalk & Debug Maintainer
    2025/09/17

    Charlie Eriksen and I sat down for a candid chat with Josh Junon, the maintainer of chalk and debug, who found himself at the center of one of the largest npm supply-chain attacks. Josh talks openly about:

    • How the phishing attack actually worked

    • What it felt like to have his packages hijacked

    • The lessons for every open source maintainer and company that relies on npm

    It’s a rare, first-hand account of what it’s like to be the person behind the breach: raw, honest, and essential listening for anyone in tech. We are releasing it live at 16:00 CEST, 07:00 Pacific Time.

    43 min
  • The NX S1ingularity Attack: Secrets in Plain Sight
    2025/08/29

    Charlie Eriksen and Mackenzie Jackson return with breaking news on one of the wildest supply chain compromises to date. The popular NX packages—with millions of weekly downloads—were hijacked, and attackers used LLM-powered malware to crawl systems for secrets like GitHub and NPM tokens. Even stranger, instead of exfiltrating data to a private server, the stolen information was dumped into public GitHub repositories, exposing sensitive credentials for anyone to see.

    In this episode of Bad Dependencies, the hosts unpack:

    • How the NX compromise happened and why it’s uniquely reckless.

    • The bizarre use of LLMs for system enumeration.

    • Why publishing secrets to public repos raises the stakes for everyone.

    • The remediation steps users must take if they were affected.

    • Broader implications for the future of software supply chain security.

    Is this careless malware, or was the chaos intentional? Tune in for analysis, insights, and some grim humor as the hosts dissect a case study in just how bad things can get when package compromises go wrong.

    20 min
No reviews yet