www.darkreading.com 2/6/2026, 4:55:52 PM

Shai-hulud: The Hidden Cost of Supply Chain Attacks

Shai-hulud: The Hidden Cost of Supply Chain Attacks looks at how self-propagating malware in open source components has caused widespread but hard-to-measure damage, with attackers reaching downstream victims by poisoning component libraries. The piece notes that the Shai-hulud worm spreads through NPM: it infects packages maintained by its victims and then self-publishes poisoned versions of them, and it has had multiple successors that stole credentials and affected a wide range of users.

It also references GlassWorm, which harvests developer credentials once a poisoned Open VSX component has been downloaded, enabling the publication of further malicious versions. An early wave saw 18 popular NPM components poisoned, which were collectively downloaded more than 2 billion times per week, though defenders moved quickly to contain the spread.

Experts cited by Dark Reading, including Omer Kidron of Sygnia and Darren Meyer of Checkmarx Zero, emphasise that harm is often measured in impact to operations and ongoing remediation costs rather than raw download counts. The article also discusses the “costly verification tax” described by Christopher Jess of Black Duck and underlines the need for rapid containment and strengthened best practices to mitigate long‑term damage.

Article by CyberSIXT
