Trending on Reddit: Mini Shai-Hulud Hits 160+ npm Packages Including Mistral AI
What Happened
Researchers at Socket disclosed "Mini Shai-Hulud," a supply-chain attack that compromised more than 160 npm packages by abusing GitHub Actions workflows to steal maintainer tokens and republish poisoned versions. Mistral AI and UiPath were among the named victims. The thread dominated r/programming and r/node, with maintainers scrambling to rotate keys.
My Take
Every executive nodding along to "AI is going to write our code" should read this and ask one question: who is reviewing the dependencies the AI just imported? Coding agents pull packages with the confidence of a senior engineer and the judgment of an intern. The attack surface isn't the model — it's the unattended autonomy around it. Boards that approved "agentic engineering" pilots without a software-bill-of-materials policy are one bad Tuesday from a 10-K disclosure.
Read Original Source