Sha1-Hulud II

By GAYINT Staff

Uh oh! Oepsie Woepsie!

Shy UwUd has come back for all your npm packages!!!

Look at this fun GitHub page that shows all the cute little repos made by Shy UwUd (: Those repos are not art projects, they are where the worm dumps whatever it scraped off the victim's machine, so if one of them has your name on it, assume every secret that lived on that box is gone.

On a quick skim, we found some startup founders, some accounts dedicated to AI tools, some full stack developers, and even someone who sells reactJS courses!

Wiz put out a list of affected packages wayyyyy down at the bottom of their article. Check your nyapm packages pronto, and check the exact package@version pairs straight out of your lockfile rather than just the names, since only the trojaned releases are bad, to make sure you don't become part of Shy UwUd's family owo

We have to wonder how this puppy chain attack worked when people developing big deal npm packages are supposed to make their passwords stronk and their repos secure, but what do we know? We've never asked an MCP to write a really sick react app for us to sell to venture capitalists. The boring answer is that nobody's password got guessed: one infected dev box or CI runner coughs up a maintainer's npm publish token, the worm uses that token to push a trojaned release of every package the token can publish to, and whoever installs the new release runs its install hook and coughs up their tokens in turn. That is the whole puppy chain.

Make sure everypony in your organization checks your ci/cd pipelines for signs of compromise (workflows you didn't write, runs you didn't trigger, secrets being read at odd times), and if you are the maintainer of an npm package, rotate your npm and GitHub tokens and any cloud keys that lived on the same machine, not just your passwords, because a fresh password does nothing for a token that has already been copied. Turn on 2FA for publishing while you're at it :3



Updated: 24 November 2025