Key Findings: Cybersecurity researchers have disclosed an active "Shai-Hulud-like" supply chain worm campaign that has leveraged a cluster of at least 19 malicious npm packages. The malicious code embedded into the packages comes with capabilities to siphon system information, access tokens, environment secrets, and API keys from developer environments. The packages also include a weaponized GitHub Action that harvests CI/CD secrets and exfiltrates them, as well as a "McpInje
