Velostride, one of the fastest-growing cycling gear startups, received an alert on October 26, 2025. Two developer machines had made outbound connections at 2 AM. Within two days, a public GitHub repository appeared under one of their developers' accounts containing that developer's credentials.

They traced it back to a routine npm dependency update. A package the team had used for eighteen months. The update ran clean, passed all checks, and landed in their pipeline the way it always had. The package carried Shai-Hulud. By the time the team found it, the worm had already moved through their pipeline, harvested tokens, and used their own developer credentials to spread itself further across the ecosystem.

The breach began with a dependency update, a routine and fully automated process.

Today we explain the details of Shai-Hulud, the supply chain worm, and in our next article we will discuss the lessons learned for VeloStride.

Shai-Hulud - The supply chain worm