The Weekly Dev’s Brew #30 ☕
The Sleeper Has Awakened: NPM Shai-Hulud Worms Through Your Dependencies
🏜️ "The Spice Must Flow" - But Not Through Your npm Packages
When your dependencies become more dangerous than sandworms!
Hey devs! Pull up a chair and grab your favorite mug because we need to talk about something that happened while you were probably debugging CSS grid (again). September 2025 brought us the largest npm supply chain attack in history, and just like Frank Herbert's spice trade in Dune, the flow of packages we depend on got seriously compromised.
Here's the tea ☕: Remember last week's episode where we covered the September 8th npm attack? That was just the warm-up act. If you thought 18 compromised packages with 2.6 billion weekly downloads was bad news, grab your strongest espresso because this week's drama makes that look like spilled sugar compared to a full coffee catastrophe.
Breaking: "Shai-Hulud" Worm Discovered Today
Forget what we said about the September attack being bad; we've got a fresh nightmare brewing. Security researchers just flagged a self-replicating worm called "Shai-Hulud" that's infected 40+ npm packages since September 14th. This thing spreads like spilled coffee on a white shirt.
Here's the scary part: once it infects one package, it automatically trojans every other package that maintainer has access to. It's like a digital zombie apocalypse, but for your dependencies. The worm downloads TruffleHog (a legit security tool) to scan infected machines for AWS keys, GitHub tokens, and other juicy credentials, then phones home with the goods.
Patient Zero was a package called rxnt-authentication from maintainer "techsupportrxnt." From there, it spread to major packages including @ctrl/tinycolor, ngx-toastr, and even some CrowdStrike tooling packages (they've already rotated their keys, don't panic).
The really clever bit? It creates "-migration" copies of private repos to steal hardcoded secrets. It's like the attack we saw on the Nx build system last month, but with worm-like spreading capabilities.
📖 Read more: Full analysis on The Hacker News
What You Need to Do RIGHT NOW
Audit immediately: Check if you're using any of the 180+ compromised packages
Rotate your tokens: All of them. GitHub, npm, AWS, everything
Update to clean versions: npm has been removing malicious versions as they're discovered
Monitor your repos: Look for any unexpected "-migration" repositories
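An added example (not code from the newsletter or from any of the projects it names) of the audit and monitor steps above: it walks the `packages` map of a package-lock.json for names on a watch list and flags repository names ending in "-migration". The lock file excerpt, the watch list, and the repo listing are constructed sample data; the real list of affected packages and versions must come from the advisory sources.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3 layout) against
// a watch list of package names, and flag "-migration" repository names.
// The lock file, watch list and repo list below are constructed sample data.

const WATCH_LIST = new Set([
  "@ctrl/tinycolor",      // named in the newsletter
  "ngx-toastr",           // named in the newsletter
  "rxnt-authentication",  // named in the newsletter as patient zero
]);

// Constructed package-lock.json excerpt: "" is the root project, every other
// key is a node_modules path (nested installs appear as nested paths).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/@ctrl/tinycolor": { version: "4.1.2" },
    "node_modules/ngx-toastr": { version: "19.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/foo/node_modules/ngx-toastr": { version: "18.0.0" },
  },
};

// Turn a lock path into a package name; handles scoped and nested installs.
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

// Return every lock entry whose package name is on the watch list.
function auditLock(lock, watchList) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (name && watchList.has(name)) {
      hits.push({ name, version: entry.version, path: lockPath });
    }
  }
  return hits;
}

// Flag repositories whose name ends in "-migration", the naming pattern
// the newsletter describes for the copies the worm creates.
function findMigrationRepos(repoNames) {
  return repoNames.filter((r) => r.endsWith("-migration"));
}

// Constructed repository listing, as an org listing might return it.
const sampleRepos = ["my-app", "my-app-migration", "infra", "infra-migration", "migration-notes"];

console.log(auditLock(sampleLock, WATCH_LIST));
console.log(findMigrationRepos(sampleRepos));
```

In real use, replace `sampleLock` with the parsed contents of your project's package-lock.json and `sampleRepos` with your org's repository names; a hit only says the name is on the list, so check the version against the advisory before acting.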
This is still developing as we write this. It's like watching a slow-motion coffee spill in real-time. You know it's going to be a mess, but you can't look away.
☕ Quick Sip
🚀 Bun Install: 25x faster package installs by rethinking what's possible with modern hardware. Lydia Hallie shares interesting details behind bun’s installation speed → Read the deep dive
🦀 Andromeda Runtime: Yet another JavaScript runtime, which obviously had to be written in Rust, with a hardware-accelerated Canvas API and sub-10ms startup time. I guess it’s fast → Try it out
🦕 Deno 2.5: Now with permissions in config files and improved LSP performance. V8 14.0 and TypeScript 5.9.2 under the hood. → See what's new
🎨 CSS Anchor Positioning: Part of Interop 2025, already shipped in Chromium. Follow-the-leader patterns just got a whole lot smoother. → Learn the technique
📋 100+ CSS Features List: Adam Argyle wrote a comprehensive guide to what's new in CSS over the past 5 years. Perfect for answering "what should I study next?" → Check the full list
🅰️ Angular Web Codegen Scorer: New open-source tool from the Angular team that evaluates AI-generated code quality. Scores build success, runtime performance, security, and accessibility. Already helping frameworks like SolidJS improve their AI prompts. → Read the announcement
🎧 Last Week's Podcast Brew
Last week we had Una Kravets from Google Chrome on the podcast chatting about the web platform. While everyone's obsessing over AI replacing developers, Una revealed the plot twist: CSS has quietly become the fastest-evolving part of web development.
She walked us through how features that used to require several third-party JavaScript libraries are landing as native platform capabilities. We're talking customizable dropdowns, anchor positioning (hey, there's that CSS reference from Quick Sip!), and scroll-driven animations.
Una also shared her fascinating process for identifying platform gaps and working with standards bodies like Open UI. Plus, her take on AI in development is refreshingly nuanced.
☕ Coffee Break Fact
Pumpkin spice lattes were invented in 2003 at Starbucks, but real pumpkin spice has been around for centuries. The blend typically contains cinnamon, nutmeg, ginger, cloves, and allspice - but rarely actual pumpkin. It's like how "vanilla JavaScript" doesn't contain any vanilla, but both have become essential flavors that developers (and coffee drinkers) can't seem to live without come fall!
Keep your dependencies updated and your coffee strong,
The Weekly Dev’s Brew
P.S. - If you enjoyed this newsletter, share it with your colleagues. If you didn't, forward it to that one developer who's still using Webpack 4 and refuses to upgrade.