In a twist that even Frank Herbert didn’t see coming, the Shai-Hulud v2 campaign has gracefully slithered from the vast dunes of npm into the equally arid plains of Maven. The attack, which has compromised over 830 npm packages, has shown that truly, nothing is sacred when it comes to safeguarding your secrets in the digital desert.
According to the Socket Research Team, who are presumably feeling like proud ornithologists discovering a rare, destructive bird, a Maven Central package named org.mvnpm:posthog-node:4.18.1 was found hosting the infamous “setup_bun.js” and “bun_environment.js” scripts. While they sound like recipes from the Great British Bake Off, these components are instead ingredients for a perfect cyberstorm.
As developers across the globe collectively scream into their keyboards, security experts advise users to keep their software supply chains less porous than Swiss cheese. Meanwhile, npm and Maven officials have reportedly convened a meeting to discuss the feasibility of releasing patches before the Sandworms decide their appetite includes entire infrastructures.
