Modern JavaScript development runs on an assumption that rarely gets questioned: dependencies are safe by default.
Every npm install pulls code written by strangers, maintained at unknown cadence, and executed automatically in trusted environments. The Shai-Hulud npm campaigns did not exploit a vulnerability in npm itself. They exploited belief – belief that widely used ecosystems self-regulate.
This was not a smash-and-grab operation. It was a slow poisoning of trust, designed to persist quietly inside developer workflows and CI/CD pipelines.