If you've been waiting for a supply chain attack that makes "npm install" feel genuinely dangerous, this might be the week. A worm spread through 25,000 npm packages in seven days by exploiting preinstall hooks - the same hooks most of us never think about.
Meanwhile, CISA gave federal agencies 21 days to patch Oracle Identity Manager, and a DevOps analysis made the rounds arguing that AI coding productivity gains might be illusory once you account for downstream review bottlenecks.
The Shai-Hulud 2.0 worm exploited npm's preinstall lifecycle hooks to propagate through the JavaScript ecosystem. The malware exfiltrated credentials from over 350 users and spread 10x faster than previous variants by evading signature-based detection.
Datadog's technical breakdown reveals the evasion techniques. The worm used obfuscated install scripts and encrypted payloads that only activated after installation completed, bypassing most registry-level scanning.
The attack surface is architectural. Preinstall hooks run with the same permissions as npm install itself. That design decision made sense when packages were human-reviewed; it becomes a liability when automated publishing enables mass infection.
The interesting question isn't "how do you respond to 25,000 compromised packages." It's why preinstall hooks still run arbitrary code by default. npm's architecture predates the current threat model.
Some organizations are adopting --ignore-scripts as standard, accepting the breakage as the price of isolation. If you haven't audited what your preinstall hooks actually do, this might be a good week to start.
CISA added Oracle Identity Manager CVE-2025-61757 to KEV with confirmed active exploitation and a December 12 federal deadline. Federal agencies have 21 days to patch critical RCE across enterprise environments. The CVE scores 9.8 CVSS.
The Fortinet story is different. Two FortiWeb zero-days with public proof-of-concept code drew criticism for silent patching. Fortinet fixed the issues without disclosure; security teams learned about vulnerabilities they'd already patched. The transparency debate continues.
Separately, Fluent Bit vulnerabilities undetected for 8+ years could enable full cloud takeover in critical infrastructure. Patches available.
The Fortinet controversy highlights an uncomfortable tradeoff. Silent patching protects users who update quickly but leaves everyone else unaware of active risk. The security community remains divided on whether transparency or rapid quiet fixes better serves defenders.
A DevOps.com analysis applies the Three-Ways framework to AI coding assistants and arrives at a counterintuitive conclusion: generating 70% more code might not mean 70% more productivity.
The argument is systems-level. If AI accelerates code creation but code review, testing, and security validation remain human-paced, you've moved the constraint, not removed it. The article calls this the "coding assistant bottleneck."
If you're measuring AI coding assistant ROI purely in lines-of-code-per-hour, the Three-Ways analysis suggests you're measuring the wrong thing. The interesting metric is cycle time from feature request to production, which includes everything downstream of code generation.
• CVE-2025-61757 — Oracle Identity Manager Severity: Critical (9.8) | Impact: Remote Code Execution | Status: Actively Exploited, CISA KEV (Dec 12 Federal Deadline)
• CVE-2025-64446 — Fortinet FortiWeb Severity: Critical | Impact: Authentication Bypass, Command Injection | Status: Zero-day, Public PoC Available
• CVE-2025-58034 — Fortinet FortiWeb Severity: Critical | Impact: Command Injection | Status: Silent Patching Controversy
• Multiple CVEs — Fluent Bit Logging Library Severity: High (8.2) | Impact: Full Cloud Takeover | Status: 8+ Years Undetected, Patch Available
• CVE-2025-50165 — Windows JPEG Processing Severity: High | Impact: Remote Code Execution | Status: Patch Available
• CVE-2025-11001 — 7-Zip Severity: High (7.0) | Impact: Remote Code Execution | Status: PoC Available, NHS Warning
Systems thinking on AI productivity:
• The Coding Assistant Bottleneck: Applying the 3-Ways — Why it's worth your time: DevOps theory applied to AI coding assistants, argues velocity gains may evaporate in downstream review queues
• What Fuels AI Code Risks and How DevSecOps Can Secure Pipelines — Why it's worth your time: Technical analysis of AI-introduced vulnerabilities that traditional SAST tools miss
Talent strategy:
• How to Escape the Talent Valley — Why it's worth your time: Gartner's 240,000 unfilled DevSecOps roles contextualized with workflow redesign alternatives to headcount expansion
Supply chain attack technical details:
• Shai-Hulud is back with a new campaign infecting more npm packages — Why it's worth your time: Primary incident documentation on the 25,000+ package compromise via preinstall hooks
• The Shai-Hulud 2.0 npm worm: analysis, and what you need to know — Why it's worth your time: Datadog's technical breakdown of evasion techniques and detection methodology