The Miasma / Shai-Hulud payload is still sitting in a lot of repositories right now. Here is how to tell if you are one of them, how to clean up safely, and what to do if you are locked out.
I got out. My account is back, my repositories are clean, my npm packages were never touched, and after four hard days my case was finally worked. I wrote that whole story in two earlier posts: part 1 and part 2. This one is not about me.
This week, with my access restored, I checked a publicly published list of repositories hit by the same worm that hit me. A clear majority are still infected. Days after the list went public, the live, credential-stealing payload is still sitting in repository after repository, untouched.
That means real people are still carrying this thing in their repos right now, and a lot of them almost certainly have no idea.
My honest first reaction, when that landed, was a quiet "oh, shit." Not for me, I was already safe by then, but for them.