Saved February 14, 2026
Do you care about this?
This article details a significant npm supply chain attack that compromised an engineer's credentials, allowing unauthorized access to multiple repositories. The attacker cloned 669 repositories and closed numerous pull requests before being detected and removed from the GitHub organization. Thankfully, published packages remained secure throughout the incident.
If you do, here's more
On November 24, 2025, a routine debugging session led to the discovery of a significant security breach at Trigger.dev, caused by an npm supply chain worm dubbed Shai-Hulud 2.0. The worm compromised over 500 packages and affected more than 25,000 repositories across the JavaScript ecosystem. The incident began when an engineer inadvertently installed a malicious package, which stole credentials from the engineer's machine and gave the attacker access to their GitHub account. The attacker held that access for 17 hours, cloning 669 repositories before launching a destructive phase in which malicious commits were force-pushed across multiple repositories.
The timeline of the attack reveals a calculated approach. After the initial compromise, the attacker validated the stolen credentials and began cloning repositories, operating from both US-based and India-based infrastructure. The attacker monitored the engineer's activity while the engineer remained unaware of the breach, a sign of deliberate, patient tradecraft. The attack culminated in a burst of automated actions that closed numerous pull requests and force-pushed commits whose author was spoofed as Linus Torvalds, which added an unusual layer of chaos to the incident.
Fortunately, the destructive phase was detected within minutes, because team members noticed the flood of notifications in Slack. The compromised account was revoked and removed from the GitHub organization, and the team began recovery. No published Trigger.dev packages were affected; the damage was limited to the engineer's local environment and the repository access it granted. The incident highlights how a single inadvertent package install, combined with credentials sitting on a developer machine, can hand an attacker an entire organization's source code. Trigger.dev has since implemented measures to prevent similar attacks, reflecting the ongoing challenge of keeping the software development ecosystem secure.