It's another Monday morning, sitting down at the computer. And I see a stack of alerts from the last hour of packages showing signs of malware in our triage queue. Having not yet finished my first cup of coffee, I see Shai Hulud indicators. Yikes, surely that's a false positive? Nope, welcome to Monday, Shai Hulud struck again. Strap in.Timeline of the Shai-Hulud CampaignThe timing is notable, given npm’s recent announcement that it will revoke classic tokens on December 9 after the wave of supp...