npm has recently been hit by a 'sandworm' supply chain poisoning attack. The attackers compromised an official maintainer's account and used it to push malware at scale: over 600 versions of more than 300 independent packages were affected. The incident has hit several well-known projects, including echarts-for-react, the @antv series, and the TanStack series. The malicious code embedded in these packages steals sensitive information, including GitHub tokens and cloud service keys. It also behaves like a worm: it self-replicates and spreads laterally by tampering with other packages and publishing the poisoned versions under the compromised maintainer's identity, so they appear to be ordinary releases. To mitigate the risk, isolate any device that may be compromised, thoroughly inspect dependency files (lockfiles and installed packages), clean up any residual traces of the attack, rotate exposed credentials, and raise overall security awareness.
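The "inspect dependency files" step above, worked through as an added example (not code from the report or from any affected project): the script walks a parsed package-lock.json, in both the v1 nested tree and the v2/v3 flat map, and lists every installed copy of the packages and scopes the report names. Because the report does not enumerate affected versions, it flags by name and scope only, and the lockfile fragment and its versions are constructed placeholders.

```javascript
// Added example: audit a parsed package-lock.json for dependencies the report
// names. Flags by name/scope because the source lists no affected versions.
const WATCHLIST = { names: new Set(["echarts-for-react"]), scopes: new Set(["@antv", "@tanstack"]) };

// Lockfile v2/v3 key "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameFromPath(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? key : key.slice(i + "node_modules/".length);
}

function isWatched(name) {
  if (WATCHLIST.names.has(name)) return true;
  const slash = name.indexOf("/");
  return name.startsWith("@") && slash > 0 && WATCHLIST.scopes.has(name.slice(0, slash));
}

// Handles the v1 nested "dependencies" tree and the v2/v3 flat "packages" map;
// reports the install path so nested duplicate copies are not missed.
function auditLockfile(lock) {
  const hits = [];
  const record = (path, name, meta) => {
    if (isWatched(name)) hits.push({ path, name, version: meta.version });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path !== "") record(path, meta.name || nameFromPath(path), meta); // "" = root project
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        record(`${prefix}node_modules/${name}`, name, meta);
        walk(meta.dependencies, `${prefix}node_modules/${name}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed lockfile for the demo; versions are placeholders, not real releases.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/echarts-for-react": { version: "0.0.0-placeholder" },
    "node_modules/react": { version: "18.3.1" },
    "node_modules/some-lib/node_modules/@antv/g2": { version: "0.0.0-placeholder" },
    "node_modules/@tanstack/react-query": { version: "0.0.0-placeholder" },
  },
};

for (const h of auditLockfile(SAMPLE_LOCK)) console.log(`${h.path}: ${h.name}@${h.version}`);
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLockfile` and compare each reported version with the registry's advisory for that package.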
