The Shai-Hulud campaign has reached a critical inflection point with the June 1, 2026 compromise of 32 Red Hat Cloud Services npm packages carrying valid or forged SLSA provenance attestations, combined with the May 12 public release of the wormable malware toolkit. Every enterprise CI/CD pipeline consuming npm packages must treat this as an active incident until audited. The conventional trust signal for npm supply chain integrity (SLSA attestation) can no longer be relied upon for affected namespaces.