gonepivoting's comments

Hey, researcher from Wiz here - we definitely didn't discover these vulns and all the credit goes to Lachlan Davidson. We have been investigating these vulns throughout the day and decided not to disclose the full extent of our conclusions or release a working exploit until more people get a chance to patch this (and as I mentioned in another comment, exploitation works out-of-the-box so you definitely should patch ASAP).


Just to simplify this - our exploitation tests so far have shown that a standard Next.js application created via create-next-app and built for production is vulnerable to CVE-2025-66478 without any specific code modifications by the developer - so this is essentially exploitable out-of-the-box.


We're monitoring this activity as well and updating the list of affected packages here: https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-...

Currently reverse engineering the malicious payload and will share our findings within the next few hours.


Very cool - it reminds me of some of the programming-language-like magic systems in Sanderson's books, especially AonDor in Elantris and Lines in The Rithmatist.

