In Part 1, I shared how disabling package scripts and using dev containers saved me from Shai-Hulud. But those were just the first two layers. Here’s where things get interesting – I’ll show you how signed commits can catch unauthorized changes before they happen, and how repository protections created a final safety net. These aren’t theoretical security measures. They’re the same practical defenses I use every single day.

When the Shai-Hulud v2 supply chain attack hit last week, I watched thousands of developers scramble to check their systems. Mine? I was able to mark it as safe. This was because I’d already layered in some straightforward security practices. If you’re wondering how to protect your own development environment from these kinds of attacks, I’ll walk you through the exact configurations and tools I use every day that kept me safe.