Sha1-Hulud malware compromised npm packages via phished maintainer creds, stole developer tokens to alter repos, and propagated itself (November 21, 2025). The malware sat in preinstall scripts that ran on install, scanned for GitHub, npm and cloud creds, and used them to inject code into victims' repos for propagation; it hit 25k+ repos with theft, destruction, and supply-chain ripple effects.

Zsub fixes this. No more scooping up loose credentials and reusing them all over the place.

- Phishing for creds is much tougher: it requires user actions and multiple factors like device control, PINs and physical taps.
- Spread halts: dedicated keys and real-time interactions contain the mess and limit chain reactions.
- Even if a device gets fully owned and in-use keys are stolen: they're limited to short-term use on specific connections, with automatic rotation expiring them quickly, stopping long-term abuse.

Actually zero trust, just like Bitcoin. Not your keys, not your network.

Read our white paper.