Wormsign detects npm supply-chain worm activity — Shai-Hulud and its variants — by reading
the registry's time/ minus versions/ delta. When the same maintainer
publishes three or more packages with ghost-version patterns inside a
60-second window, that is the worm's automation signature.
Pure metadata. No tarballs. No execution.