Blog

Walmart will pause hiring candidates who require H-1B visas, the BBC understands, in response to the Trump administration’s new $100,000 (£74,000) fee that has roiled US employers.

US President Donald Trump last month signed an executive order imposing the fee for H-1B applicants, citing “abuse” of the programme for skilled foreign workers that undercuts the American workforce.

Walmart tops the list of retail chains that use the programme, with more than 2,000 H-1B visas approved in the first half of 2025.

The retail giant is “committed to hiring and investing in the best talent to serve our customers, while remaining thoughtful about our H-1B hiring approach,” a Walmart spokesperson said.

Walmart’s decision to pause H-1B hirings was first reported by Bloomberg News.

The retailer is the largest private employer in the US. It employs roughly 1.6 million people across the country. But while Walmart is the largest beneficiary of the H-1B visas in the retail sector, the programme is often associated with the giants of the US tech sector.

Amazon tops the list of beneficiaries, with more than 10,000 H-1B visas approved in the first half of 2025. Microsoft, Meta, Apple and Google each secured more than 4,000 visas through the programme through June, according to US government data.

Startups, as well as smaller firms beyond tech, also employ workers through H-1B visas.

Trump’s order only applies to new visa requests in the programme and vows to restrict entry unless a payment is made.

Critics have long argued that H-1Bs undercut the American workforce, while supporters – including billionaire Elon Musk – argue it allows the US to attract top talent from around the world.

India dominates the H-1B programme, making up more than 70% of the recipients in recent years. China was the second-largest source, comprising about 12% of recipients.

“The company needs to decide… is the person valuable enough to have a $100,000-a-year payment to the government, or they should head home, and they should go hire an American,” US Commerce Secretary Howard Lutnick said last month, when Trump signed the order imposing the $100,000 fee.

But business groups has voiced opposition to Trump’s order.

The US Chamber of Commerce last week filed a lawsuit against the Trump administration. The fee will make it “cost-prohibitive” for US employers to use the H-1B programme, said Neil Bradley, the pro-business group’s chief policy officer.

The group argued in its complaint that if implemented, the fee would harm American businesses, forcing them to either increase their labor costs or hire fewer highly skilled employees.

The White House responded to the suit by calling the fee lawful and a “necessary, initial, incremental step towards necessary reforms” to the programme.

Mitch Mayne: What should we know at a glance?

Justin Moore: Shai-Hulud is a fast-moving supply chain attack that quickly affected hundreds of organizations. The attack targeted everyday development activities and trusted software processes to reach its targets, demonstrating just how quickly risk can move inside business operations.

MM: What makes this attack stand out?

JM: Unlike typical malware, Shai-Hulud spreads autonomously. Once the attackers gained access to a developer’s account, they used automation to insert malicious code across that developer’s other software packages and push the compromised versions live—spreading the threat across the software supply chain almost instantly. By combining automation with artificial intelligence, the attackers were able to generate, adapt, and deploy malicious code at scale, far faster than human operators could. This approach marks a shift in the threat landscape: AI-driven supply chain attacks are becoming more efficient, more scalable, and significantly harder to detect, accelerating every stage from initial compromise to evasion.

MM: What should CISOs take away from this research?

JM: Securing the developer environment should be top priority. The initial compromise of this attack likely starts with phishing a developer’s highly privileged account, which illustrates the importance of zero trust. Rotate all developer and cloud credentials immediately. Conduct a thorough audit of third-party software dependencies. Review developer accounts for unusual changes or unexpected public repositories. Multi-factor authentication is essential, but so is strong phishing awareness and educating teams on credential safety. Finally, treat vendor policies, incident response plans, and frequent supply chain risk reviews as ongoing leadership responsibilities, not just technical tasks.