TeamPCP’s Shai-Hulud Supply-Chain Worm Leaked on GitHub, Spurring Copycat Attacks
Source code for the Shai-Hulud supply-chain worm attributed to TeamPCP was briefly exposed on GitHub; the repositories reportedly invited others to substitute their own keys and command-and-control settings, and some were released under the MIT License. Researchers said the leaked code closely matched malware used in recent npm and PyPI compromises tied to packages associated with TanStack, Mistral AI, and OpenSearch, and revealed a modular framework built to steal credentials from developer workstations, CI/CD runners, cloud environments, Kubernetes, and HashiCorp Vault. The malware propagates by abusing stolen GitHub, npm, cloud, and OIDC credentials to poison repositories and publish backdoored packages, and it persists through GitHub workflows, Python .pth hooks, changes to IDE and AI coding assistant configuration, system services, and Windows Startup entries.
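A check for one of the persistence mechanisms listed above, the Python .pth hook, added here as an illustration; it is not code from the leaked framework or from any of the cited reports. It relies on a documented behaviour of Python's site module: every .pth file in a site-packages directory is read at interpreter start, and any line that begins with "import " is executed rather than added to sys.path. The two .pth files the demo writes are constructed samples, and the scanner never executes what it finds.

```python
"""Find .pth files that run code on every interpreter start.

Python's site module reads every *.pth file in each site-packages directory.
A plain line is appended to sys.path, but a line that starts with "import "
(or "import<tab>") is passed to exec() during startup. That is the hook a
.pth-based persistence mechanism depends on, so listing such lines across
site-packages is a cheap review step for a workstation or CI image.
"""
import os
import site
import sysconfig
import tempfile

# The exact prefix test CPython's site.py applies before exec'ing a line.
EXEC_PREFIXES = ("import ", "import\t")


def executable_lines(pth_path: str) -> list[str]:
    """Return the lines of one .pth file that the interpreter would exec()."""
    with open(pth_path, encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\n") for line in fh if line.startswith(EXEC_PREFIXES)]


def scan_pth_dir(directory: str) -> dict[str, list[str]]:
    """Map each .pth file name in `directory` to its executable lines (hits only)."""
    hits: dict[str, list[str]] = {}
    if not os.path.isdir(directory):
        return hits
    for name in sorted(os.listdir(directory)):
        if name.endswith(".pth"):
            lines = executable_lines(os.path.join(directory, name))
            if lines:
                hits[name] = lines
    return hits


def site_package_dirs() -> list[str]:
    """Every site-packages directory the running interpreter consults."""
    dirs = [sysconfig.get_paths()["purelib"], site.getusersitepackages()]
    dirs += getattr(site, "getsitepackages", list)()  # absent in some old venvs
    unique: list[str] = []
    for d in dirs:
        if d and d not in unique:
            unique.append(d)
    return unique


def demo() -> dict[str, list[str]]:
    """Run the scanner over two constructed .pth files (not real samples)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Ordinary .pth: a comment and a path entry, nothing is executed.
        with open(os.path.join(tmp, "benign-paths.pth"), "w") as fh:
            fh.write("# added by a packaging tool\n/opt/vendor/lib\n")
        # Constructed hook-style .pth: the import line runs at every startup.
        # The body here is deliberately harmless; it only stands in for a loader.
        with open(os.path.join(tmp, "zz-hook.pth"), "w") as fh:
            fh.write("import os; os.environ.setdefault('PTH_HOOK_DEMO', '1')\n")
        return scan_pth_dir(tmp)


if __name__ == "__main__":
    for d in site_package_dirs():
        for name, lines in scan_pth_dir(d).items():
            print(f"{os.path.join(d, name)}:")
            for line in lines:
                print(f"    {line}")
    print("demo:", demo())
```

Import lines in .pth files are not malicious by themselves: setuptools, for example, ships `distutils-precedence.pth` with one, and some editable installs use them. Treat the output as a list to review against what the installed packages are expected to do, and compare it against a clean image of the same base; a .pth file that no installed distribution owns is the interesting case.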
Analysis of the leaked framework showed encrypted exfiltration, GitHub dead-drop and signed-commit fallback channels, Sigstore provenance forgery, and destructive behavior including an org-membership-gated wiper and coercive deadman switch. GitHub removed the original repositories and has reportedly been taking down reposted copies, but forks and modified variants were already observed, and within days copycat actors began publishing Shai-Hulud-derived malicious npm packages such as chalk-tempalte and Axios-themed typosquats. Security firms warned that the public release turns an already successful credential-theft and software supply-chain operation into a reusable toolkit for other threat actors, increasing the likelihood of broader attacks across npm, PyPI, GitHub Actions, Docker Hub, OpenVSX, and developer tooling ecosystems.

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Copycat Shai-Hulud campaigns appear on npm after leak
Within days of the source-code leak, copycat campaigns emerged targeting npm developers with modified Shai-Hulud-based packages. OX Security reported that at least one actor published a near-direct clone called "chalk-tempalte," alongside other typosquatted packages and one package with DDoS botnet functionality.
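The copycat packages rely on names one slip away from a package developers already trust: "chalk-tempalte" differs from chalk-template by a single transposition. The check below is an added example, not code from OX Security or any other cited source. It computes the optimal-string-alignment distance (the restricted Damerau-Levenshtein distance, which counts a transposition as one edit) between every declared dependency and an allowlist of names the team knowingly uses, and flags close non-members. The package.json, the allowlist and the name "axois" (a stand-in for the unnamed Axios-themed typosquats the reports mention) are all constructed.

```python
"""Flag dependencies whose names are near-misses of packages on an allowlist.

Typosquats trade on a one-edit difference: a swapped pair of letters
("chalk-tempalte"), a dropped or doubled character, or a case change.
Plain Levenshtein distance counts a transposition as two edits, so this
uses the optimal-string-alignment variant, which counts it as one.
"""
import json

# Constructed allowlist: names this (hypothetical) team has reviewed and uses.
KNOWN_PACKAGES = {"axios", "chalk", "chalk-template", "express", "lodash"}

# Constructed package.json; "axois" is a made-up stand-in for an Axios typosquat.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "axios": "^1.6.0",
    "axois": "1.0.0",
    "chalk-tempalte": "^1.0.0",
    "express": "^4.19.0",
    "left-pad": "^1.3.0"
  }
}"""


def osa_distance(a: str, b: str) -> int:
    """Restricted Damerau-Levenshtein distance: insert, delete, substitute,
    and adjacent transposition each cost one edit."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[rows - 1][cols - 1]


def flag_typosquats(dependencies: dict[str, str], known: set[str],
                    max_distance: int = 2) -> list[tuple[str, str, int]]:
    """Return (declared name, closest allowlisted name, distance) for every
    dependency that is not on the allowlist but sits within max_distance of one."""
    if not known:
        return []
    flagged = []
    for dep in dependencies:
        name = dep.lower()           # npm names are lowercase; normalise anyway
        if name in known:
            continue
        closest, dist = min(((k, osa_distance(name, k)) for k in known),
                            key=lambda pair: pair[1])
        if dist <= max_distance:
            flagged.append((dep, closest, dist))
    return sorted(flagged)


def audit_package_json(text: str, known: set[str]) -> list[tuple[str, str, int]]:
    """Parse a package.json document and audit its runtime and dev dependencies."""
    manifest = json.loads(text)
    deps: dict[str, str] = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(section, {}))
    return flag_typosquats(deps, known)


if __name__ == "__main__":
    for name, closest, dist in audit_package_json(SAMPLE_PACKAGE_JSON, KNOWN_PACKAGES):
        print(f"suspicious dependency {name!r}: {dist} edit(s) from {closest!r}")
```

The result is a review list, not a block list: legitimate packages with names close to a popular one do exist, so the threshold should be tightened to 1 for short names, and the allowlist should come from the project's own lockfile history rather than a global popularity list. The same distance function applies to PyPI names, where the reports describe the same copycat pattern.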
GitHub removes original Shai-Hulud repositories
SC Media reported that GitHub removed the original repositories containing the Shai-Hulud source code and appeared to be rapidly removing reposted copies. Forks were still observed despite the removals.
Recent npm and PyPI campaign hits major package ecosystems
SC Media reported that a recent TeamPCP-linked npm and PyPI supply-chain campaign spread credential-stealing malware through compromised developer accounts. Affected packages were associated with TanStack, Mistral AI, OpenSearch, and others.
TeamPCP conducts months-long supply-chain credential theft campaign
Sources describe TeamPCP as running an extended campaign across 2025 and 2026 that targeted npm, PyPI, GitHub Actions, Docker Hub, OpenVSX, IDE integrations, and CI/CD workflows to steal credentials and republish backdoored packages. Akamai characterizes the operation as an eight-month campaign focused on harvesting secrets and expanding access across repositories and developer tooling.
Independent actors begin forking and modifying leaked Shai-Hulud
After the GitHub publication, researchers observed independent threat actors forking and modifying the malware. Reporting said the repositories remained online for at least 12 hours, enabling reuse before takedowns.
Researchers analyze leaked framework and tie it to prior attacks
Static analysis of the leaked code found a modular TypeScript/Bun toolkit for credential theft, CI/CD compromise, encrypted exfiltration, and propagation through poisoned GitHub repositories and npm packages. Researchers said the code matched previously observed TeamPCP artifacts and revealed added capabilities such as AI coding assistant persistence, Sigstore provenance forgery, signed-commit C2 fallback, and a deadman switch.
Shai-Hulud source code is exposed on GitHub
Researchers reported that a GitHub repository briefly exposed what appears to be the full source code of the Shai-Hulud offensive framework attributed to TeamPCP. OX Security and other reporting said TeamPCP appeared to have published the code openly, inviting others to modify keys and command-and-control settings.
A stronger Shai-Hulud variant emerges
A more capable variant of Shai-Hulud emerged in November 2025, according to reporting on the malware's evolution. Later analyses describe subsequent variants and copycats proliferating after this point.
Researchers first identify Shai-Hulud malware
Reporting states that researchers first found the Shai-Hulud malware in September 2025. The malware was linked to software supply-chain attacks targeting npm ecosystems.
Sources
Shai-Hulud worm copycats emerge after source code leak (Security Affairs, securityaffairs.com)
TeamPCP releases ‘vibe coded’ Shai-Hulud source code, issues challenge (SC Media, scworld.com)
Mini Shai-Hulud: The Worm Returns and Goes Public (Akamai, akamai.com)
Shai-Hulud Malware In-Depth Analysis: Open Source Means Loss of Control? (SlowMist on Medium, May 2026, slowmist.medium.com)
Sha1-Hulud Worm Analysis: Polymorphism, Persistence & IOCs (Phoenix Security, phoenix.security)
Shai-Hulud Goes Open Source (Datadog Security Labs, securitylabs.datadoghq.com)
Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub (The Register, theregister.com)
Shai-Hulud Goes Open Source: Malware Code Leaked to GitHub (OX Security, ox.security)