TeamPCP — Shai-Hulud Worm Source Code Open-Sourced, BreachForums Contest Launched

AI relevance: The Shai-Hulud worm targeted AI-adjacent developer toolchains (npm, PyPI) and compromised packages used in AI/ML pipelines including TanStack, Mistral AI, and UiPath — its open-source release risks spawning a wave of copycat attacks against AI infrastructure supply chains.

What happened

TeamPCP, the threat group behind the Mini Shai-Hulud campaign, which has produced 737 malicious package versions across 169 npm packages since April 29, 2026, has taken two escalatory steps:

  • Source code release: On May 12, TeamPCP published the full source code of the Shai-Hulud worm, a sophisticated supply-chain attack tool with JavaScript and Python execution paths that autonomously steals developer credentials, exfiltrates encrypted data to attacker-controlled GitHub repos, and self-propagates via stolen OIDC tokens and npm registry access.
  • BreachForums contest: The group launched a $1,000 bounty on BreachForums, requiring participants to use the Shai-Hulud tool to compromise open-source packages and submit proof of access alongside their forum ID.

Technical details

  • The worm captures valid npm tokens, modifies registry files, injects malicious scripts (e.g., setup.mjs) into the preinstall phase, and publishes compromised packages.
  • Exfiltration channels include encrypted JSON commits to Dune-themed GitHub repositories and a dedicated C2 server using Session P2P messenger.
  • "Dead-drop" commits using phrases like "OhNoWhatsGoingOnWithGitHub:" serve as base64-encoded token storage.
  • Targets include npm tokens, GitHub credentials, AWS keys, Kubernetes secrets, Docker Hub tokens, and AI platform API keys.
  • The campaign previously hit SAP CAP packages, TanStack, Mistral AI (@mistralai), UiPath, and PyPI (PyTorch Lightning).

Why it matters

  • Open-sourcing the worm dramatically lowers the barrier for less sophisticated threat actors to mount supply-chain attacks.
  • The BreachForums contest creates financial incentives for copycats, potentially triggering a sustained spike in package compromise activity.
  • AI development environments are particularly vulnerable — they routinely install packages from npm/PyPI, store cloud credentials locally, and run CI/CD pipelines with elevated permissions.
  • Security researchers warn that TeamPCP's own actions may become difficult to attribute as copycat campaigns emerge using the same tooling.

What to do

  • Audit package-lock.json, yarn.lock, poetry.lock, and requirements.txt for packages published after April 29, 2026.
  • Rotate all npm, PyPI, GitHub, AWS, and Kubernetes credentials on affected developer workstations.
  • Enable package signing verification (npm provenance, PyPI trusted publishers).
  • Monitor CI/CD pipelines for unauthorized package publish events or anomalous token usage.
  • Use tools such as Snyk, npm audit, or dependency scanners to check for known malicious versions (e.g., GHSA-g7cv-rxg3-hmpx, CVE-2026-45321).
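
One way to start the lockfile audit from the first item above, as an added example (not code from the article or from any tool it names): triage a parsed package-lock.json for dependencies that run install-time hooks, putting a preinstall call to setup.mjs and anything published on or after April 29, 2026 first. The function name, the two lookup maps and every package name, version and date are assumptions constructed for illustration.

```javascript
// Added example: triage a package-lock.json (lockfileVersion 2/3) for install-time hooks.
// All package names, versions and dates below are constructed sample data.
const CUTOFF = Date.parse("2026-04-29T00:00:00Z"); // campaign start date given in the article
const HOOKS = ["preinstall", "install", "postinstall"];

// lock: parsed package-lock.json; manifests: lock path -> parsed package.json
// (read from node_modules in real use); publishTimes: "name@version" -> ISO date
// (e.g. from the registry's per-version "time" metadata). Both maps are assumptions.
function triageLockfile(lock, manifests, publishTimes) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.hasInstallScript) continue; // root project / no hooks
    const name = entry.name || path.split("node_modules/").pop();
    const id = `${name}@${entry.version}`;
    const scripts = (manifests[path] || {}).scripts || {};
    const hooks = HOOKS.filter((h) => typeof scripts[h] === "string");
    const published = Date.parse(publishTimes[id] || "");
    findings.push({
      id,
      hooks,
      // setup.mjs in preinstall is the one script name the article gives as an example
      setupMjs: /\bsetup\.mjs\b/.test(scripts.preinstall || ""),
      afterCutoff: Number.isNaN(published) ? null : published >= CUTOFF,
    });
  }
  // Review order: indicator match first, then recent or undated, then the rest
  const rank = (f) => (f.setupMjs ? 0 : f.afterCutoff !== false ? 1 : 2);
  return findings.sort((a, b) => rank(a) - rank(b));
}

const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/left-util": { version: "2.1.0" },
  "node_modules/native-addon": { version: "4.0.2", hasInstallScript: true },
  "node_modules/@demo/router": { version: "9.9.1", hasInstallScript: true },
} };
const sampleManifests = {
  "node_modules/native-addon": { scripts: { install: "node-gyp rebuild" } },
  "node_modules/@demo/router": { scripts: { preinstall: "node setup.mjs" } },
};
const sampleTimes = {
  "native-addon@4.0.2": "2025-11-03T10:00:00Z",
  "@demo/router@9.9.1": "2026-05-02T08:30:00Z",
};
const report = triageLockfile(sampleLock, sampleManifests, sampleTimes);
console.log(report);
```

A lockfileVersion 1 file has no `packages` map and yields no findings, so regenerate it with a current npm before relying on an empty result.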
