TeamPCP Open‑Sources the Shai‑Hulud Supply‑Chain Worm

Unlike traditional dependency compromises, the malware behaved as a self‑propagating worm capable of spreading through developer ecosystems once initial packages were installed.

Shortly afterward, researchers reported that TeamPCP published the worm’s complete source code in two GitHub repositories under an MIT license, allowing unrestricted reuse and modification. The repositories were forked rapidly—more than 40 times within hours—demonstrating how quickly such tools can propagate in the open‑source ecosystem.

Why the MIT‑Licensed Release Is Significant

Publishing offensive malware under a permissive open‑source license is unusual and strategically important.

For defenders, access to the real code enables:

• Accurate detection engineering (YARA, Sigma, EDR rules)
• Emulation and sandbox testing of the worm’s behavior
• Verification that CI/CD monitoring systems can detect the attack chain

For attackers, the same transparency lowers barriers to entry. The MIT license permits anyone to fork and modify the code with minimal restrictions, making it easier to adapt the worm to new package ecosystems, platforms, or evasion techniques.

The broader concern is that Shai‑Hulud demonstrates a repeatable pattern for exploiting trusted developer workflows rather than a single isolated exploit.

Core Capabilities of the Shai‑Hulud Worm

Analysis of the campaign and related reports shows that the malware combines multiple advanced supply‑chain techniques.

OIDC Token Theft from CI/CD Pipelines

One of the worm’s most significant capabilities is the ability to extract OpenID Connect (OIDC) tokens from CI/CD pipelines, particularly GitHub Actions workflows used for package publishing.

Instead of relying solely on stolen static credentials, attackers hijacked release pipelines and captured runtime tokens, enabling them to publish malicious packages directly through trusted automation.

Publishing Malicious Packages With Valid Provenance

The attack also undermined a key security assumption in modern software supply chains: signed build provenance.

Researchers reported that compromised packages were published with valid SLSA Build Level 3 provenance attestations, meaning the artifacts appeared to originate from trusted build pipelines even though they contained malware.

This made the packages appear legitimate to many automated verification systems.

Credential Harvesting Across Developer Environments

Once installed, the worm deployed a credential‑stealing payload designed to harvest secrets from developer machines and CI environments. Targeted data reportedly included:

• AWS and other cloud credentials
• SSH private keys
• npm and PyPI publishing tokens
• GitHub personal access tokens
• Kubernetes and Vault secrets

Some reports indicate the malware scanned over 100 common credential storage paths on infected systems.

Self‑Propagation Through the Package Ecosystem

Stolen credentials and hijacked publishing workflows enabled the worm to spread to additional packages automatically, creating a cascading supply‑chain infection across ecosystems.

Destructive “Dead‑Man’s Switch” Behavior

Security analyses also describe a potential destructive fail‑safe or wiper component, meaning compromised systems might face data destruction if certain conditions are triggered.

Because of this possibility, experts warn that compromised developer environments should be treated as fully breached systems.

How This Relates to TeamPCP’s Earlier Attacks

The May 2026 campaign was not the group’s first supply‑chain operation.

Research from the Cloud Security Alliance describes an earlier April 29–30 attack spanning npm, PyPI, and Packagist, affecting roughly 1,800 repositories through exposed credentials and CI/CD misconfigurations.

The later Shai‑Hulud wave represented a significant evolution in technique:

• Earlier attacks relied primarily on stolen registry tokens.
• The May campaign hijacked trusted publishing pipelines and extracted OIDC tokens directly from CI runners.
• The malware added worm‑like self‑propagation across ecosystems.

This progression shows how quickly attackers are adapting to new supply‑chain defenses.

Immediate Risks for Developers and Security Teams

Organizations that installed affected packages during the campaign window face multiple risks.

Security guidance indicates that any environment that installed one of the compromised packages should be treated as potentially compromised, because the worm harvests credentials and persists across developer systems and CI pipelines.

Another key lesson: signed provenance alone does not guarantee safety if the trusted build pipeline itself has been compromised.

Recommended Response Actions

Security teams investigating potential exposure should prioritize several steps:

• Identify all npm and PyPI dependencies installed or built since May 11, 2026.
• Rebuild projects from clean environments and known‑good lockfiles.
• Rotate all developer, CI/CD, cloud, and registry credentials.
• Audit GitHub Actions or other CI workflows for unauthorized modifications or publishing events.
• Restrict package publishing to hardened runners with least‑privilege OIDC permissions.

Organizations should also monitor for new variants, as the public release of the worm’s source code increases the likelihood of modified or copycat attacks emerging in the open‑source ecosystem.

A Turning Point for Supply‑Chain Security

The Shai‑Hulud incident highlights a growing shift in software supply‑chain attacks: adversaries are targeting developer workflows themselves, not just vulnerable dependencies.

By open‑sourcing the worm that powered a large cross‑ecosystem compromise, TeamPCP effectively turned a real attack into a blueprint—one that both defenders and attackers can now study in detail. The race to understand and defend against that blueprint is already underway.