TeamPCP Releases Shai-Hulud Worm Source Code to Accelerate Supply Chain Attacks
The threat group TeamPCP has escalated its campaign against open-source software supply chains by publicly releasing the full source code of the Shai-Hulud worm — the self-spreading npm attack tool responsible for a wave of package ecosystem compromises throughout April and May 2026. The group is actively encouraging other criminal actors to deploy the code in new supply chain attacks and has offered monetary rewards to operators who successfully use it to compromise high-value targets.
The move transforms what began as a targeted, sophisticated campaign into a democratized threat — any technically capable threat actor can now launch Shai-Hulud-style attacks without needing to develop the tooling from scratch.
What Is Shai-Hulud?
Named after the colossal sandworms of Frank Herbert's Dune, the Shai-Hulud worm is a self-spreading supply chain attack tool that targets npm package ecosystems. Unlike traditional malware that infects end-user machines directly, Shai-Hulud operates by compromising developer environments and package publishing accounts to insert malicious code into legitimate open-source packages.
Core Capabilities
| Capability | Description |
|---|---|
| Self-spreading | Automatically modifies local npm packages and publishes poisoned versions |
| Credential theft | Harvests npm tokens, cloud API keys, SSH keys, and browser credentials |
| Account hijacking | Uses stolen npm publish tokens to take over maintainer accounts |
| Persistence | Installs post-install hooks that survive package updates |
| C2 communication | Reports stolen credentials to TeamPCP-controlled infrastructure |
The "Mini" variant (Mini Shai-Hulud) deployed in recent attacks against TanStack, Mistral AI, and Checkmarx is a stripped-down version optimized for stealth — the full Shai-Hulud code now released publicly includes the complete lateral-movement and self-propagation modules.
Why TeamPCP Released the Code
Security researchers analyzing TeamPCP's communications assess that the group has multiple motivations for open-sourcing the worm:
Maximize Ecosystem Damage: By enabling a larger pool of attackers, TeamPCP amplifies the cumulative damage to npm trust and open-source maintainer confidence far beyond what the group alone could achieve.
Obfuscate Attribution: When dozens of independent actors use the same tooling, incident responders and law enforcement face significantly greater difficulty attributing specific attacks to TeamPCP specifically.
Monetization via Rewards: The group has established what amounts to a bug bounty program in reverse — offering payments to operators who use Shai-Hulud to compromise specified high-value targets (large technology companies, financial institutions, critical infrastructure vendors).
Reputation and Recruitment: Public code releases are a known technique for building criminal reputation on underground forums, attracting collaborators, and demonstrating technical capability.
Packages Compromised in the Shai-Hulud Campaign
Prior to the source code release, TeamPCP's direct Shai-Hulud operations compromised packages across multiple ecosystems:
| Package / Ecosystem | Status |
|---|---|
| TanStack (npm) | Compromised — patched |
| Mistral AI (npm/Python) | Compromised — patched |
| Guardrails AI (Python) | Compromised — patched |
| Checkmarx Jenkins AST plugin | Compromised |
| Bitwarden CLI (npm) | Compromised — patched |
| SAP-related npm packages | Compromised — patched |
| PyTorch Lightning | Compromised — patched |
| Intercom client (npm) | Compromised — patched |
With the source code now public, the list of affected packages is expected to grow rapidly as copycat operators launch independent campaigns.
Elevated Risk to the npm Ecosystem
The npm registry serves over 2.5 million packages and processes more than 40 billion downloads per month. A self-spreading worm with a permissive license to spread is an existential-scale threat to the trust underpinning open-source development.
Key risk amplifiers following the source code release:
- Lower barrier to entry — Actors who previously lacked malware development capability can now run Shai-Hulud campaigns
- Increased volume — Security teams that struggled to keep pace with TeamPCP's targeted attacks will face orders-of-magnitude more incidents
- Variant development — Third parties will modify the source to evade detection signatures developed for the original TeamPCP strain
- PyPI and RubyGems expansion — The worm's architecture is adaptable; expect ports to Python and Ruby package ecosystems
Defensive Recommendations
For Developers
# Lock your dependency versions to prevent unexpected updates
npm shrinkwrap
# or
npm ci # Uses package-lock.json exactly — never resolves newer versions
# Audit new installs before running
npm install --dry-run
npm audit
# Enable npm 2FA for your publish account
npm profile enable-2fa auth-and-writesFor Security Teams
- Monitor for anomalous npm publish activity from developer machines — unexpected package publishes from non-CI endpoints are a key indicator of compromise
- Implement Sigstore/npm Provenance verification — only install packages with cryptographic provenance attestations where possible
- Restrict outbound network from CI/CD runners — Shai-Hulud exfiltrates to external C2 infrastructure; egress filtering breaks the kill chain
- Alert on new postinstall scripts in dependency updates — the worm persists via npm lifecycle hooks
For Package Maintainers
- Enable npm two-factor authentication on all publish-capable accounts immediately
- Audit recent package publish history for unauthorized releases
- Rotate npm automation tokens
- Consider enabling npm package provenance to provide cryptographic attestation of build origin
Response from npm / GitHub
GitHub's npm security team has stated it is actively monitoring for Shai-Hulud-derived packages and has enhanced automated scanning for the worm's characteristic payload patterns. However, security researchers caution that source code availability will accelerate variant development faster than signature-based detection can adapt.
The npm security team encourages maintainers to report suspicious packages at npm/security and has committed to expedited review of reported packages during the elevated threat period.