
Severity: HIGH | Category: Attacks | Source: SC Media

TeamPCP releases ‘vibe coded’ Shai-Hulud source code, issues challenge

The threat is the "mini" Shai-Hulud supply chain worm, which spreads via compromised developer accounts on npm and PyPI, hijacks IDE and AI agent config files for persistence, and exfiltrates stolen credentials to a C2 server and encrypted GitHub repositories. The source code for this obfuscated malware has been publicly released by TeamPCP, increasing the risk of modified variants being deployed. While the article details the attack vector and method, it does not provide a CVSS score, specific affected software versions, a fixed version, or a workaround.

Critical Infrastructure Security, Supply chain
May 15, 2026
By Laura French

TeamPCP publicly released the source code for its “mini” Shai-Hulud supply chain worm on Tuesday, issuing a $1,000 challenge to whoever can pull off the “biggest supply chain attack.”

Mini Shai-Hulud was used in a recent major supply chain attack wave across npm and PyPI, spreading credential-stealing malware and self-propagating using compromised developer accounts. The campaign has impacted packages from TanStack, Mistral AI, OpenSearch and more.

OX Security was one of the first to discover the published source code, shared directly in GitHub repositories from at least two likely compromised accounts. The repos included a note calling the code “A Gift from TeamPCP” and stating “Is it vibe coded? Yes. Does it work? Let results speak.”

OX Security Research Team Lead Moshe Siman Tov Bustan told SC Media that his team analyzed the heavily obfuscated malware used in the TanStack attack and compared what they recovered to the newly released code. The released version appears to be the same one used in the recent attacks, and includes logic for hijacking the configuration files of integrated development environments (IDEs) and AI coding agents for persistence, among other similarities, Bustan said.

“This also tells an interesting story. Nowadays, with AI, anyone can read and clone code. Even ‘unreadable’ obfuscated code can be turned into source code instantly, which can then be improved and modified. TeamPCP probably did it with the original Shai-Hulud: analyzed it, turned it into source code, then modified it,” Bustan stated.

The original Shai-Hulud attack saw two distinct waves in September 2025 and November 2025, impacting tens of thousands of npm packages including popular projects like tinycolor and even packages owned by the cybersecurity company CrowdStrike.

Bustan told SC Media that OX believes the original Shai-Hulud malware was not the work of TeamPCP, but that the new “mini” version takes inspiration from last year’s attacks. For example, the original version used TruffleHog to scan for secrets, which is absent in the new version, and the original only exfiltrated stolen data to GitHub while the new one uses a C2 server in addition to GitHub. TeamPCP’s version also encrypts data published to GitHub, meaning only their private key can be used to decrypt it, while the previous version only used encoding on the published data, Bustan explained.

The repositories originally used to publicly release the mini Shai-Hulud source code have been removed by GitHub, although OX observed multiple forked versions being created and modified. A search on GitHub for the phrase “A Gift from TeamPCP” returns no results as of Friday afternoon, suggesting the platform has been fast to remove any new versions of the original repositories.

OX confirmed they have yet to see any attacks leveraging the open-sourced Shai-Hulud variant, although TeamPCP has reportedly teamed up with BreachForums to hold a “supply chain attack competition” coinciding with the code’s release. Screenshots from BreachForums published on X by Dark Web Informer show the threat actors offering $1,000 in Monero (XMR) cryptocurrency to “whoever conducts the biggest supply chain attack.”

TeamPCP previously teamed up with a nascent ransomware-as-a-service (RaaS) group known as VECT in late April, with VECT reportedly extorting victims affected by TeamPCP’s previous supply chain attacks on Trivy and LiteLLM. VECT also offered all BreachForums members free affiliate access to its VECT 2.0 ransomware, although Check Point researchers described the ransomware as “amateur” and noted it inadvertently destroys most data rather than properly encrypting it.
