
Audit log

Every state-changing event for Shai-Hulud / TeamPCP Supply Chain Attack: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1 publish by system:backfill
    2026-06-02 20:05:03Z
    Score: ?? (no score change)
    anchor: anchored
    chain: mainnet-beta, slot 423,878,428
    sig: wkby7P35Mkme…9ULk4mch
    hash: BcLDNkm3DoLs…6nPUebgm (sha256 → base58)
    canonical bytes (43922 B):
    {"actor":"system:backfill","investigation_id":"e1075e99-3a81-4c83-a3ee-8104ee20a1dc","kind":"publish","page_slug":"shai-hulud-teampcp-supply-chain-attack","published_at":"2026-06-02T20:05:03.713Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Shai-Hulud / TeamPCP Supply Chain Attack","sections":[{"content":"Shai-Hulud is a worm-based supply chain malware family targeting the npm and PyPI open-source package ecosystems. The campaign is attributed to TeamPCP, a financially motivated, cloud-native cybercriminal group first tracked in late 2025. TeamPCP operates under multiple confirmed aliases: PCPcat (their first documented campaign name), ShellForce (their data-leak publication persona), DeadCatx3 (a GitHub account hosting attacker tooling), CipherForce (their proprietary ransomware brand), and Persy_PCP. Google's Threat Intelligence Group independently tracks the group as UNC6780. The campaign has been corroborated by multiple independent security firms including Unit 42 (Palo Alto Networks), StepSecurity, ReversingLabs, Snyk, Wiz, and the SANS Internet Storm Center. The group's cultural markers — branch names drawn from Frank Herbert's Dune universe (fremen, sandworm, harkonnen, atreides, melange) — are consistent across all documented wave iterations, supporting unified attribution. 
TeamPCP operates under an industrialized ransomware partnership with the Vect Ransomware Group, formally announced via BreachForums, providing initial access via compromised supply chain packages while Vect supplies encryption and extortion tooling.","heading":"Campaign Overview and Attribution","severity":"critical","sources":[{"credibility":2,"name":"TeamPCP - Cloud Threat Landscape (Wiz)","type":"research","url":"https://threats.wiz.io/all-actors/teampcp"},{"credibility":1,"name":"Weaponizing the Protectors: TeamPCP's Multi-Stage Supply Chain Attack on Security Infrastructure (Unit 42)","type":"research","url":"https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/"},{"credibility":2,"name":"Dark Web Profile: TeamPCP (SOCRadar)","type":"research","url":"https://socradar.io/blog/dark-web-profile-teampcp/"},{"credibility":2,"name":"Threat Alert: TeamPCP, An Emerging Force in the Cloud Native and Ransomware Landscape (Flare)","type":"research","url":"https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware"},{"credibility":2,"name":"Vect formalizes BreachForums and TeamPCP alliance (Industrial Cyber)","type":"news_article","url":"https://industrialcyber.co/ransomware/vect-formalizes-breachforums-and-teampcp-alliance-to-push-model-for-industrialized-ransomware-scale-raas-operations/"}]},{"content":"The original Shai-Hulud worm was first detected in September 2025 and marked what security researchers described as \"the end of the nuisance era of npm attacks\" by demonstrating that self-replicating malware could automate the compromise and redistribution of legitimate packages at scale. The worm operates through malicious preinstall lifecycle hooks embedded in poisoned npm packages. Upon installation, a script named set_bun.js executes before any security checks; it downloads the Bun JavaScript runtime and runs bun_environment.js, which deploys a GitHub Actions runner masquerading under the name SHA1HULUD. 
The runner then uses TruffleHog to harvest stored cloud credentials, npm tokens, and GitHub personal access tokens (PATs). Stolen credentials are used to publish compromised versions of every additional package the victim account maintains, enabling exponential spread. The initial campaign ultimately led to more than 500 npm packages being compromised and credentials being harvested from upwards of 25,000 GitHub repositories. The worm's primary financial targeting focus is on developer workstations and CI/CD pipelines with access to cryptocurrency infrastructure.","heading":"Original Shai-Hulud Worm (September 2025)","severity":"critical","sources":[{"credibility":1,"name":"The npm Threat Landscape: Attack Surface and Mitigations (Unit 42)","type":"research","url":"https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/"},{"credibility":2,"name":"Shai-Hulud Worm Steals npm, GitHub, AWS, and Kubernetes Secrets From Developers (CybersecurityNews)","type":"news_article","url":"https://cybersecuritynews.com/shai-hulud-worm-steals-npm/"},{"credibility":1,"name":"Microsoft Security Blog: Shai-Hulud 2.0 Guidance (December 9, 2025)","type":"other","url":"https://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/"}]},{"content":"A second variant, Shai-Hulud 2.0, emerged in November 2025 with substantially expanded capabilities. Malicious activity was detected between approximately November 24 and December 1, 2025; at peak activity on November 24, more than 640 additional npm packages were infected within days and more than 25,000 data-leaking GitHub repositories were created. Microsoft published formal detection and defense guidance on December 9, 2025. 
The 2.0 variant retained the set_bun.js preinstall hook mechanism and GitHub Actions runner impersonation (SHA1HULUD) but added improved TruffleHog-based credential harvesting and infrastructure obfuscation using Cloudflare Tunnels and typosquatted domains. Notable organizations whose developer tooling was affected during this wave included Zapier, PostHog, and Postman, among others. The campaign's operator infrastructure during this wave made use of bulletproof hosting; command-and-control domains were later identified as resolving to IP addresses associated with Stark Industries Solutions, a provider with documented ties to Russian-nexus threat actors. Attribution to TeamPCP specifically by Microsoft was not confirmed in their December 2025 guidance, though subsequent research by Unit 42 and StepSecurity linked the November–December wave to the same actor.","heading":"Shai-Hulud 2.0 (November–December 2025) and Microsoft Guidance","severity":"critical","sources":[{"credibility":1,"name":"Microsoft Security Blog: Shai-Hulud 2.0 — Guidance for Detecting, Investigating, and Defending Against the Supply Chain Attack","type":"other","url":"https://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/"},{"credibility":2,"name":"SecurityWeek: Shai-Hulud Supply Chain Attack Led to $8.5 Million Trust Wallet Heist","type":"news_article","url":"https://www.securityweek.com/shai-hulud-supply-chain-attack-led-to-8-5-million-trust-wallet-heist/"}]},{"content":"The most significant documented financial outcome of the Shai-Hulud campaign is the compromise of the Trust Wallet Chrome browser extension version 2.68. During the Shai-Hulud 2.0 wave in November 2025, attackers obtained Trust Wallet developer GitHub secrets, including a Chrome Web Store (CWS) API key. 
Using this key, threat actors bypassed Trust Wallet's standard internal release process — which requires manual internal approval — and on December 24, 2025 at approximately 12:32 PM UTC published a malicious extension build (v2.68) directly to the Chrome Web Store. The malicious build inserted backdoor code that, upon every wallet unlock event, called GET_SEED_PHRASE across all configured wallets and packed the resulting mnemonic phrases into the errorMessage field of what appeared to be standard PostHog analytics telemetry. This data was transmitted to an attacker-controlled domain, api.metrics-trustwallet[.]com (the domain metrics-trustwallet.com having been registered on December 8, 2025). The attackers also redirected PostHog analytics traffic to their own infrastructure to facilitate exfiltration while appearing as routine telemetry. The active exfiltration window ran until 11:00 UTC on December 26, 2025, a period of approximately 46.5 hours. Total reported losses: approximately $8.5 million across 2,520 affected wallet addresses, with stolen funds traced to at least 17 attacker-controlled addresses. SlowMist's on-chain analysis identified approximately 33 BTC (approximately $3 million), approximately $3 million in Ethereum and Layer-2 assets, and approximately $431 in Solana. Attackers subsequently used multiple centralized exchanges and cross-chain bridges to move and obscure stolen funds. Trust Wallet deployed a clean version 2.69 and initiated a voluntary reimbursement process, though the company reported receiving over 5,000 claims against a confirmed victim set of 2,520 wallets, indicating substantial fraudulent claim attempts. 
Command-and-control infrastructure resolved to IP 138.124.70.40, hosted by Stark Industries Solutions.","heading":"Trust Wallet Chrome Extension Hack (December 24–26, 2025)","severity":"critical","sources":[{"credibility":2,"name":"Trust Wallet Chrome Extension Hack Drains $8.5M via Shai-Hulud Supply Chain Attack (The Hacker News)","type":"news_article","url":"https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html"},{"credibility":1,"name":"Trust Wallet Browser Extension v2.68 Incident: An Update to Our Community (Trust Wallet official)","type":"official","url":"https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update"},{"credibility":2,"name":"Christmas Heist | Analysis of Trust Wallet Browser Extension Hack (SlowMist)","type":"research","url":"https://slowmist.medium.com/christmas-heist-analysis-of-trust-wallet-browser-extension-hack-bdb35c3cc6dd"},{"credibility":2,"name":"Explained: The Trust Wallet Hack (December 2025) (Halborn)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-trust-wallet-hack-december-2025"},{"credibility":1,"name":"Users of Binance-owned Trust Wallet lose $7 million to hacked Chrome extension (CoinDesk)","type":"news_article","url":"https://www.coindesk.com/business/2025/12/26/trust-wallet-users-lose-more-than-usd7-million-to-hacked-chrome-extension"},{"credibility":2,"name":"SecurityWeek: Shai-Hulud Supply Chain Attack Led to $8.5 Million Trust Wallet Heist","type":"news_article","url":"https://www.securityweek.com/shai-hulud-supply-chain-attack-led-to-8-5-million-trust-wallet-heist/"}]},{"content":"A third variant, dubbed Shai-Hulud 3.0 \"The Golden Path,\" was discovered by security researcher Charlie Eriksen on December 28, 2025 — two days after the Trust Wallet exfiltration window closed. The variant was identified propagating through the malicious npm package @vietmoney/react-big-calendar@0.26.2. 
The 3.0 variant retained core credential-harvesting and self-propagation mechanics from prior versions but introduced several technical modifications: enhanced obfuscation and improved cross-platform compatibility, particularly targeting Windows environments and the Bun runtime. Notably, the dead-man's switch present in earlier variants — which triggered rm -rf ~/ upon token revocation to frustrate forensic investigation — was absent, suggesting a deliberate operational change toward sustained, lower-profile exfiltration rather than destructive denial. Repositories created by this variant use a distinct marker string: \"Goldox-T3chs: Only Happy Girl.\" At time of discovery no evidence of a broad infection campaign was found; researchers assessed it as likely representing an actor preparing tooling for future operations.","heading":"Shai-Hulud 3.0 \"The Golden Path\" (December 28, 2025)","severity":"high","sources":[{"credibility":2,"name":"The Holiday Whisper: Shai-Hulud 3.0 (Snyk)","type":"research","url":"https://snyk.io/blog/shai-hulud-3-0/"},{"credibility":2,"name":"Guess Who's Back: Shai-Hulud 3.0 The Golden Path (Kodem Security)","type":"research","url":"https://www.kodemsecurity.com/resources/guess-whos-back-shai-hulud-3-0-the-golden-path"},{"credibility":2,"name":"New Shai-Hulud 3.0 malware variant discovered (Cybernews)","type":"news_article","url":"https://cybernews.com/security/shai-hulud-malware-3rd-variant-detected-supply-chain-threat/"}]},{"content":"On April 22, 2026, TeamPCP compromised @bitwarden/cli@2026.4.0 via a backdoored Checkmarx GitHub Actions workflow (checkmarx/ast-github-action). The malicious version was available on npm between approximately 5:57 PM and 7:30 PM ET — a window of roughly 93 minutes — before Bitwarden identified and removed it. An estimated 334 downloads of the malicious version occurred. 
The embedded payload included the self-referential string \"Shai-Hulud: The Third Coming\" and functioned identically to prior Shai-Hulud variants: harvesting npm tokens, GitHub PATs, SSH keys, and CI/CD secrets, then uploading them encrypted to public GitHub repositories. Bitwarden stated that no end user vault data was accessed and that production systems were unaffected; the compromise was limited to the npm distribution mechanism for the CLI during that window. The attack also affected Checkmarx distribution channels across Docker Hub, GitHub Actions, and VS Code extensions. The broader Checkmarx breach enabled the initial foothold through the poisoned GitHub Actions dependency.","heading":"Bitwarden CLI Compromise and Checkmarx Breach (April 22, 2026)","severity":"high","sources":[{"credibility":2,"name":"Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign (The Hacker News)","type":"news_article","url":"https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html"},{"credibility":2,"name":"Bitwarden CLI Compromised in 'Shai-Hulud' Supply Chain Attack; 334 Developers Exposed (Techloy)","type":"news_article","url":"https://www.techloy.com/bitwarden-cli-compromised-in-shai-hulud-supply-chain-attack-334-developers-exposed/"},{"credibility":2,"name":"Bitwarden NPM Package Hit in Supply Chain Attack (SecurityWeek)","type":"news_article","url":"https://www.securityweek.com/bitwarden-npm-package-hit-in-supply-chain-attack/"},{"credibility":2,"name":"Bitwarden CLI Hijacked in npm Supply Chain Attack Linked to TeamPCP and Checkmarx Breach (SOCRadar)","type":"research","url":"https://socradar.io/blog/bitwarden-cli-hijacked-npm-supply-chain-teampcp/"}]},{"content":"On April 29, 2026, a variant designated Mini Shai-Hulud targeted the SAP Cloud Application Programming (CAP) ecosystem via four npm packages: @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt. 
The combined weekly download count for the four affected packages was approximately 570,000. The attack mechanism mirrored prior Shai-Hulud campaigns: malicious preinstall hooks executing credential harvesting and self-propagation payloads. This wave was documented by Unit 42 and is included in Wiz's ongoing TeamPCP campaign tracking as a precursor to the larger TanStack attack that followed twelve days later.","heading":"Mini Shai-Hulud Wave 1: SAP Ecosystem (April 29, 2026)","severity":"high","sources":[{"credibility":2,"name":"TeamPCP Hits SAP Packages With 'Mini Shai-Hulud' Attack (Dark Reading)","type":"news_article","url":"https://www.darkreading.com/cloud-security/teampcp-sap-packages-mini-shai-hulud"},{"credibility":1,"name":"The npm Threat Landscape: Attack Surface and Mitigations (Unit 42, updated May 21)","type":"research","url":"https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/"}]},{"content":"On May 11, 2026 between 19:20 and 19:26 UTC, TeamPCP executed a coordinated attack against the TanStack open-source ecosystem via a three-stage exploit chain against TanStack's GitHub Actions CI/CD pipeline. Stage one exploited a pull_request_target workflow misconfiguration (a \"pwn request\") to execute attacker-controlled fork code in the base repository's security context. Stage two poisoned the pnpm package store cache using a pre-computed cache key that legitimate release workflows would subsequently retrieve. Stage three extracted a GitHub Actions OIDC token from runner process memory by reading /proc/*/cmdline, then exchanged it for npm publishing credentials to publish 84 malicious package versions across 42 @tanstack/* packages — including @tanstack/react-router (approximately 12.7 million weekly downloads) — in six minutes. 
The campaign then propagated via stolen maintainer credentials to additional ecosystems: @uipath (60+ packages), @mistralai (npm and PyPI: mistralai 2.4.6), @draftlab, guardrails-ai (PyPI 0.10.1, CVSS 9.6, CVE-2026-45321), and numerous others. By end of the 48-hour window ending May 12, 2026, 172 unique packages across 403–404 malicious versions spanning npm and PyPI had been confirmed compromised, with cumulative weekly downloads across affected packages exceeding 518 million. The malicious payload (router_init.js, 2.3 MB, SHA-256: ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c) used three obfuscation layers and exfiltrated data via the Session/Oxen P2P network through filev2.getsession.org. Persistence hooks targeted .claude/settings.json (Claude Code session hooks), .vscode/tasks.json, macOS LaunchAgent gh-token-monitor, and Linux systemd user services. Dead-drop C2 used GitHub's public commit search API with commits authored as claude@users.noreply.github.com. This wave represented the first documented npm worm producing packages with valid SLSA Build Level 3 provenance attestations, demonstrating that process integrity controls can be defeated when the legitimate build pipeline itself is hijacked. The attacker's GitHub account voicproducoes (ID 269549300, created March 19, 2026) hosted the malicious fork containing the @tanstack/setup payload (malicious commit: 79ac49eedf774dd4b0cfa308722bc463cfe5885c). 
CVE-2026-45321 was assigned to the TanStack compromise with a CVSS score of 9.6.","heading":"Mini Shai-Hulud Wave 2: TanStack, Mistral AI, UiPath (May 11–12, 2026)","severity":"critical","sources":[{"credibility":2,"name":"Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI and More Packages (The Hacker News)","type":"news_article","url":"https://thehackernews.com/2026/05/mini-shai-hulud-worm-compromises.html"},{"credibility":2,"name":"TeamPCP's Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages (StepSecurity)","type":"research","url":"https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"},{"credibility":2,"name":"TanStack npm Packages Hit by Mini Shai-Hulud (Snyk)","type":"research","url":"https://snyk.io/blog/tanstack-npm-packages-compromised/"},{"credibility":2,"name":"Mini Shai-Hulud Wave Hits 172 npm and PyPI Packages (Mend.io)","type":"research","url":"https://www.mend.io/blog/mini-shai-hulud-is-back-172-npm-and-pypi-packages-compromised-in-latest-wave/"},{"credibility":2,"name":"Mini Shai-Hulud Supply Chain Attack CVE-2026-45321 FAQ (Tenable)","type":"research","url":"https://www.tenable.com/blog/mini-shai-hulud-frequently-asked-questions"},{"credibility":2,"name":"Mini Shai-Hulud: Cross-ecosystem supply chain worm targeting npm and PyPI (Expel)","type":"research","url":"https://expel.com/blog/mini-shai-hulud-cross-ecosystem-supply-chain-worm-targeting-npm-pypi/"},{"credibility":2,"name":"Team PCP's Mini Shai-Hulud tears at open-source trust (ReversingLabs)","type":"research","url":"https://www.reversinglabs.com/blog/mini-shai-hulud-tears-at-oss-trust"}]},{"content":"On May 12–13, 2026, TeamPCP published the complete Shai-Hulud source code to GitHub under an MIT License with the message: \"Shai-Hulud: Open Sourcing The Carnage. Is it vibe coded? Yes. Does it work? Let results speak. 
— Love, TeamPCP.\" The repository included instructions directing potential adopters to \"Change keys and C2 as needed.\" The framework is a modular TypeScript/Bun toolkit implementing credential harvesting, supply chain poisoning, and encrypted exfiltration targeting CI/CD pipelines and developer workstations. Two repositories were published; they remained online for at least 12 hours before GitHub moderation intervened. Forks grew rapidly: one repository accrued 31 forks within hours of publication. Security firm OX Security confirmed copycat npm packages from independent threat actors deploying Shai-Hulud clones within days of the release. One GitHub account (agwagwagwa) submitted a pull request to the malware repository adding FreeBSD support, expanding the potential target surface. Researchers at Mondoo and Datadog published static analysis of the open-sourced framework. The open-sourcing is assessed by analysts as a deliberate \"capability diffusion\" move designed to multiply independent deployers beyond TeamPCP's own operations, complicating attribution of future wave activity.","heading":"Open-Sourcing of the Shai-Hulud Worm (May 12–13, 2026)","severity":"critical","sources":[{"credibility":1,"name":"Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub (The Register)","type":"news_article","url":"https://www.theregister.com/security/2026/05/13/malware-crew-teampcp-open-sources-its-shai-hulud-worm-on-github/5239319"},{"credibility":2,"name":"Shai-Hulud Goes Open Source: Malware Creators Leak Their Own Code to GitHub (OX Security)","type":"research","url":"https://www.ox.security/blog/shai-hulud-open-source-malware-github/"},{"credibility":2,"name":"Shai-Hulud Goes Open Source (Datadog Security Labs)","type":"research","url":"https://securitylabs.datadoghq.com/articles/shai-hulud-open-source-framework-static-analysis/"},{"credibility":2,"name":"When Worm Source Code Goes Open Source: The Shai-Hulud Clones Arrive 
(Mondoo)","type":"research","url":"https://mondoo.com/blog/shai-hulud-clones-arrive-when-worm-source-code-goes-open-source"}]},{"content":"On May 19, 2026, a compromised @antv maintainer account was used to publish 639 malicious package versions across 323 packages in approximately 22 minutes — the largest single-hour package count of any documented Shai-Hulud wave, representing approximately 16 million combined weekly downloads. The attack used the same automated credential-exploitation and bulk-publishing pipeline as prior waves. Snyk and Wiz published detailed analysis of this wave.","heading":"Mini Shai-Hulud Wave 3: AntV Ecosystem (May 19, 2026)","severity":"critical","sources":[{"credibility":2,"name":"Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published via Compromised Maintainer Account (Snyk)","type":"research","url":"https://snyk.io/blog/mini-shai-hulud-antv-npm-supply-chain-attack/"},{"credibility":2,"name":"The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave (Wiz Blog)","type":"research","url":"https://www.wiz.io/blog/mini-shai-hulud-teampcp-hits-antv-supply-chain"}]},{"content":"TeamPCP has operated a formal partnership with the Vect Ransomware Group, announced publicly on BreachForums and confirmed by Dataminr and Industrial Cyber on approximately April 16, 2026. Under this model, TeamPCP provides initial access via compromised supply chain packages and harvested credentials; Vect provides encryption and extortion tooling; BreachForums serves as operational infrastructure for affiliate management, escrow, and key distribution. VECT 2.0 ransomware was separately documented as containing a bug that unintentionally destroys files larger than 128 KB, rendering ransom payment ineffective for enterprise victims. The SANS Internet Storm Center and others reported that Databricks, the cloud data analytics platform, was investigating an alleged security compromise linked to TeamPCP credential harvesting as of late March–April 2026. 
An AstraZeneca data breach of approximately 3 GB was alleged by LAPSUS$ as stemming from TeamPCP-harvested credentials; AstraZeneca had not confirmed this claim at time of reporting. These enterprise victim claims remain alleged pending official confirmation.","heading":"Vect Ransomware Partnership and Enterprise Victim Claims","severity":"critical","sources":[{"credibility":2,"name":"TeamPCP Supply Chain Campaign: Update 004 — Databricks Investigating Alleged Compromise (SANS ISC)","type":"research","url":"https://isc.sans.edu/diary/32846"},{"credibility":2,"name":"Vect formalizes BreachForums and TeamPCP alliance (Industrial Cyber)","type":"news_article","url":"https://industrialcyber.co/ransomware/vect-formalizes-breachforums-and-teampcp-alliance-to-push-model-for-industrialized-ransomware-scale-raas-operations/"},{"credibility":2,"name":"Cyber Intel Brief: Vect, BreachForums, and TeamPCP Converge (Dataminr)","type":"research","url":"https://www.dataminr.com/resources/intel-brief/vect-breachforums-teampcp-converge-in-unprecedented-affiliate-mobilizatio/"},{"credibility":1,"name":"Don't pay VECT a ransom - your big files are likely gone (The Register)","type":"news_article","url":"https://www.theregister.com/2026/04/28/dont_pay_vect_a_ransom/"},{"credibility":2,"name":"VECT 2.0: Paying the Ransom Cannot Recover Enterprise Data (Cloud Security Alliance Labs)","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-vect2-ransomware-wiper-unrecoverable-20260/"}]},{"content":"Across all documented waves, the Shai-Hulud worm family employs a consistent multi-stage architecture. Initial compromise occurs via one or more of: (1) malicious npm packages with preinstall hooks executing set_bun.js; (2) GitHub Actions workflow poisoning via pull_request_target misconfiguration (pwn request); (3) GitHub Actions cache poisoning using pre-computed cache keys. 
The Bun JavaScript runtime is deployed as a stealth execution layer, avoiding Node.js introspection. GitHub Actions runners are impersonated under the SHA1HULUD persona to exfiltrate data. TruffleHog is used to enumerate and extract secrets from CI/CD runner environments. Stolen npm tokens with 2FA bypass capability are used for bulk malicious package publication. The May 2026 waves added OIDC token extraction from runner memory via /proc/{pid}/mem, expanding the attack surface to organizations using keyless signing. Exfiltration in the May 2026 waves used the Session/Oxen P2P network (filev2.getsession.org) and GitHub dead-drop commits authored as claude@users.noreply.github.com. Key IOCs include: C2 domain metrics-trustwallet[.]com (Trust Wallet wave); campaign encryption key 0c0e873033875f1bc471eda37e3b9d0f9b89bd41a4bbb4f86746caa2176c40aa (TanStack wave); malicious payload SHA-256 ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c (router_init.js); GitHub account voicproducoes (ID 269549300); repository description marker \"Goldox-T3chs: Only Happy Girl\" (3.0 variant); persistence paths .claude/settings.json and .vscode/tasks.json. 
The worm targets over 100 file paths across cloud providers (AWS IMDS/ECS metadata, GCP, Azure), HashiCorp Vault, Kubernetes configs, and workstation wallet files including Electrum.","heading":"Technical Attack Mechanism and Indicators of Compromise","severity":"critical","sources":[{"credibility":2,"name":"TanStack npm Packages Hit by Mini Shai-Hulud (Snyk — technical deep-dive)","type":"research","url":"https://snyk.io/blog/tanstack-npm-packages-compromised/"},{"credibility":1,"name":"Microsoft Security Blog: Shai-Hulud 2.0 Guidance","type":"other","url":"https://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/"},{"credibility":2,"name":"Mini Shai-Hulud: Cross-ecosystem supply chain worm targeting npm and PyPI (Expel)","type":"research","url":"https://expel.com/blog/mini-shai-hulud-cross-ecosystem-supply-chain-worm-targeting-npm-pypi/"},{"credibility":2,"name":"Shai-Hulud Part 2: When the Worm Forged Its Own Security Certificate (Vectra)","type":"research","url":"https://www.vectra.ai/blog/shai-hulud-part-2-when-the-worm-forged-its-own-security-certificate"}]},{"content":"The Trust Wallet Chrome extension compromise demonstrates that the primary monetization vector for Shai-Hulud credential harvests is cryptocurrency theft. The worm's target file list includes Electrum wallet files on developer workstations. The C2 infrastructure used in the Trust Wallet wave (metrics-trustwallet[.]com, api.metrics-trustwallet[.]com) was tailored specifically to impersonate a cryptocurrency wallet's analytics infrastructure, suggesting premeditated targeting of the Trust Wallet developer environment. SlowMist's on-chain analysis of the December 2025 heist traced stolen assets through cross-chain bridges and centralized exchanges, consistent with professional money-laundering tradecraft. 
No law enforcement actions or asset freezes have been publicly confirmed as of the research date. The open-sourcing of the worm source code in May 2026 materially expands the population of threat actors capable of targeting cryptocurrency infrastructure via developer supply chain compromise.","heading":"Broader Crypto Targeting","severity":"critical","sources":[{"credibility":2,"name":"Christmas Heist | Analysis of Trust Wallet Browser Extension Hack (SlowMist)","type":"research","url":"https://slowmist.medium.com/christmas-heist-analysis-of-trust-wallet-browser-extension-hack-bdb35c3cc6dd"},{"credibility":3,"name":"Trust Wallet Chrome Extension Hack: $8.5 Million Stolen via v2.68 (H2S Media)","type":"news_article","url":"https://www.how2shout.com/news/trust-wallet-chrome-extension-hack-8-5-million-stolen-v2-68-2025.html"}]},{"content":"Following the open-sourcing of the Shai-Hulud framework on May 12–13, 2026, OX Security detected four malicious npm packages from threat actors independent of TeamPCP deploying Shai-Hulud clones. On approximately June 1, 2026, at least 32 packages in the @redhat-cloud-services npm namespace were reported compromised via a backdoored GitHub Actions workflow distributing malware named Miasma, which Unit 42 and SANS ISC assessed as a Shai-Hulud derivative. The open-sourced framework is described as a modular TypeScript/Bun toolkit for credential harvesting, supply chain poisoning, and encrypted exfiltration, enabling rapid adaptation by actors with limited development capability. The NHS England Digital Cyber Alerts service issued advisory CC-4781 covering the Mini Shai-Hulud supply chain campaign, reflecting the breadth of the risk to enterprise software supply chains beyond the crypto sector. 
The risk of future waves — both from TeamPCP and from the growing population of copycat actors — is assessed as high given the open availability of attack tooling and the continuing prevalence of exploitable pull_request_target misconfiguration patterns across open-source repositories.","heading":"Copycat Threat and Ongoing Risk (May–June 2026)","severity":"high","sources":[{"credibility":2,"name":"Shai-Hulud Goes Open Source: Malware Creators Leak Their Own Code to GitHub (OX Security)","type":"research","url":"https://www.ox.security/blog/shai-hulud-open-source-malware-github/"},{"credibility":1,"name":"Supply Chain Attack Affecting Numerous npm and PyPI Packages (NHS England Digital — Cyber Alert CC-4781)","type":"regulatory","url":"https://digital.nhs.uk/cyber-alerts/2026/cc-4781"},{"credibility":2,"name":"Mini Shai-Hulud: Frequently Asked Questions about the TeamPCP npm and PyPI Supply Chain Campaign (Security Boulevard)","type":"research","url":"https://securityboulevard.com/2026/05/mini-shai-hulud-frequently-asked-questions-about-the-teampcp-npm-and-pypi-supply-chain-campaign/"}]}],"sources_used":[{"credibility":2,"name":"Trust Wallet Chrome Extension Hack Drains $8.5M via Shai-Hulud Supply Chain Attack (The Hacker News)","type":"news_article","url":"https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html"},{"credibility":1,"name":"Trust Wallet Browser Extension v2.68 Incident: An Update to Our Community (Trust Wallet official blog)","type":"official","url":"https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update"},{"credibility":1,"name":"Microsoft Security Blog: Shai-Hulud 2.0 — Guidance for Detecting, Investigating, and Defending Against the Supply Chain Attack","type":"other","url":"https://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/"},{"credibility":2,"name":"SecurityWeek: Shai-Hulud 
Supply Chain Attack Led to $8.5 Million Trust Wallet Heist","type":"news_article","url":"https://www.securityweek.com/shai-hulud-supply-chain-attack-led-to-8-5-million-trust-wallet-heist/"},{"credibility":2,"name":"Christmas Heist | Analysis of Trust Wallet Browser Extension Hack (SlowMist)","type":"research","url":"https://slowmist.medium.com/christmas-heist-analysis-of-trust-wallet-browser-extension-hack-bdb35c3cc6dd"},{"credibility":2,"name":"Explained: The Trust Wallet Hack (December 2025) (Halborn)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-trust-wallet-hack-december-2025"},{"credibility":1,"name":"Users of Binance-owned Trust Wallet lose $7 million to hacked Chrome extension (CoinDesk)","type":"news_article","url":"https://www.coindesk.com/business/2025/12/26/trust-wallet-users-lose-more-than-usd7-million-to-hacked-chrome-extension"},{"credibility":2,"name":"TeamPCP's Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages (StepSecurity)","type":"research","url":"https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"},{"credibility":2,"name":"TanStack npm Packages Hit by Mini Shai-Hulud (Snyk)","type":"research","url":"https://snyk.io/blog/tanstack-npm-packages-compromised/"},{"credibility":2,"name":"Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI and More Packages (The Hacker News)","type":"news_article","url":"https://thehackernews.com/2026/05/mini-shai-hulud-worm-compromises.html"},{"credibility":1,"name":"The npm Threat Landscape: Attack Surface and Mitigations (Unit 42, updated May 21, 2026)","type":"research","url":"https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/"},{"credibility":1,"name":"Weaponizing the Protectors: TeamPCP's Multi-Stage Supply Chain Attack on Security Infrastructure (Unit 
42)","type":"research","url":"https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/"},{"credibility":2,"name":"Team PCP's Mini Shai-Hulud tears at open-source trust (ReversingLabs)","type":"research","url":"https://www.reversinglabs.com/blog/mini-shai-hulud-tears-at-oss-trust"},{"credibility":2,"name":"Mini Shai-Hulud Supply Chain Attack CVE-2026-45321 FAQ (Tenable)","type":"research","url":"https://www.tenable.com/blog/mini-shai-hulud-frequently-asked-questions"},{"credibility":2,"name":"Mini Shai-Hulud Wave Hits 172 npm and PyPI Packages (Mend.io)","type":"research","url":"https://www.mend.io/blog/mini-shai-hulud-is-back-172-npm-and-pypi-packages-compromised-in-latest-wave/"},{"credibility":2,"name":"Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published via Compromised Maintainer Account (Snyk)","type":"research","url":"https://snyk.io/blog/mini-shai-hulud-antv-npm-supply-chain-attack/"},{"credibility":2,"name":"The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave (Wiz)","type":"research","url":"https://www.wiz.io/blog/mini-shai-hulud-teampcp-hits-antv-supply-chain"},{"credibility":1,"name":"Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub (The Register)","type":"news_article","url":"https://www.theregister.com/security/2026/05/13/malware-crew-teampcp-open-sources-its-shai-hulud-worm-on-github/5239319"},{"credibility":2,"name":"Shai-Hulud Goes Open Source: Malware Creators Leak Their Own Code to GitHub (OX Security)","type":"research","url":"https://www.ox.security/blog/shai-hulud-open-source-malware-github/"},{"credibility":2,"name":"Shai-Hulud Goes Open Source — static analysis (Datadog Security Labs)","type":"research","url":"https://securitylabs.datadoghq.com/articles/shai-hulud-open-source-framework-static-analysis/"},{"credibility":2,"name":"The Holiday Whisper: Shai-Hulud 3.0 (Snyk)","type":"research","url":"https://snyk.io/blog/shai-hulud-3-0/"},{"credibility":2,"name":"TeamPCP - Cloud Threat Landscape 
(Wiz Threat Actors)","type":"research","url":"https://threats.wiz.io/all-actors/teampcp"},{"credibility":2,"name":"TeamPCP Supply Chain Campaign: Update 004 — Databricks Investigating Alleged Compromise (SANS ISC)","type":"research","url":"https://isc.sans.edu/diary/32846"},{"credibility":2,"name":"Vect formalizes BreachForums and TeamPCP alliance to push model for industrialized ransomware (Industrial Cyber)","type":"news_article","url":"https://industrialcyber.co/ransomware/vect-formalizes-breachforums-and-teampcp-alliance-to-push-model-for-industrialized-ransomware-scale-raas-operations/"},{"credibility":1,"name":"Don't pay VECT a ransom — your big files are likely gone (The Register)","type":"news_article","url":"https://www.theregister.com/2026/04/28/dont_pay_vect_a_ransom/"},{"credibility":2,"name":"Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign (The Hacker News)","type":"news_article","url":"https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html"},{"credibility":1,"name":"Supply Chain Attack Affecting Numerous npm and PyPI Packages (NHS England Digital — Cyber Alert CC-4781)","type":"regulatory","url":"https://digital.nhs.uk/cyber-alerts/2026/cc-4781"},{"credibility":2,"name":"Mini Shai-Hulud: Frequently Asked Questions about the TeamPCP npm and PyPI Supply Chain Campaign (Security Boulevard)","type":"research","url":"https://securityboulevard.com/2026/05/mini-shai-hulud-frequently-asked-questions-about-the-teampcp-npm-and-pypi-supply-chain-campaign/"},{"credibility":2,"name":"TeamPCP Hits SAP Packages With 'Mini Shai-Hulud' Attack (Dark Reading)","type":"news_article","url":"https://www.darkreading.com/cloud-security/teampcp-sap-packages-mini-shai-hulud"},{"credibility":2,"name":"Mini Shai-Hulud: The Worm Returns and Goes Public (Akamai)","type":"research","url":"https://www.akamai.com/blog/security-research/mini-shai-hulud-worm-returns-goes-public"},{"credibility":2,"name":"Mini Shai-Hulud: Cross-ecosystem supply 
chain worm targeting npm and PyPI (Expel)","type":"research","url":"https://expel.com/blog/mini-shai-hulud-cross-ecosystem-supply-chain-worm-targeting-npm-pypi/"}],"summary":"Shai-Hulud is a self-replicating supply chain worm attributed to the financially motivated threat group TeamPCP (also tracked as DeadCatx3, PCPcat, ShellForce, CipherForce, and UNC6780 by Google's Threat Intelligence Group). Active since September 2025, the campaign has compromised hundreds of npm and PyPI packages by harvesting CI/CD credentials through malicious preinstall lifecycle hooks, directly enabling the Trust Wallet Chrome extension hack of December 2025 in which approximately $8.5 million was stolen from 2,520 wallets. As of June 2026, the campaign remains active through copycat variants following TeamPCP's public open-sourcing of the worm's source code on May 12–13, 2026.","timeline":[{"date":"2025-09-01","event":"Original Shai-Hulud worm first detected in the npm ecosystem; 500+ packages compromised via malicious preinstall hooks; credentials harvested from 25,000+ GitHub repositories.","source":"Unit 42 / The npm Threat Landscape","source_url":"https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/"},{"date":"2025-11-24","event":"Shai-Hulud 2.0 peak activity: 640+ npm packages infected within days; 25,000+ data-leaking GitHub repositories created; Zapier, PostHog, and Postman developer tooling among affected parties.","source":"SecurityWeek","source_url":"https://www.securityweek.com/shai-hulud-supply-chain-attack-led-to-8-5-million-trust-wallet-heist/"},{"date":"2025-12-08","event":"Attacker registers domain metrics-trustwallet[.]com in preparation for Trust Wallet extension compromise.","source":"SlowMist Christmas Heist Analysis","source_url":"https://slowmist.medium.com/christmas-heist-analysis-of-trust-wallet-browser-extension-hack-bdb35c3cc6dd"},{"date":"2025-12-09","event":"Microsoft Security Blog publishes formal Shai-Hulud 2.0 detection, investigation, 
and defense guidance.","source":"Microsoft Security Blog","source_url":"https://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/"},{"date":"2025-12-24","event":"Malicious Trust Wallet Chrome extension v2.68 published at 12:32 PM UTC using stolen Chrome Web Store API key; active wallet mnemonic harvesting begins.","source":"Trust Wallet official incident update","source_url":"https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update"},{"date":"2025-12-25","event":"Security researchers publicly report wallet drains; Trust Wallet acknowledges incident.","source":"The Hacker News","source_url":"https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html"},{"date":"2025-12-26","event":"Malicious Trust Wallet extension exfiltration window closes at 11:00 UTC; Trust Wallet releases clean version 2.69; reimbursement process initiated. Final loss: approximately $8.5 million across 2,520 wallets.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2025/12/26/trust-wallet-users-lose-more-than-usd7-million-to-hacked-chrome-extension"},{"date":"2025-12-28","event":"Shai-Hulud 3.0 'The Golden Path' variant discovered by researcher Charlie Eriksen propagating via @vietmoney/react-big-calendar@0.26.2; dead-man's switch removed from this variant.","source":"Snyk","source_url":"https://snyk.io/blog/shai-hulud-3-0/"},{"date":"2026-04-22","event":"Bitwarden CLI @bitwarden/cli@2026.4.0 compromised for approximately 93 minutes via backdoored Checkmarx GitHub Actions workflow; 334 developer downloads of the malicious version; payload embedded string 'Shai-Hulud: The Third Coming'.","source":"The Hacker News","source_url":"https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html"},{"date":"2026-04-29","event":"Mini Shai-Hulud targets SAP CAP ecosystem: @cap-js/sqlite, @cap-js/postgres, 
@cap-js/db-service, and mbt packages compromised (~570,000 combined weekly downloads).","source":"Dark Reading","source_url":"https://www.darkreading.com/cloud-security/teampcp-sap-packages-mini-shai-hulud"},{"date":"2026-05-11","event":"Mini Shai-Hulud Wave 2 begins at 19:20 UTC: 84 malicious @tanstack package versions published in 6 minutes via GitHub Actions pwn request and OIDC token extraction; worm propagates to 172 unique packages / 403 malicious versions across npm and PyPI within 48 hours. CVE-2026-45321 (CVSS 9.6) assigned.","source":"StepSecurity","source_url":"https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"},{"date":"2026-05-12","event":"TeamPCP publishes Shai-Hulud worm source code to GitHub under MIT License: 'Open Sourcing The Carnage.' Copycat forks and clone packages begin appearing within hours.","source":"The Register","source_url":"https://www.theregister.com/security/2026/05/13/malware-crew-teampcp-open-sources-its-shai-hulud-worm-on-github/5239319"},{"date":"2026-05-19","event":"Mini Shai-Hulud Wave 3: Compromised @antv maintainer account used to publish 639 malicious versions across 323 packages in ~22 minutes (~16 million weekly downloads); largest single-hour package count of any documented Shai-Hulud wave.","source":"Snyk / Wiz","source_url":"https://snyk.io/blog/mini-shai-hulud-antv-npm-supply-chain-attack/"},{"date":"2026-06-01","event":"At least 32 packages in the @redhat-cloud-services npm namespace reported compromised via a backdoored GitHub Actions workflow distributing Miasma, assessed as a Shai-Hulud derivative by Unit 42.","source":"Unit 42 / SANS ISC","source_url":"https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 789dfe4c-3aff-46bf-886d-ade117e14c7b
How verification works. The “Row integrity” check above runs in your browser: the page's script recomputes the SHA-256 of the canonical bytes, base58-encodes the digest and compares the result against the stored hash. That proves only that the bytes and the hash shown on this page agree with each other, and the comparison is done by JavaScript served from avoid.net, so it is not independent of the site. The “full verify” link goes one level deeper: your browser fetches the anchoring transaction from a Solana RPC node and confirms the memo carries the same hash, which ties the bytes to the slot at which the memo was written. A match shows the record has not changed since it was anchored, not that its contents are accurate. If you don't want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine: python -m src.verify_decision <event_id>.
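The row-integrity step described above, as an added Python example that is not the avoid.net src.verify_decision code and talks to no RPC node. It assumes the hash field is base58(SHA-256(canonical bytes)) using the Bitcoin/Solana base58 alphabet (the page labels the field "sha256 → base58") and it hashes the bytes exactly as served; the sample record, its key ordering and compact separators are constructed for the example, not taken from the real canonicalization rule, and the memo check takes an already-fetched memo string rather than querying the chain.

```python
"""Recompute an audit-log row hash: sha256 -> base58, then compare.

Added example, not avoid.net's verifier. The canonicalization rule used
for the sample (sorted keys, no whitespace, UTF-8) is an assumption; a
real check hashes the served bytes verbatim and never re-serialises them.
"""
import hashlib
import hmac
import json

# Bitcoin/Solana base58 alphabet (no 0, O, I, l).
_B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58_encode(raw: bytes) -> str:
    """Encode bytes as base58; each leading 0x00 byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    digits = bytearray()
    while n > 0:
        n, rem = divmod(n, 58)
        digits.append(_B58_ALPHABET[rem])
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + digits[::-1].decode("ascii")


def row_hash(canonical: bytes) -> str:
    """The derivation shown beside the hash on the page: sha256 -> base58."""
    return base58_encode(hashlib.sha256(canonical).digest())


def verify_row(canonical: bytes, stored_hash: str) -> bool:
    """Witness 1: the bytes on the page match the hash on the page."""
    return hmac.compare_digest(row_hash(canonical).encode(), stored_hash.encode())


def memo_matches(memo_text: str, stored_hash: str) -> bool:
    """Witness 2: the memo read back from the anchoring transaction carries
    the same hash. memo_text is whatever your RPC client returned for the
    memo instruction; only surrounding whitespace is tolerated."""
    return hmac.compare_digest(memo_text.strip().encode(), stored_hash.encode())


def record_summary(canonical: bytes) -> dict:
    """Parse for display only (actor, kind, sequence_num). Hashing must use
    the raw bytes, because a parsed-and-reserialised copy may differ."""
    rec = json.loads(canonical.decode("utf-8"))
    return {k: rec.get(k) for k in ("actor", "kind", "sequence_num")}


def tampered(canonical: bytes) -> bytes:
    """Return a copy with one field changed, to show the check failing."""
    changed = canonical.replace(b'"sequence_num":1', b'"sequence_num":2', 1)
    if changed == canonical:  # pattern absent: flip one bit of the last byte
        changed = canonical[:-1] + bytes([canonical[-1] ^ 0x01])
    return changed


# Constructed sample record (assumption: sorted keys, compact separators).
SAMPLE_RECORD = {
    "actor": "system:backfill",
    "kind": "publish",
    "page_slug": "shai-hulud-teampcp-supply-chain-attack",
    "sequence_num": 1,
    "v": 1,
}
SAMPLE_CANONICAL = json.dumps(
    SAMPLE_RECORD, sort_keys=True, separators=(",", ":")
).encode("utf-8")


if __name__ == "__main__":
    stored = row_hash(SAMPLE_CANONICAL)  # stands in for the page's hash field
    print("record:", record_summary(SAMPLE_CANONICAL))
    print("hash:  ", stored)
    print("row integrity (served bytes):", verify_row(SAMPLE_CANONICAL, stored))
    print("row integrity (tampered):    ", verify_row(tampered(SAMPLE_CANONICAL), stored))
    # Re-serialising the parsed record with different whitespace changes
    # every byte that is hashed, so the same content no longer verifies.
    pretty = json.dumps(json.loads(SAMPLE_CANONICAL), indent=2).encode("utf-8")
    print("row integrity (pretty-printed):", verify_row(pretty, stored))
    print("memo witness:", memo_matches("  " + stored + "\n", stored))
```

The pretty-printed case is the caveat that matters in practice: the hash commits to bytes, not to meaning, so any verifier that parses the JSON and serialises it again is checking its own output rather than the record that was anchored. Pass the downloaded canonical bytes straight to verify_row and use the parsed form only for reading fields.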