
Verify a decision

Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.

How verification works

  1. We commit. When a moderator accepts or rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash those bytes with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
  2. We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
  3. You compare three values: the hash in our database, the hash you recomputed yourself, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.

The on-chain memo format is AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>

Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.
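The three-step check above, written out as an added example (this is not the site's own src.verify_decision module). It assumes two things the page does not spell out: that the base58 string is the raw 32-byte SHA-256 digest encoded with the Bitcoin/Solana alphabet (the 43-character database hash shown on this page is consistent with that), and that the canonical bytes are the UTF-8 encoding of payload_canonical_string exactly as stored. The sample decision, its id and its timestamp are constructed; the compact, key-sorted JSON layout mirrors what the stored bytes on this page look like but is only an assumption about the real serializer.

```python
"""Recompute an AVOID.NET decision anchor and compare the three hashes.

Added example for this page; not the site's own src.verify_decision module.
Assumptions not stated on the page: the hash is base58 (Bitcoin/Solana
alphabet) of the raw 32-byte SHA-256 digest, and the canonical bytes are the
UTF-8 encoding of payload_canonical_string exactly as stored.
"""
import hashlib
import json

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
MEMO_PREFIX = "AVOID.NET|v1|"


def b58encode(raw: bytes) -> str:
    """Plain base58 (no checksum): big-endian integer conversion, with each
    leading zero byte becoming a leading '1', as Solana/Bitcoin tooling does."""
    n = int.from_bytes(raw, "big")
    digits = ""
    while n > 0:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * zeros + digits


def decision_hash_b58(canonical: str) -> str:
    """SHA-256 over the UTF-8 canonical bytes, base58-encoded."""
    return b58encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def build_memo(h: str, decision_id: str, iso_time: str) -> str:
    """Produce the page's memo layout: AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>."""
    return f"{MEMO_PREFIX}h:{h}|d:{decision_id}|t:{iso_time}"


def parse_memo(memo: str) -> dict:
    """Strict parser for the v1 memo: rejects other versions, unknown,
    duplicated, empty or missing fields instead of guessing."""
    if not memo.startswith(MEMO_PREFIX):
        raise ValueError("not an AVOID.NET v1 memo")
    fields = {}
    for part in memo[len(MEMO_PREFIX):].split("|"):
        key, sep, value = part.partition(":")  # ISO times contain ':', so split only once
        if sep != ":" or key not in ("h", "d", "t") or key in fields or not value:
            raise ValueError(f"malformed memo field: {part!r}")
        fields[key] = value
    if set(fields) != {"h", "d", "t"}:
        raise ValueError("memo is missing a required field")
    return fields


def verify(db_hash: str, canonical: str, memo: str) -> dict:
    """The three-way comparison the page describes: database hash,
    independently recomputed hash, and the hash carried in the memo."""
    recomputed = decision_hash_b58(canonical)
    fields = parse_memo(memo)
    return {
        "database": db_hash,
        "recomputed": recomputed,
        "on_chain": fields["h"],
        "decision_id": fields["d"],
        "off_chain_time": fields["t"],
        "ok": db_hash == recomputed == fields["h"],
    }


# Constructed sample decision (not a real AVOID.NET record). The stored bytes on
# the page look like compact JSON with sorted keys, so the sample mirrors that;
# the real serializer is the site's payload_canonical_string, not this call.
SAMPLE_DECISION = {
    "actor": "moderator:example",
    "investigation_id": "00000000-0000-4000-8000-000000000000",
    "kind": "publish",
    "published_at": "2026-06-24T12:35:10.025Z",
    "sequence_num": 1,
}
SAMPLE_CANONICAL = json.dumps(
    SAMPLE_DECISION, separators=(",", ":"), sort_keys=True, ensure_ascii=False
)


def demo() -> tuple:
    """Happy path, then the same record with a single trailing space added:
    any byte-level change to the canonical string breaks the match."""
    h = decision_hash_b58(SAMPLE_CANONICAL)
    memo = build_memo(h, SAMPLE_DECISION["investigation_id"], SAMPLE_DECISION["published_at"])
    good = verify(h, SAMPLE_CANONICAL, memo)
    tampered = verify(h, SAMPLE_CANONICAL + " ", memo)
    return good, tampered


if __name__ == "__main__":
    good, tampered = demo()
    print("match:", good["ok"], good["recomputed"])
    print("after appending one byte:", tampered["ok"], tampered["recomputed"])
```

To use this against a real decision, paste the "Canonical bytes hashed" text as `canonical`, the database value as `db_hash`, and the memo string from the Solana transaction as `memo`; the recomputed hash must be taken over the bytes exactly as stored, since even a trailing newline added by copy-and-paste changes the digest.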

Sequence: #1
Score:
Cluster: mainnet-beta
Slot: 428591848
Off-chain at: 2026-06-24T12:35:10.214Z
Anchored at:
Block time:

Independent verification

1. Database (off-chain): tQsts2QsjZsTzzcgrdjQaQKD7twscgTS9PQrTpNbtyF
2. Recomputed (your browser): computing…
3. On-chain (Solana memo): fetching…
Canonical bytes hashed (39630 chars)
{"actor":"system:backfill","investigation_id":"ed8f7bf4-9662-499a-862a-48e58055ea60","kind":"publish","page_slug":"teampcp-mini-shai-hulud-npm-supply-chain-worm","published_at":"2026-06-24T12:35:10.025Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"TeamPCP / Mini Shai-Hulud npm Supply Chain Worm","sections":[{"content":"TeamPCP is a threat actor group that operates in the software supply chain attack space, primarily targeting the npm and PyPI ecosystems. The group is responsible for the 'Mini Shai-Hulud' worm campaign — named after the sandworm creature in Frank Herbert's Dune universe — a pattern reflected throughout their infrastructure in branch names (fremen, melange, sandworm) and repository markers. The group has demonstrated advanced operational security and technical capability, including the ability to bypass SLSA Build Level 3 provenance attestations — a significant advancement in supply chain attack sophistication. On May 12, 2026, TeamPCP open-sourced the Mini Shai-Hulud worm under an MIT license on GitHub alongside BreachForums posts encouraging independent campaigns, effectively democratizing the attack framework and enabling copycat variants including Miasma and Hades. The group's attribution identifier UNC6780 has been used in some security research contexts. 
The cumulative scale of their operations through June 2026 encompasses 600 malicious npm packages, 2,500+ compromised GitHub repositories, and confirmed active payload execution across multiple enterprise environments.","heading":"Threat Actor Overview","severity":"critical","sources":[{"credibility":2,"name":"TanStack and 160+ npm/PyPI Packages Compromised in Supply Chain Worm Attack — Orca Security","type":"research","url":"https://orca.security/resources/blog/tanstack-npm-supply-chain-worm/"},{"credibility":2,"name":"TeamPCP / Mini Shai-Hulud npm Campaign: 600 Packages, Confirmed Active Payload — Phoenix Security","type":"research","url":"https://phoenix.security/teampcp-mini-shai-hulud-npm-atool-maintainer-compromise-2026/"},{"credibility":2,"name":"Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks — SecurityWeek","type":"news_article","url":"https://www.securityweek.com/over-100-npm-pypi-packages-hit-in-new-shai-hulud-supply-chain-attacks/"}]},{"content":"The primary Mini Shai-Hulud deployment occurred on May 11, 2026. The attacker's GitHub account 'voicproducoes' (ID: 269549300, email: voicproducoes@gmail.com) was created on March 19, 2026, and used to establish a malicious fork of TanStack/router on May 10, 2026. The attack exploited three sequential GitHub Actions vulnerabilities: first, the attacker opened a pull request against TanStack/router that triggered the pull_request_target workflow; second, the attacker poisoned the GitHub Actions cache with malicious pnpm store binaries; third, when maintainers merged and triggered release workflows, the contaminated cache restored attacker-controlled binaries that extracted OIDC tokens directly from runner process memory via /proc/pid/mem. 
According to TanStack's own post-incident analysis, 'The attacker managed to engineer a path where our own CI pipeline stole its own publish token for them, at the exact moment it was created, by way of a cache that everyone in the chain implicitly trusted.' No maintainer credentials were directly compromised. The attack published 84 malicious versions across 42 @tanstack packages, collectively downloaded millions of times weekly. Within five hours, the self-propagating worm had published over 400 malicious versions across 172 distinct packages. Affected namespaces included @tanstack (83 entries), @uipath (66 entries), @squawk (87 entries), @mistralai, and PyPI packages guardrails-ai 0.10.1 and mistralai 2.4.6. The worm carried a 2.3 MB obfuscated payload inserted into tarballs outside the normal build process, resulting in compromised tarballs measuring approximately 900 KB versus 190 KB for clean versions. The campaign was rated 100/100 criticality by Aikido Security.","heading":"Initial TanStack Campaign (May 2026)","severity":"critical","sources":[{"credibility":2,"name":"Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Hits the npm Ecosystem — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"},{"credibility":2,"name":"TanStack Supply Chain Attack Hits Two OpenAI Employee Devices — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/05/tanstack-supply-chain-attack-hits-two.html"},{"credibility":2,"name":"TanStack and 160+ npm/PyPI Packages Compromised in Supply Chain Worm Attack — Orca Security","type":"research","url":"https://orca.security/resources/blog/tanstack-npm-supply-chain-worm/"}]},{"content":"The Mini Shai-Hulud worm is defined by its autonomous self-propagation capability. 
Upon installation on a victim system, the malicious npm lifecycle hooks execute a multi-stage payload: the worm identifies all npm packages for which the victim holds publish rights by querying the npm registry, then exchanges stolen GitHub OIDC tokens for per-package publish credentials, and autonomously publishes infected versions of each identified package. This cascade mechanism converts each new victim into an unwitting amplifier of the attack. The provenance bypass is technically significant: compromised packages carry valid SLSA Build Level 3 provenance attestations generated via GitHub's OIDC token infrastructure, meaning standard supply chain verification checks pass on malicious packages. Security researchers at Orca Security noted that 'provenance alone is not a reliable safety signal for this attack,' and StepSecurity observed that 'valid SLSA provenance confirms which pipeline produced the artifact, not whether the pipeline was behaving as intended.' The worm includes a FIRESCALE fallback mechanism that searches GitHub commit messages for alternative C2 server URLs, verified against an embedded RSA key, providing resilience against infrastructure takedown.","heading":"Worm Propagation Mechanism","severity":"critical","sources":[{"credibility":2,"name":"TanStack and 160+ npm/PyPI Packages Compromised in Supply Chain Worm Attack — Orca Security","type":"research","url":"https://orca.security/resources/blog/tanstack-npm-supply-chain-worm/"},{"credibility":2,"name":"Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Hits the npm Ecosystem — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"}]},{"content":"Two OpenAI corporate employee devices were confirmed compromised during the TanStack campaign, with attackers gaining unauthorized access and conducting credential-focused exfiltration activity against internal source code repositories. 
OpenAI stated that 'no user data, production systems, or intellectual property were compromised or modified,' and that only limited credential material was extracted. As a direct response, OpenAI revoked code-signing certificates for its iOS, macOS, and Windows products and issued new certificates. Affected applications requiring update before June 12, 2026 — the date old certificates were to be revoked — included ChatGPT Desktop, Codex App, Codex CLI, and Atlas. The certificate revocation represents a significant operational response affecting all end users of these consumer products. Separately, a GitHub employee installed a trojanized VS Code extension (Nx Console, a verified publisher extension with 2.2 million installs) on May 18, 2026; the malicious version was live for approximately 11 minutes, during which TeamPCP exfiltrated approximately 3,800 GitHub internal repositories.","heading":"OpenAI Compromise and Certificate Revocations","severity":"critical","sources":[{"credibility":1,"name":"Our Response to the TanStack npm Supply Chain Attack — OpenAI","type":"official","url":"https://openai.com/index/our-response-to-the-tanstack-npm-supply-chain-attack/"},{"credibility":2,"name":"TanStack Supply Chain Attack Hits Two OpenAI Employee Devices — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/05/tanstack-supply-chain-attack-hits-two.html"},{"credibility":2,"name":"GitHub Internal Repository Breach via Poisoned VS Code Extension (May 2026) — Phoenix Security","type":"research","url":"https://phoenix.security/vs-code-extension-malware-github-breach-teampcp-2026/"}]},{"content":"A core capability of the Mini Shai-Hulud payload is the targeting of cryptocurrency assets. The second-stage cross-platform RAT specifically targets 166 cryptocurrency-related browser extensions. Named targets identified in security research include MetaMask and Phantom wallet extensions. 
Beyond browser extensions, the malware also harvests local cryptocurrency wallet files across multiple asset classes: Solana, Ethereum, and Bitcoin wallet data, as well as files associated with the Exodus and Atomic Wallet applications. The malware additionally collects Monero wallet information, consistent with the threat actor's own stated preference for Monero-denominated ransom payments (TeamPCP announced a supply chain attack contest offering $1,000 in Monero for compromising open-source packages, and threatened to release 5 GB of Mistral AI source code unless paid $25,000 in Monero). This targeting profile makes any developer who installs a compromised package on a machine used for crypto activity a direct theft target, not merely a credential exfiltration target.","heading":"Cryptocurrency and Wallet Targeting","severity":"critical","sources":[{"credibility":2,"name":"TanStack and 160+ npm/PyPI Packages Compromised in Supply Chain Worm Attack — Orca Security","type":"research","url":"https://orca.security/resources/blog/tanstack-npm-supply-chain-worm/"},{"credibility":2,"name":"TanStack Supply Chain Attack Hits Two OpenAI Employee Devices — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/05/tanstack-supply-chain-attack-hits-two.html"},{"credibility":2,"name":"North Korean Hackers Blamed for Mastra NPM Supply Chain Attack — SecurityWeek","type":"news_article","url":"https://www.securityweek.com/north-korean-hackers-blamed-for-mastra-npm-supply-chain-attack/"}]},{"content":"The Mini Shai-Hulud payload employs a comprehensive credential harvesting strategy. A Python script reads GitHub Actions Runner.Worker process memory via /proc/*/mem to extract all secrets, including secrets masked in CI logs that are never written to disk. 
Over 100 hardcoded file paths are targeted, encompassing: cloud credentials (AWS, Azure, GCP, Kubernetes service account tokens, HashiCorp Vault tokens); development tool credentials (npm tokens, PyPI credentials, Docker credentials, Git configuration, SSH keys, GPG keys); AI tool configurations (Claude Code settings, Kiro configurations, LLM API keys); cryptocurrency wallets (Bitcoin, Ethereum, Solana, Monero, Exodus, Atomic Wallet); messaging applications; and VPN configurations. A persistent daemon named 'gh-token-monitor' is installed when a valid GitHub token with repository write access and organization membership is detected. This daemon persists via macOS LaunchAgent plist at ~/Library/LaunchAgents/com.user.gh-token-monitor.plist or Linux systemd user service at ~/.config/systemd/user/gh-token-monitor.service. It polls GitHub every 60 seconds for token status. Critically, upon token revocation the daemon executes 'rm -rf ~/' — wiping the entire user home directory. This DEADMAN_SWITCH mechanism requires that the persistence daemon be located and removed before any credential rotation occurs. Additional persistence mechanisms include Claude Code SessionStart hooks (injecting payload at .claude/router_runtime.js), VS Code task triggers on folder open (via .vscode/setup.mjs), and injected GitHub Actions workflows that exfiltrate secrets on subsequent CI runs. These payload files survive package uninstallation. 
Exfiltration uses three channels: the Session Protocol CDN (filev2.getsession.org) with RSA-4096-OAEP-wrapped AES-256-GCM encryption; GitHub GraphQL API dead-drops with commits authored as claude@users.noreply.github.com and Dune-themed branch names; and the typosquat domain git-tanstack.com.","heading":"Credential Harvesting and Persistence","severity":"critical","sources":[{"credibility":2,"name":"Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Hits the npm Ecosystem — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"},{"credibility":2,"name":"TanStack and 160+ npm/PyPI Packages Compromised in Supply Chain Worm Attack — Orca Security","type":"research","url":"https://orca.security/resources/blog/tanstack-npm-supply-chain-worm/"},{"credibility":2,"name":"CA-26-018: Miasma/Mini Shai-Hulud Compromise of Red Hat npm Packages — Deepwatch","type":"research","url":"https://www.deepwatch.com/labs/ca-26-018-miasma-mini-shai-hulud-compromise-of-red-hat-npm-packages/"}]},{"content":"Following TeamPCP's open-sourcing of Mini Shai-Hulud source code on May 12, 2026, a derivative campaign named Miasma emerged targeting Red Hat Cloud Services npm packages. On June 1, 2026, a compromised Red Hat employee GitHub account was used to inject malicious orphan commits into the RedHatInsights repositories, bypassing code review. Two attack waves occurred: the first at 10:53 UTC targeting frontend-components, javascript-clients, and platform-frontend-ai-toolkit repositories, and the second at 13:44-13:46 UTC. The attack exploited GitHub Actions trusted publishing — requesting short-lived OIDC tokens via id-token: write permissions — to publish 96 malicious versions across 32 packages in the @redhat-cloud-services namespace. These packages had a combined weekly download count of 116,991. 
Notable compromised packages included frontend-components (versions 7.7.2, 7.7.3, 7.7.5) and compliance-client (versions 4.0.3, 4.0.4, 4.0.6). The Miasma payload, at 4.2 MB, features four-layer obfuscation, Bun-as-runtime execution, and AES-GCM payload staging through /tmp. Uniquely, Miasma encrypts the payload uniquely per infection, defeating hash-based indicators of compromise. The variant replaced Mini Shai-Hulud's Dune universe references with Greek mythology references, and repository descriptions read 'Miasma: The Spreading Blight.' It also targets 13 AI coding tools for SessionStart hook injection, including Claude Code, GitHub Copilot, and Gemini CLI. Security researchers at Wiz, Aikido Security, and Upwind noted tradecraft parallels with TeamPCP's techniques but cautioned that the open-sourced code enabled copycat actors, making definitive attribution to TeamPCP directly uncertain for this variant.","heading":"Red Hat Miasma Variant (June 2026)","severity":"critical","sources":[{"credibility":2,"name":"Miasma Supply Chain Attack Compromises Red Hat npm Packages — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.html"},{"credibility":2,"name":"Miasma: Supply Chain Attack Targeting Red Hat npm Packages — Wiz","type":"research","url":"https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages"},{"credibility":2,"name":"Red Hat npm Packages Compromised to Spread a Credential-Stealing Worm — Aikido Security","type":"research","url":"https://www.aikido.dev/blog/red-hat-npm-packages-compromised-credential-stealing-worm"},{"credibility":2,"name":"Shai-Hulud malware worms Red Hat npm package versions downloaded 80K times a week — The Register","type":"news_article","url":"https://www.theregister.com/security/2026/06/01/shai-hulud-malware-infects-red-hat-npm-packages-downloaded-80k-times-weekly/5249803"},{"credibility":2,"name":"Miasma NPM Supply Chain Attack: Red Hat Cloud 
Services npm Packages — Phoenix Security","type":"research","url":"https://phoenix.security/miasma-redhat-cloud-services-npm-supply-chain-shai-hulud-variant/"}]},{"content":"On June 17, 2026, 141 npm packages across the Mastra AI framework ecosystem were compromised in a 45-minute window. Mastra is an open-source TypeScript framework for building AI agents, workflows, and RAG pipelines, with approximately 8 million weekly downloads across the affected packages. The attack involved compromising the 'ehindero' npm maintainer account, which held publishing rights across the Mastra ecosystem. Attackers pre-positioned a typosquat package named easy-day-js — mimicking the legitimate dayjs date library — published under a separate account ('sergey2016') before the main attack. The easy-day-js dependency was then injected into 141 packages such that the latest version would install automatically. An obfuscated postinstall dropper fetched a second-stage payload from attacker servers, wrote it to the temp directory, executed it as a detached hidden background process, and deleted itself to hinder forensics. The payload targets Windows, macOS, and Linux systems and, consistent with the broader campaign, targets cryptocurrency browser extensions. Microsoft's Defender Security Research Team and Threat Intelligence formally attributed this attack to Sapphire Sleet, a North Korean state-sponsored APT also known as BlueNoroff, CageyChameleon, Copernicium, and Stardust Chollima. Microsoft's blog post was published June 17, 2026. Sapphire Sleet had previously been blamed for the Axios npm supply chain attack in April 2026. 
The relationship between Sapphire Sleet's Mastra campaign and TeamPCP's Mini Shai-Hulud worm has not been definitively established by public reporting; the Mastra attack may represent independent North Korean exploitation of the post-open-source Mini Shai-Hulud tooling, or a separate but temporally overlapping campaign.","heading":"Mastra AI Campaign and North Korean APT Attribution (June 2026)","severity":"critical","sources":[{"credibility":2,"name":"North Korean Hackers Blamed for Mastra NPM Supply Chain Attack — SecurityWeek","type":"news_article","url":"https://www.securityweek.com/north-korean-hackers-blamed-for-mastra-npm-supply-chain-attack/"},{"credibility":1,"name":"From package to postinstall payload: Inside the Mastra npm supply chain compromise by Sapphire Sleet — Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/"},{"credibility":2,"name":"Microsoft links Mastra AI supply chain attack to North Korean hackers — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/microsoft-links-mastra-ai-supply-chain-attack-to-north-korean-hackers/"},{"credibility":2,"name":"Over 140 popular Mastra npm Packages Hit by Supply Chain Attack — Aikido Security","type":"research","url":"https://www.aikido.dev/blog/over-140-popular-mastra-npm-packages-hit-by-supply-chain-attack"},{"credibility":2,"name":"Microsoft Attributes Mastra AI Supply Chain Attack to North Korea — Infosecurity Magazine","type":"news_article","url":"https://www.infosecurity-magazine.com/news/mastra-ai-supply-chain-attack/"}]},{"content":"Concurrent with the npm-focused Miasma campaign, a PyPI variant named Hades emerged, characterized by the string 'Hades – The End for the Damned.' The Hades variant uses *-setup.pth files to execute at Python startup and fetches the Bun JavaScript runtime to execute malicious code. 
An initial wave targeted 19 packages; a second wave on June 8, 2026 compromised at least 29 additional packages, targeting bioinformatics, graph machine learning, and Model Context Protocol (MCP)-themed packages. Cumulatively, by June 5, 2026, at least 57 npm packages and 300+ malicious versions had been identified under the Miasma/Hades umbrella campaigns. Total malicious artifacts across all ecosystems exceeded 471. The npm Threat Landscape analysis maintained by Palo Alto Networks Unit 42 has tracked this campaign as an ongoing, active threat as of June 2, 2026. A separate atool maintainer account compromise in May 2026 affected popular packages including AntV, jest-canvas-mock, and echarts-for-react, with 323 packages compromised through that vector and C2 infrastructure at t.m-kosche.com. The CSA Research Note on TeamPCP describes this as a 'Multi-Ecosystem Supply Chain Worm' spanning npm, PyPI, Docker Hub, and VS Code extension marketplaces.","heading":"Hades PyPI Variant and Extended Ecosystem Impact","severity":"high","sources":[{"credibility":2,"name":"Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks — SecurityWeek","type":"news_article","url":"https://www.securityweek.com/over-100-npm-pypi-packages-hit-in-new-shai-hulud-supply-chain-attacks/"},{"credibility":2,"name":"The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) — Palo Alto Networks Unit 42","type":"research","url":"https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/"},{"credibility":2,"name":"TeamPCP: Multi-Ecosystem Supply Chain Worm — CSA Research Note","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-teampcp-multi-ecosystem-supply-chain-20260/"},{"credibility":2,"name":"The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave — Wiz Blog","type":"research","url":"https://www.wiz.io/blog/mini-shai-hulud-teampcp-hits-antv-supply-chain"}]},{"content":"The following technical 
indicators have been published by security researchers for the Mini Shai-Hulud campaign and its variants. File hashes for the primary TanStack campaign: router_init.js SHA-256 ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c; tanstack_runner.js SHA-256 2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96. Note that Miasma encrypts the payload uniquely per infection, defeating hash-based detection for that variant. C2 domains and infrastructure include: api.masscan.cloud, filev2.getsession.org, git-tanstack[.]com, seed1.getsession.org, and 83.142.209[.]194 (IP). Additional atool-wave C2: t.m-kosche.com. Campaign cryptographic markers: encryption key 0c0e873033875f1bc471eda37e3b9d0f9b89bd41a4bbb4f86746caa2176c40aa; PBKDF2 salt svksjrhjkcejg. A ransom threat string set as npm token description reads 'IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner.' Persistence artifacts that survive package uninstallation: .claude/router_runtime.js, .vscode/setup.mjs. LaunchAgent plist at ~/Library/LaunchAgents/com.user.gh-token-monitor.plist (macOS) and ~/.config/systemd/user/gh-token-monitor.service (Linux). Infected npm tarballs are identifiable by size (approximately 900 KB versus 190 KB for clean versions), the presence of root-level .js files outside standard distribution folders, and suspicious optionalDependencies entries pointing to attacker GitHub fork commits. 
Mastra-specific IoC: the typosquat package easy-day-js published by accounts 'sergey2016.'","heading":"Indicators of Compromise","severity":"high","sources":[{"credibility":2,"name":"Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Hits the npm Ecosystem — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"},{"credibility":2,"name":"TanStack and 160+ npm/PyPI Packages Compromised in Supply Chain Worm Attack — Orca Security","type":"research","url":"https://orca.security/resources/blog/tanstack-npm-supply-chain-worm/"},{"credibility":2,"name":"Miasma: Supply Chain Attack Targeting Red Hat npm Packages — Wiz","type":"research","url":"https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages"},{"credibility":2,"name":"Sapphire Sleet Hijacks npm Maintainer Account to Publish Poisoned Mastra Packages — GBHackers","type":"news_article","url":"https://gbhackers.com/sapphire-sleet-hijacks-npm/"}]},{"content":"Security researchers have issued the following remediation guidance for developers potentially affected by Mini Shai-Hulud, Miasma, Hades, or related variants. The critical first step — before any credential rotation — is to locate and remove the gh-token-monitor persistence daemon; revoking GitHub tokens before removing this daemon triggers the DEADMAN_SWITCH wiper, which executes rm -rf ~/ and destroys the user's home directory. Persistence locations to check: ~/Library/LaunchAgents/com.user.gh-token-monitor.plist (macOS) and ~/.config/systemd/user/gh-token-monitor.service (Linux). After daemon removal, all credentials must be rotated: npm tokens, GitHub personal access tokens and OIDC configurations, AWS/GCP/Azure service account keys, Kubernetes service account tokens, CI/CD secrets, SSH keys, HashiCorp Vault tokens, and Docker credentials. 
All cryptocurrency wallet seeds, private keys, and browser extension access should be considered compromised if the infected package was installed on a machine with crypto assets. Developers should audit lockfiles and CI logs for affected package versions, inspect .claude/ and .vscode/ directories for payload artifacts, and block identified C2 infrastructure at DNS and proxy level. Any packages installed from affected namespaces prior to May 12, 2026 (TanStack), June 1, 2026 (Red Hat), or June 17, 2026 (Mastra) during the respective compromise windows should be treated as potentially infected. Upgrade to clean versions published after those dates and verify integrity using lockfile checksums.","heading":"Mitigation and Remediation","severity":"high","sources":[{"credibility":2,"name":"TanStack and 160+ npm/PyPI Packages Compromised in Supply Chain Worm Attack — Orca Security","type":"research","url":"https://orca.security/resources/blog/tanstack-npm-supply-chain-worm/"},{"credibility":2,"name":"CA-26-018: Miasma/Mini Shai-Hulud Compromise of Red Hat npm Packages — Deepwatch","type":"research","url":"https://www.deepwatch.com/labs/ca-26-018-miasma-mini-shai-hulud-compromise-of-red-hat-npm-packages/"},{"credibility":2,"name":"Red Hat npm Packages Compromised to Spread a Credential-Stealing Worm — Aikido Security","type":"research","url":"https://www.aikido.dev/blog/red-hat-npm-packages-compromised-credential-stealing-worm"}]},{"content":"Security researchers at SecurityWeek note the Shai-Hulud worm has been active since September 2025, predating the high-visibility May 2026 TanStack campaign. Prior waves attributed to TeamPCP include SAP npm compromises in late April 2026 and a PyTorch Lightning compromise on April 30, 2026. A Trivy-to-Checkmarx-to-GitHub Actions vector was also documented by Phoenix Security. 
The public release of Mini Shai-Hulud source code on May 12, 2026 — alongside BreachForums posts encouraging third-party campaigns — fundamentally changed the threat landscape by enabling derivative variants. Security researchers have drawn a parallel to the 2016 Mirai botnet source code release, which similarly spawned a proliferation of derivative campaigns that outlasted and outnumbered the original actor's operations. TeamPCP has also operated in extortion mode: the group threatened to release 5 GB of Mistral AI source code unless paid $25,000 in Monero, and ran a $1,000 Monero bounty contest for compromising additional open-source packages. The group's use of Monero (a privacy coin) for all financial demands is consistent with threat actors seeking to avoid blockchain transaction traceability. The Palo Alto Networks Unit 42 npm Threat Landscape tracker continues to document ongoing campaign activity as of June 2026.","heading":"Broader Context and Prior Campaigns","severity":"high","sources":[{"credibility":2,"name":"Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks — SecurityWeek","type":"news_article","url":"https://www.securityweek.com/over-100-npm-pypi-packages-hit-in-new-shai-hulud-supply-chain-attacks/"},{"credibility":2,"name":"TeamPCP Supply Chain Attack: Trivy to Checkmarx to npm (2026) — Phoenix Security","type":"research","url":"https://phoenix.security/teampcp-supply-chain-attack-trivy-checkmarx-github-actions-npm-canisterworm/"},{"credibility":2,"name":"The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) — Palo Alto Networks Unit 42","type":"research","url":"https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/"},{"credibility":2,"name":"No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours — 
GitGuardian","type":"research","url":"https://blog.gitguardian.com/three-supply-chain-campaigns-hit-npm-pypi-and-docker-hub-in-48-hours/"}]}],"sources_used":[{"credibility":2,"name":"Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Hits the npm Ecosystem — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"},{"credibility":2,"name":"TanStack Supply Chain Attack Hits Two OpenAI Employee Devices — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/05/tanstack-supply-chain-attack-hits-two.html"},{"credibility":2,"name":"North Korean Hackers Blamed for Mastra NPM Supply Chain Attack — SecurityWeek","type":"news_article","url":"https://www.securityweek.com/north-korean-hackers-blamed-for-mastra-npm-supply-chain-attack/"},{"credibility":1,"name":"Our Response to the TanStack npm Supply Chain Attack — OpenAI","type":"official","url":"https://openai.com/index/our-response-to-the-tanstack-npm-supply-chain-attack/"},{"credibility":2,"name":"TanStack and 160+ npm/PyPI Packages Compromised in Supply Chain Worm Attack — Orca Security","type":"research","url":"https://orca.security/resources/blog/tanstack-npm-supply-chain-worm/"},{"credibility":1,"name":"From package to postinstall payload: Inside the Mastra npm supply chain compromise by Sapphire Sleet — Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/"},{"credibility":2,"name":"Miasma: Supply Chain Attack Targeting Red Hat npm Packages — Wiz","type":"research","url":"https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages"},{"credibility":2,"name":"Red Hat npm Packages Compromised to Spread a Credential-Stealing Worm — Aikido 
Security","type":"research","url":"https://www.aikido.dev/blog/red-hat-npm-packages-compromised-credential-stealing-worm"},{"credibility":2,"name":"Shai-Hulud malware worms Red Hat npm package versions downloaded 80K times a week — The Register","type":"news_article","url":"https://www.theregister.com/security/2026/06/01/shai-hulud-malware-infects-red-hat-npm-packages-downloaded-80k-times-weekly/5249803"},{"credibility":2,"name":"Miasma Supply Chain Attack Compromises Red Hat npm Packages — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.html"},{"credibility":2,"name":"Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks — SecurityWeek","type":"news_article","url":"https://www.securityweek.com/over-100-npm-pypi-packages-hit-in-new-shai-hulud-supply-chain-attacks/"},{"credibility":2,"name":"TeamPCP / Mini Shai-Hulud npm Campaign: 600 Packages, Confirmed Active Payload — Phoenix Security","type":"research","url":"https://phoenix.security/teampcp-mini-shai-hulud-npm-atool-maintainer-compromise-2026/"},{"credibility":2,"name":"Miasma NPM Supply Chain Attack: Red Hat Cloud Services npm Packages — Phoenix Security","type":"research","url":"https://phoenix.security/miasma-redhat-cloud-services-npm-supply-chain-shai-hulud-variant/"},{"credibility":2,"name":"TeamPCP Supply Chain Attack: Trivy to Checkmarx to npm (2026) — Phoenix Security","type":"research","url":"https://phoenix.security/teampcp-supply-chain-attack-trivy-checkmarx-github-actions-npm-canisterworm/"},{"credibility":2,"name":"GitHub Internal Repository Breach via Poisoned VS Code Extension (May 2026) — Phoenix Security","type":"research","url":"https://phoenix.security/vs-code-extension-malware-github-breach-teampcp-2026/"},{"credibility":2,"name":"CA-26-018: Miasma/Mini Shai-Hulud Compromise of Red Hat npm Packages — 
Deepwatch","type":"research","url":"https://www.deepwatch.com/labs/ca-26-018-miasma-mini-shai-hulud-compromise-of-red-hat-npm-packages/"},{"credibility":2,"name":"The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) — Palo Alto Networks Unit 42","type":"research","url":"https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/"},{"credibility":2,"name":"The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave — Wiz Blog","type":"research","url":"https://www.wiz.io/blog/mini-shai-hulud-teampcp-hits-antv-supply-chain"},{"credibility":2,"name":"TeamPCP: Multi-Ecosystem Supply Chain Worm — CSA Research Note","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-teampcp-multi-ecosystem-supply-chain-20260/"},{"credibility":2,"name":"Microsoft links Mastra AI supply chain attack to North Korean hackers — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/microsoft-links-mastra-ai-supply-chain-attack-to-north-korean-hackers/"},{"credibility":2,"name":"Over 140 popular Mastra npm Packages Hit by Supply Chain Attack — Aikido Security","type":"research","url":"https://www.aikido.dev/blog/over-140-popular-mastra-npm-packages-hit-by-supply-chain-attack"},{"credibility":2,"name":"Miasma: A Worming npm Supply Chain Attack on Red Hat Cloud Services — Upwind","type":"research","url":"https://www.upwind.io/feed/miasma-npm-supply-chain-worm-redhat-credential-harvest"},{"credibility":2,"name":"No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours — GitGuardian","type":"research","url":"https://blog.gitguardian.com/three-supply-chain-campaigns-hit-npm-pypi-and-docker-hub-in-48-hours/"},{"credibility":2,"name":"Microsoft Attributes Mastra AI Supply Chain Attack to North Korea — Infosecurity 
Magazine","type":"news_article","url":"https://www.infosecurity-magazine.com/news/mastra-ai-supply-chain-attack/"},{"credibility":2,"name":"Sapphire Sleet Hijacks npm Maintainer Account to Publish Poisoned Mastra Packages — GBHackers","type":"news_article","url":"https://gbhackers.com/sapphire-sleet-hijacks-npm/"}],"summary":"TeamPCP is a threat actor group responsible for the 'Mini Shai-Hulud' self-propagating npm supply chain worm, first deployed on May 11, 2026. The campaign compromised over 600 npm packages across major ecosystems including TanStack, Mistral AI, UiPath, Red Hat, and Mastra AI, reaching two OpenAI employee devices and exfiltrating approximately 3,800 GitHub internal repositories. The malware specifically targets 166 cryptocurrency-related browser extensions and local wallet files, creating direct financial risk for crypto developers and end users.","timeline":[{"date":"2025-09-01","event":"Shai-Hulud worm activity first observed; earliest attributable TeamPCP supply chain operations begin (approximate date).","source":"SecurityWeek","source_url":"https://www.securityweek.com/over-100-npm-pypi-packages-hit-in-new-shai-hulud-supply-chain-attacks/"},{"date":"2026-03-19","event":"TeamPCP attacker GitHub account 'voicproducoes' (ID: 269549300) created.","source":"StepSecurity","source_url":"https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"},{"date":"2026-04-22","event":"Earlier npm supply chain worm attack reported, attributed to TeamPCP activity.","source":"The Register","source_url":"https://www.theregister.com/2026/04/22/another_npm_supply_chain_attack/"},{"date":"2026-04-30","event":"PyTorch Lightning npm/PyPI compromise attributed to TeamPCP campaign.","source":"SecurityWeek","source_url":"https://www.securityweek.com/over-100-npm-pypi-packages-hit-in-new-shai-hulud-supply-chain-attacks/"},{"date":"2026-05-10","event":"Attacker establishes malicious fork of TanStack/router on 
GitHub.","source":"StepSecurity","source_url":"https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"},{"date":"2026-05-11","event":"Mini Shai-Hulud worm deployed; 84 malicious versions published across 42 @tanstack packages. Within five hours, over 400 malicious versions across 172 packages published. Two OpenAI employee devices compromised.","source":"Orca Security / The Hacker News","source_url":"https://orca.security/resources/blog/tanstack-npm-supply-chain-worm/"},{"date":"2026-05-12","event":"TeamPCP publishes Mini Shai-Hulud full source code on GitHub under MIT license alongside BreachForums posts encouraging independent campaigns. 169 npm and 2 PyPI packages disclosed.","source":"Orca Security","source_url":"https://orca.security/resources/blog/tanstack-npm-supply-chain-worm/"},{"date":"2026-05-18","event":"GitHub employee installs trojanized Nx Console VS Code extension (2.2 million installs, verified publisher); extension live for approximately 11 minutes before removal. TeamPCP exfiltrates approximately 3,800 GitHub internal repositories.","source":"Phoenix Security","source_url":"https://phoenix.security/vs-code-extension-malware-github-breach-teampcp-2026/"},{"date":"2026-05-19","event":"Atool maintainer account compromise published; 323 packages compromised including AntV, jest-canvas-mock, echarts-for-react.","source":"Phoenix Security","source_url":"https://phoenix.security/teampcp-mini-shai-hulud-npm-atool-maintainer-compromise-2026/"},{"date":"2026-06-01","event":"Miasma variant deployed against @redhat-cloud-services npm namespace. Compromised Red Hat employee GitHub account used to publish 96 malicious versions across 32 packages (116,991 combined weekly downloads). 
Two attack waves: 10:53 UTC and 13:44-13:46 UTC.","source":"Wiz / Aikido Security / The Register","source_url":"https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages"},{"date":"2026-06-05","event":"At least 57 npm packages and 300+ malicious versions identified under Miasma/Hades umbrella; 471 total malicious artifacts across ecosystems documented.","source":"SecurityWeek","source_url":"https://www.securityweek.com/over-100-npm-pypi-packages-hit-in-new-shai-hulud-supply-chain-attacks/"},{"date":"2026-06-08","event":"Hades PyPI variant second wave: at least 29 additional PyPI packages compromised, targeting bioinformatics, graph ML, and MCP-themed packages.","source":"SecurityWeek","source_url":"https://www.securityweek.com/over-100-npm-pypi-packages-hit-in-new-shai-hulud-supply-chain-attacks/"},{"date":"2026-06-12","event":"OpenAI deadline for users to update ChatGPT Desktop, Codex App, Codex CLI, and Atlas to versions signed with new certificates; old code-signing certificates revoked.","source":"OpenAI","source_url":"https://openai.com/index/our-response-to-the-tanstack-npm-supply-chain-attack/"},{"date":"2026-06-17","event":"141 Mastra AI npm packages compromised in a 45-minute window by alleged North Korean APT Sapphire Sleet. Typosquat package easy-day-js injected into packages with ~8 million combined weekly downloads. Microsoft formally attributes attack to Sapphire Sleet (BlueNoroff).","source":"Microsoft Security Blog / SecurityWeek","source_url":"https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/"}]},"v":1}
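The three-value comparison the page describes, as an added example and not the site's own `src.verify_decision` code. It assumes the Bitcoin/Solana base58 alphabet (the page does not name one), infers the canonical serialization shape (sorted keys, no whitespace, raw UTF-8) from the bytes displayed above, uses a constructed sample record rather than the real payload, and takes the memo text as input rather than fetching it (read it from an explorer or the `getTransaction` RPC method). Which record field `d:` carries is not stated on the page, so the sample uses the investigation id as a placeholder.

```python
import hashlib
import json

# Bitcoin/Solana base58 alphabet (assumed: the page does not name it; Solana
# signatures and addresses use this one, with no 0, O, I or l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
MEMO_PREFIX = "AVOID.NET|v1|"


def b58encode(raw: bytes) -> str:
    """Base58-encode bytes; each leading 0x00 byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + "".join(reversed(digits))


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def decision_hash(canonical_bytes: bytes) -> str:
    """Step 1 of the page: SHA-256 over the exact stored bytes, digest in base58."""
    return b58encode(hashlib.sha256(canonical_bytes).digest())


def parse_memo(memo: str) -> dict:
    """Split 'AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>' into its three fields."""
    if not memo.startswith(MEMO_PREFIX):
        raise ValueError("not an AVOID.NET v1 memo")
    fields = {}
    for part in memo[len(MEMO_PREFIX):].split("|"):
        key, sep, value = part.partition(":")  # 't' values contain ':' themselves
        if sep != ":" or key not in ("h", "d", "t") or key in fields:
            raise ValueError(f"unexpected memo field {part!r}")
        fields[key] = value
    if set(fields) != {"h", "d", "t"}:
        raise ValueError("memo is missing h, d or t")
    if len(b58decode(fields["h"])) != 32:
        raise ValueError("memo hash does not decode to a 32-byte SHA-256 digest")
    return fields


def verify_decision(db_hash: str, canonical_bytes: bytes, memo: str) -> dict:
    """Step 3 of the page: stored hash, recomputed hash and on-chain hash must all
    be equal. Every value is returned so a mismatch can be diagnosed."""
    recomputed = decision_hash(canonical_bytes)
    onchain = parse_memo(memo)["h"]
    return {
        "db_hash": db_hash,
        "recomputed": recomputed,
        "onchain": onchain,
        "ok": db_hash == recomputed == onchain,
    }


# Constructed sample record, not the page's real payload. It mimics the canonical
# shape seen above (sorted keys, no whitespace, raw UTF-8), but the bytes to hash
# are always the ones the service stored, never a re-serialization.
SAMPLE_DECISION = {
    "actor": "system:backfill",
    "investigation_id": "00000000-0000-4000-8000-000000000000",
    "kind": "publish",
    "published_at": "2026-06-24T12:35:10.025Z",
    "sequence_num": 1,
    "v": 1,
}
SAMPLE_BYTES = json.dumps(
    SAMPLE_DECISION, sort_keys=True, separators=(",", ":"), ensure_ascii=False
).encode("utf-8")
# Stand-in for the memo text read back from the Solana transaction. The page does
# not say which field 'd:' carries; the investigation id is a placeholder here.
SAMPLE_MEMO = (
    f"{MEMO_PREFIX}h:{decision_hash(SAMPLE_BYTES)}"
    f"|d:{SAMPLE_DECISION['investigation_id']}|t:2026-06-24T12:35:10.214Z"
)


def demo() -> dict:
    """An honest record verifies; one rewritten after anchoring does not."""
    stored = decision_hash(SAMPLE_BYTES)  # what the database column would hold
    honest = verify_decision(stored, SAMPLE_BYTES, SAMPLE_MEMO)["ok"]
    rewritten_bytes = SAMPLE_BYTES.replace(b'"sequence_num":1', b'"sequence_num":2')
    rewritten = verify_decision(stored, rewritten_bytes, SAMPLE_MEMO)["ok"]
    # Pretty-printing the same object changes the bytes and so the hash: this is
    # why the comparison must run over the stored bytes, not a parsed copy.
    reserialized = json.dumps(SAMPLE_DECISION, indent=2).encode("utf-8")
    reserialized_matches = decision_hash(reserialized) == stored
    return {"honest": honest, "rewritten": rewritten,
            "reserialized_matches": reserialized_matches}


if __name__ == "__main__":
    print(demo())
```

To check a real record, pass `verify_decision` the database hash from panel 1, the exact UTF-8 bytes from the "Canonical bytes hashed" panel (copied without reflowing or re-encoding), and the memo text from the transaction. Two caveats: the equality proves the service committed to these bytes, not that the decision's content is correct, and the `t:` field is the service's own off-chain timestamp; only the block time of the transaction is independent of the service.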