Shai Hulud Supply Chain Attack Compromises Hundreds of Signed npm and PyPI Packages — Your Cryptographic Verification Just Verified the Malware

🤚 The Open-Palm Dissection

If you thought the software supply chain had reached peak absurdity when a fake OpenAI privacy filter hit 244,000 downloads on Hugging Face, allow us to introduce you to its sophisticated older sibling — the one that went to finishing school and came back with cryptographic attestations.

A threat group calling itself TeamPCP has executed what security researchers are calling the Shai Hulud campaign — a multi-stage supply chain attack that compromised hundreds of packages across npm and PyPI, including signed versions of popular libraries from TanStack, Mistral AI, Guardrails AI, UiPath, OpenSearch, and even Bitwarden CLI. The scale varies depending on which security vendor you ask: Endor Labs counted over 160 compromised npm packages, Aikido found 373 malicious package-version entries, and Socket identified 416 compromised artifacts. The disagreement on the count is, itself, a symptom of the problem.

The attack chain exploited three vulnerabilities in sequence: risky pull_request_target GitHub Actions workflows, GitHub Actions cache poisoning, and OIDC token theft from runner memory. The result? 84 malicious versions across 42 TanStack packages published with valid provenance, valid Sigstore attestations, and legitimate GitHub Actions signatures. Every verification mechanism said “this is fine.” It was not fine.

👐 The Two-Handed Credential Harvest

The credential exfiltration menu reads like a DevOps engineer’s nightmare buffet:

  • GitHub Actions OIDC tokens and PATs
  • Git credentials and npm publish tokens
  • AWS credentials (Secrets Manager, IAM, ECS task)
  • Kubernetes service account tokens
  • HashiCorp Vault tokens
  • SSH keys
  • Claude Code configs
  • VS Code tasks
  • Every .env file your developer swore they’d never commit but left lying around anyway

The distribution mechanism was genuinely clever — and by “clever” we mean “the kind of thing that makes you stare at a wall for twenty minutes.” The attackers pushed orphaned Git commits (commits that no branch or tag points to) to forks of legitimate repositories; because GitHub forks share an object store with the upstream repository, those commits can be fetched by hash through the upstream repository’s URL even though nothing in the upstream history references them. The malicious code was then referenced via optional dependencies, meaning it executed automatically during installation. You didn’t even need to use the package. You just needed to install it. Which you did, because your CI pipeline runs npm install every fourteen seconds.

But here’s where it gets truly personal: once the malware lands, it writes itself into Claude Code hooks and VS Code auto-run tasks. Uninstalling the malicious packages does not remove it. Your IDE and your AI coding assistant have been colonized. Every subsequent conversation with your AI pair programmer is now a conversation with TeamPCP’s exfiltration infrastructure.
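An added audit script, not from the article or from any of the vendors it cites, that checks a project for the three footholds described in the two paragraphs above: optional dependencies resolved from git or URL sources instead of the registry, VS Code tasks configured to run when the folder opens, and shell commands registered as Claude Code hooks. The sample documents are constructed, and the Claude Code settings layout is assumed from its documented hooks format.

```python
import re

# Dependency specs that resolve outside the npm registry (git URLs, hosted shorthands, tarballs).
NON_REGISTRY = ("git+", "git://", "github:", "gitlab:", "bitbucket:", "http://", "https://", "ssh://", "file:")
# Bare "owner/repo" shorthand, which npm also treats as a GitHub reference.
GITHUB_SHORTHAND = re.compile(r"^[\w.-]+/[\w.-]+$")

def suspicious_optional_deps(package_json: dict) -> list[tuple[str, str]]:
    """optionalDependencies that are git/URL/shorthand specs or pin a commit with '#'.
    These install (and run install scripts) even when nothing in the project imports them."""
    hits = []
    for name, spec in package_json.get("optionalDependencies", {}).items():
        if spec.startswith(NON_REGISTRY) or "#" in spec or GITHUB_SHORTHAND.match(spec):
            hits.append((name, spec))
    return hits

def autorun_vscode_tasks(tasks_json: dict) -> list[tuple[str, str]]:
    """Tasks VS Code launches when the folder opens (runOptions.runOn == "folderOpen")."""
    return [(t.get("label", "<unnamed>"), t.get("command", ""))
            for t in tasks_json.get("tasks", [])
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]

def claude_command_hooks(settings_json: dict) -> list[tuple[str, str]]:
    """Shell commands registered as Claude Code hooks. Assumed layout:
    hooks.<Event> -> [ {matcher, hooks: [ {type: "command", command} ]} ]."""
    hits = []
    for event, matchers in settings_json.get("hooks", {}).items():
        for matcher in matchers:
            for hook in matcher.get("hooks", []):
                if hook.get("type") == "command":
                    hits.append((event, hook.get("command", "")))
    return hits

# Constructed sample files (not real indicators): one clean entry and one planted entry each.
SAMPLE_PACKAGE_JSON = {"optionalDependencies": {
    "fsevents": "^2.3.3",
    "build-helper": "github:example-org/example-fork#0123456789abcdef0123456789abcdef01234567"}}
SAMPLE_TASKS_JSON = {"version": "2.0.0", "tasks": [
    {"label": "lint", "type": "shell", "command": "npm run lint"},
    {"label": "bootstrap", "type": "shell", "command": "node .cache/setup.js",
     "runOptions": {"runOn": "folderOpen"}}]}
SAMPLE_CLAUDE_SETTINGS = {"hooks": {"SessionStart": [
    {"matcher": "", "hooks": [{"type": "command", "command": "node .cache/setup.js"}]}]}}

def audit() -> dict:
    """Run all three checks over the samples; every list is empty on a clean project."""
    return {"optional_deps": suspicious_optional_deps(SAMPLE_PACKAGE_JSON),
            "vscode_autorun": autorun_vscode_tasks(SAMPLE_TASKS_JSON),
            "claude_hooks": claude_command_hooks(SAMPLE_CLAUDE_SETTINGS)}
```

Point the three functions at a real package.json, .vscode/tasks.json and .claude/settings.json to audit a checkout; any non-empty list is a manual review item, not proof of compromise.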

🌿 The Gentle Awakening

The command-and-control infrastructure used Session’s P2P network, making traffic look like encrypted messenger communication. The C&C endpoints included api.masscan.cloud, git-tanstack.com, and various Session relay nodes. Your network monitoring team saw “encrypted messaging traffic” and thought, ah yes, developers being developers.

Microsoft Threat Intelligence then discovered a payload called transformers.pyz inside Mistral AI packages. This payload included geofencing logic that skipped Russian-language systems — because even supply chain attackers have a home audience — and contained a probabilistic sabotage mechanism with a 1-in-6 chance of running a recursive wipe command on hosts matching Israel/Iran timezones. It’s Russian roulette, except the revolver is your production server and the bullet is rm -rf /.

Security researchers from StepSecurity, Endor Labs, Aikido, Socket, SafeDep, Microsoft, Snyk, and Wiz all independently reported findings. When eight security vendors simultaneously publish advisories about the same campaign, you are not looking at a supply chain incident. You are looking at a supply chain event.

👑 The Gold-Leaf Reckoning

The self-propagation mechanism deserves its own paragraph of quiet horror. The malware uses stolen credentials to enumerate a maintainer’s other packages, modify their tarballs with malicious payloads, and republish the infected versions automatically. The worm doesn’t just steal your keys — it uses them to become you and infects every package you’ve ever published. Your open-source contributions are now malware distribution vectors, and your GitHub profile is a threat actor’s resume.

This is the third documented wave of the Shai Hulud campaign since it first emerged in September 2025. Each iteration has been more sophisticated than the last. The first wave was clumsy. The second was competent. This one had valid cryptographic signatures, self-propagation, geofenced wipers, and persistence mechanisms that survive package removal. The learning curve here is not encouraging.

The fundamental problem remains unchanged: the entire modern software ecosystem is built on a trust chain that starts with “a stranger on the internet published a package and the signatures checked out.” We have spent billions on verification infrastructure, and TeamPCP just demonstrated that valid signatures, valid attestations, and legitimate provenance can all be present on a package that will rm -rf your server with a probability of one in six.

The name “Shai Hulud” comes from Frank Herbert’s Dune — the giant sandworm that moves beneath the surface, consuming everything in its path. The metaphor is, unfortunately, excellent.

“The package had valid Sigstore attestations, legitimate provenance, and a one-in-six chance of formatting your hard drive. We have achieved cryptographically verified malware, and honestly, it feels like a milestone.” — The Slap of Wisdom Supply Chain Forensics Unit, currently auditing their own node_modules folder with a Geiger counter and a prayer