Border Cyber Group | June 12, 2026
The Gift
On the evening of May 12, 2026, a GitHub repository appeared under several compromised user accounts bearing a simple README: "Shai-Hulud: Open Sourcing The Carnage. Love — TeamPCP." The accompanying instructions were practical rather than theatrical: change the encryption keys, swap the C2 infrastructure, and deploy. The source code, a production-grade TypeScript/Bun framework for CI/CD credential harvesting, supply chain poisoning, and multi-channel encrypted exfiltration, mapped directly to compiled artifacts that had been tearing through npm and PyPI for the better part of eight months.
GitHub pulled the repositories within hours. It didn't matter. The code had already been forked dozens of times. VX Underground mirrored it. BreachForums hosted its own copy. The MIT license — applied with deliberate irony — ensured that anyone who grabbed a copy was, technically, permitted to use it.
The same day, TeamPCP and BreachForums co-announced a competition: $1,000 in Monero to whoever could execute the largest supply chain attack using the code, scored by weekly and monthly download counts of compromised packages. The prize was trivially small relative to the value of the access it incentivized. That was the point.
This essay is about what happens next — and about why the open-sourcing of Shai-Hulud is not merely a tactical escalation but a deliberate strategic move that attacks the defender's most reliable tool: the ability to attribute.
_______________________
Background: Eight Months of Controlled Escalation
To understand the open-source release, you have to understand the campaign it capped.
TeamPCP — tracked by Google's Threat Intelligence Group as UNC6780, and known by additional aliases including DeadCatx3, PCPcat, ShellForce, and CipherForce across Snyk and Palo Alto Networks Unit 42 reporting — emerged in the threat landscape in late 2025 as a financially motivated group specializing in developer infrastructure compromise. Their defining operational insight was simple and devastating: developer trust infrastructure — package registries, CI/CD pipelines, extension marketplaces, code-signing systems — is the softest target in the software supply chain. Not because it lacks security controls, but because it has been systematically trained to be trusted.
The Shai-Hulud campaign ran in at least five distinct waves between September 2025 and May 2026. The trajectory is worth tracing because the technical escalation across waves is inseparable from the strategic logic of the open-source release.
The first two waves, September and November 2025, relied on AiTM phishing targeting npmjs.help to harvest maintainer credentials, then used those credentials to republish poisoned versions of every package the victim could publish. The propagation model was credential-theft-as-force-multiplier: one stolen token cascades into every package that token can write. Persistence mechanisms were absent in Wave 1; a preinstall hook was the execution trigger in Wave 2.
By March 2026, the campaign had pivoted to something more structurally interesting. The Miasma wave — later confirmed as separate actor activity using the open-sourced toolkit, though operating with materially identical tradecraft — marked the campaign's first successful expansion into PyPI via GitHub Actions cache poisoning of the Trivy vulnerability scanner's build pipeline. A .pth file injected into Python's site-packages directory meant that every Python interpreter invocation on an affected system executed the payload unconditionally. No user interaction. No install-time hook. Every pytest, every python manage.py runserver, every automated test run was a trigger.
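A defender-side check for the .pth trigger described above, added here as an illustration and not taken from the article or the toolkit: it lists every .pth line that Python's site module would execute at interpreter startup. The allowlist names and the sample files in demo() are assumptions constructed for the example.

```python
import os
import site
import sysconfig
import tempfile

# Assumption: .pth files known to carry legitimate import lines in this
# environment. Extend after review; these names are examples, not a standard.
ALLOWLIST = {"distutils-precedence.pth", "_virtualenv.pth"}


def executable_pth_lines(pth_path):
    """Return [(line_no, text)] for lines the site module would exec().

    site.py executes a .pth line only when it starts with "import" followed
    by a space or a tab; other non-comment lines are sys.path entries.
    """
    hits = []
    with open(pth_path, "r", encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            if line.startswith(("import ", "import\t")):
                hits.append((line_no, line.rstrip("\r\n")))
    return hits


def scan_site_dirs(dirs, allowlist=ALLOWLIST):
    """Map each non-allowlisted .pth path to its executable lines."""
    findings = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if name.endswith(".pth") and name not in allowlist and os.path.isfile(path):
                hits = executable_pth_lines(path)
                if hits:
                    findings[path] = hits
    return findings


def default_site_dirs():
    """site-packages directories of the running interpreter."""
    dirs = {sysconfig.get_paths()["purelib"], site.getusersitepackages()}
    dirs.update(getattr(site, "getsitepackages", lambda: [])())
    return sorted(dirs)


def demo():
    """Run the scan over a constructed site-packages directory."""
    samples = {
        "plain_paths.pth": "# path entries only\n/opt/vendor/lib\n",
        "constructed_loader.pth": "import os; os.environ.get('HOME')\n",
        "_virtualenv.pth": "import _virtualenv\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.basename(p): h for p, h in scan_site_dirs([d]).items()}


if __name__ == "__main__":
    for path, hits in scan_site_dirs(default_site_dirs()).items():
        for line_no, text in hits:
            print(f"{path}:{line_no}: {text[:120]}")
```

Legitimate tooling (editable installs, virtualenv) also ships executable .pth lines, so a hit is a review item to compare against a known-good baseline, not a verdict.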
The May 2026 TanStack/Mini Shai-Hulud wave was the campaign's technical apex and its most consequential achievement. On May 11, over 400 malicious versions were published across 172 distinct packages in under six hours. The total potential exposure across the full campaign reached approximately 518 million weekly downloads, per Falcon Feeds analysis. Confirmed victims at the organizational level included GitHub (approximately 3,800 internal repositories exfiltrated in an 18-minute VS Code Marketplace extension window), OpenAI, Mistral AI — where TeamPCP attempted to sell alleged internal repository data for $25,000 on dark web forums — TanStack, and dozens of others.
But the technical detail that matters most for this analysis is not the scale. It is the SLSA provenance bypass.
_______________________
The Provenance Problem
The security industry spent years building Sigstore, SLSA, and supply chain attestation frameworks on a single foundational assumption: if you can cryptographically verify that a package was built by a specific pipeline from a specific source commit, you have meaningful assurance of its integrity. The assumption is not unreasonable. It closes a real gap.
Shai-Hulud defeated it not by breaking the cryptography but by controlling the pipeline.
The Mini Shai-Hulud TanStack wave produced the first documented npm worm to carry valid SLSA Build Level 3 provenance attestations from Sigstore. The mechanism, documented in detail by Datadog Security Labs' static analysis of the open-sourced framework, was OIDC token extraction directly from GitHub Actions runner process memory. The malware read /proc/{pid}/maps and /proc/{pid}/mem to dump runner memory, then used grep -aoE to extract GitHub Actions internal secret structures — including the OIDC token — before GitHub's secret masking layer could operate. With a valid OIDC token scoped to npm:registry.npmjs.org, the framework requested a Fulcio signing certificate, signed a DSSE envelope with an ephemeral ECDSA key, recorded the result in Rekor's transparency log, and attached the complete provenance bundle to the poisoned package publication.
The provenance was real. The Fulcio certificate chain was valid. The Rekor entry was genuine. Every automated supply chain verification tool that checked the package would see legitimate build attestation — because the attestation correctly described a build that the attacker controlled.
As Snyk's analysis noted: "A valid Sigstore attestation confirms which pipeline produced a package, not whether that pipeline was compromised." This is the precise and devastatingly accurate formulation of the gap. SLSA provenance proves process integrity under the assumption that the process itself has not been compromised. The moment the CI runner is inside the adversary's reach, that assumption collapses. The attestation becomes evidence of the attacker's control, faithfully timestamped and logged in a transparency ledger.
The security community's response to this finding has been, in the main, technically accurate but strategically inadequate. Auditing pipeline configurations, restricting OIDC token scopes, and implementing workflow pinning are all correct mitigations. None of them address the underlying problem: provenance frameworks were not designed to survive an attacker who already has runner-level access. They were designed to detect external package tampering. Once the attacker is inside, the framework helpfully signs their work.
_______________________
May 12: The Strategic Logic of Open-Sourcing a Weapon
TeamPCP did not open-source Shai-Hulud because they had finished with it or because they were feeling generous. The decision was strategic, and the strategy operates on at least three levels simultaneously.
First: deniability generation. The most immediate operational benefit of releasing the source code was the creation of a permanent attribution ambiguity layer. Before May 12, every Shai-Hulud-family artifact in the wild could be attributed to TeamPCP with reasonable confidence. After May 12, that is no longer true. The chalk-tempalte copycat packages identified by OX Security within days of the release were, as OX noted, "almost exact copies of the leaked source code, with no obfuscation techniques" — but they were operated by a different actor with different C2 infrastructure and different collection targets. The tradecraft overlap is total. The actor is different. Future attribution must now rely on infrastructure-level clustering and behavioral analysis rather than tooling signatures, because the tooling is, by definition, shared.
This is not incidental. It is the mechanism. By ensuring that any future Shai-Hulud-family campaign will be impossible to attribute based on the toolkit alone, TeamPCP created permanent cover for their own continued operations. The security community's standard attribution toolchain — malware family identification, TTP mapping, infrastructure tracking — all remain functional. But they no longer point at TeamPCP specifically. They point at "Shai-Hulud operators," a category that now includes an unknowable number of actors of varying sophistication.
Second: capability proliferation as strategic noise. The BreachForums competition scoring model — points awarded based on weekly and monthly download counts of compromised packages — was explicitly designed to incentivize volume over precision. A sophisticated actor running a targeted campaign does not want maximum download counts. They want specific access. The competition attracted participants who wanted maximum download counts, regardless of what they were accessing. The result is a wave of high-volume, low-sophistication copycat attacks that serve TeamPCP's interests in two distinct ways: they generate security community attention and resource expenditure on campaigns that are not TeamPCP, and they normalize the ambient level of supply chain compromise in npm and PyPI to a degree that makes any individual campaign harder to triage as exceptional.
When every week brings a new batch of Shai-Hulud-family packages, the signal-to-noise ratio collapses. The Miasma wave against @redhat-cloud-services and subsequent Hades variants against PyPI both emerged in this environment. Zscaler ThreatLabz's analysis of campaign evolution noted the addition of dedicated GCP and Azure credential collectors in Miasma — a technical capability expansion that represents genuine operational development, not copycat behavior. Whether Miasma represents TeamPCP operating under a new name, a sophisticated copycat who extended the toolkit, or a third actor remains, by design, unresolved.
Third: the access broker pipeline. The BreachForums contest was not primarily a talent-recruitment exercise. It was a credential-harvesting operation with a distributed workforce. Every participant who successfully compromised a package and submitted proof of access also, knowingly or not, demonstrated the viability of a supply chain attack chain that TeamPCP had already established relationships to monetize. Unit 42 documented TeamPCP's confirmed partnership with the Vect ransomware-as-a-service operation; SC Media reported Vect extorting victims sourced via TeamPCP credential theft as of April 15, 2026. ShinyHunters and LAPSUS$ overlaps have also been documented, though the current status of those relationships has not been independently confirmed.
The contest participants were, in effect, unpaid initial access brokers competing for a $1,000 prize on behalf of an operation with significantly larger downstream monetization capability. The $1,000 Monero prize was not the revenue model. The credential pipeline was the revenue model.
_______________________
Attribution After the Flood
The question the security community now faces is not whether Shai-Hulud can be attributed to TeamPCP. It can — for the original waves. The question is what attribution means when the tooling has been deliberately liberated into the commons.
Consider the analytical position a threat intelligence team occupies today when they observe a new supply chain campaign using Shai-Hulud-family tooling. The OIDC token extraction technique is documented. The dead-man's switch mechanism — the gh-token-monitor daemon that triggers rm -rf ~/ on credential revocation, spelled out in the commit message as IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner — is documented. The exfiltration hierarchy (HTTPS to C2, GitHub dead-drop repositories with Dune-themed names, DNS tunneling as fallback) is documented. The Russian locale check, a CIS geographic killswitch present in the original framework, is documented.
None of these indicators reliably distinguish TeamPCP from a copycat. A copycat who changes the C2, rotates the RSA exfiltration key (trivially, since the key infrastructure is in the source), and adjusts the collection targets is operationally distinct from TeamPCP but forensically identical. The geographic killswitch is particularly notable: its presence in a copycat campaign might be cargo-culted tradecraft from the original source code rather than an actual indicator of CIS-adjacent operator geography.
The practical consequence is that the standard threat intelligence workflow — observe indicators, match to known malware family, attribute to known actor cluster, assess motivation and targeting — breaks at the attribution step. The malware family is known. The actor cluster is not. Analysts are left with infrastructure-level analysis as the only reliable differentiator: C2 domain registration patterns, hosting provider selection, certificate reuse, exfiltration endpoint fingerprinting. These are more resource-intensive, require access to data that many organizations do not have, and produce conclusions with lower confidence than tooling-based attribution.
This is, analytically, exactly what TeamPCP designed. The open-source release was not a gift to the community. It was a gift to TeamPCP's operational security posture.
_______________________
What Defenders Actually Control
The attribution problem is real and the deniability generation is deliberate. Neither of those facts is actionable for a security team trying to protect a development environment on Monday morning. The analytical insight is worth stating clearly before turning to the operational consequence: the Shai-Hulud open-source release represents a permanent structural shift in the supply chain threat landscape, not a temporary escalation. The tooling is out. The techniques are documented. The SLSA bypass is reproducible. Attribution to TeamPCP specifically is a diminishing analytical return. Stopping the next wave of whatever-comes-after-Hades is the more tractable problem.
What defenders actually control is the attack surface that makes the campaign possible.
The Shai-Hulud framework does not exploit software vulnerabilities in the traditional sense. There are no CVEs for the core campaign mechanics. What it exploits is a set of trust relationships that the software development ecosystem has built over decades and has not yet learned to treat as attack surface: the assumption that a CI runner's environment variables are secret, the assumption that OIDC token scopes are correctly restricted, the assumption that a package carrying valid provenance was built by a pipeline that was not itself compromised, and the assumption that a maintainer account whose credentials were stolen last week is still a maintainer account rather than an access vector.
GitHub's immediate response to the Mini Shai-Hulud TanStack wave — invalidating 61,274 npm granular access tokens with write permissions and 2FA bypass — is the correct emergency response. It is not a sustainable security model. The tokens were invalidated after the campaign had already run. The provenance attestations were already in the Rekor transparency log. The downstream packages had already propagated.
The Snyk analysis of the Claude Code SessionStart hook persistence mechanism — first introduced in Wave 3 and designed to execute the payload whenever Claude Code initializes in a poisoned repository — is a useful illustration of where the attack surface is expanding. IDE and AI coding assistant integration hooks are new and poorly audited attack surface. They execute with developer-level permissions. They fire on actions that developers take routinely and do not think of as security-relevant. They are not covered by most organizations' endpoint security posture assessments, because they did not exist as a meaningful attack surface two years ago.
The Miasma addition of dedicated GCP and Azure cloud credential collectors alongside the original AWS harvesting is a different kind of surface expansion: not new attack vectors, but broader coverage of existing ones, reflecting an accurate assessment of multi-cloud enterprise reality. Every Shai-Hulud-family campaign from this point forward should be assumed to harvest credentials for all major cloud providers, not just AWS and GitHub.
The dead-man's switch mechanism deserves separate treatment because it directly targets the incident response workflow in a way that most malware does not. The gh-token-monitor daemon installs as a LaunchAgent on macOS (~/Library/LaunchAgents/com.user.gh-token-monitor.plist) and a systemd user service on Linux, polling api.github.com/user once per minute. If the token is revoked — the standard first action in any credential compromise response — the daemon executes the handler, defaulting to rm -rf ~/. The commit message makes the threat explicit: IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner.
This is not primarily a destructive capability. It is a coercion mechanism designed to slow incident response by creating a credible threat of data loss if the standard response playbook is followed. An organization that discovers a compromised GitHub token and revokes it immediately — correct procedure in any other context — may trigger workstation destruction on a developer machine that hasn't yet been isolated. The correct response, isolating the affected system before revoking credentials, is the opposite of the instinctive one, and it requires that responders know about the mechanism before they encounter it. The public documentation of this behavior is one of the more operationally useful outputs of the Datadog static analysis: organizations can now build the isolation-before-revocation step into their supply chain incident response playbooks explicitly.
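The isolation-before-revocation step written as a pre-revocation check, added here as an example rather than code from Datadog or the article: it looks for the token monitor in per-user persistence directories and refuses revocation until the host is isolated. The daemon name, LaunchAgent file name and polled URL come from the text above; the systemd user-unit directory, the content matching and the sample files are assumptions.

```python
import os
import tempfile

# Markers taken from the article: the daemon name and the URL it polls.
MARKERS = (b"gh-token-monitor", b"api.github.com/user")
# Assumption: the Linux unit sits in the standard systemd user-unit directory.
# The article gives no unit file name, so files match by name or by content.
PERSISTENCE_DIRS = ("Library/LaunchAgents", ".config/systemd/user")


def find_token_monitor(home):
    """Return sorted paths (relative to home) that look like the token monitor."""
    found = set()
    for rel_dir in PERSISTENCE_DIRS:
        base = os.path.join(home, rel_dir)
        if not os.path.isdir(base):
            continue
        for name in os.listdir(base):
            path = os.path.join(base, name)
            if not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:  # plists may be binary
                    head = fh.read(65536)
            except OSError:
                continue
            if MARKERS[0] in name.encode() or any(m in head for m in MARKERS):
                found.add(f"{rel_dir}/{name}")
    return sorted(found)


def revocation_gate(host_isolated, artifacts):
    """Decide whether the token may be revoked yet: (allowed, reason)."""
    if host_isolated:
        return True, "host isolated; revoke the token"
    if artifacts:
        return False, "token monitor present; isolate host before revoking"
    # No artifact is not proof of absence: a copy of the toolkit can be renamed.
    return False, "host not isolated; isolate before revoking"


def demo():
    """Scan a constructed home directory (all sample files are made up)."""
    samples = {
        "Library/LaunchAgents/com.user.gh-token-monitor.plist": b"<plist/>",
        ".config/systemd/user/session-helper.service":
            b"[Service]\nExecStart=%h/.local/bin/gh-token-monitor\n",
        ".config/systemd/user/backup.service":
            b"[Service]\nExecStart=/usr/bin/true\n",
    }
    with tempfile.TemporaryDirectory() as home:
        for rel, body in samples.items():
            path = os.path.join(home, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return find_token_monitor(home)


if __name__ == "__main__":
    hits = find_token_monitor(os.path.expanduser("~"))
    print(hits, revocation_gate(False, hits))
```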
Two additional organizational controls deserve attention that they have not consistently received in post-Shai-Hulud coverage. First, restricting id-token: write permissions to only the specific workflow steps that require OIDC token exchange — rather than granting them at the job level — substantially reduces the memory extraction surface. The Shai-Hulud OIDC attack requires a valid OIDC token scoped for npm publishing to be present in runner process memory at the time of infection. Scope restriction does not eliminate the risk, but it narrows the window considerably. Second, npm publish token invalidation at the repository level — which GitHub executed for 61,274 tokens after the TanStack wave — is a reactive control that could be applied proactively for any token that has not been used for a defined period. The supply chain attack economics depend on large numbers of dormant maintainer tokens remaining valid indefinitely. Routine token rotation, inconvenient as it is for open-source maintainers who publish infrequently, degrades the value of the credential pipeline that the entire Shai-Hulud business model rests on.
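An audit for the first control, added as an example and not GitHub's or the article's code: GitHub Actions accepts a permissions block at workflow or job level, so the audit treats a dedicated publish job as the narrowest grant and flags any job that both holds id-token: write and runs dependency installs. The install-command list and both sample workflows are constructed assumptions.

```python
import re
# Assumption: these commands stand in for "runs third-party install code".
INSTALL_RE = re.compile(r"\b(npm (ci|install)|pnpm install|yarn install|pip install)\b")
GRANT_RE = re.compile(r"\bid-token:\s*write\b|\bpermissions:\s*write-all\b")


def split_workflow(text):
    """Split a workflow into (top_level_text, {job: body}) by indentation."""
    top, jobs, current, in_jobs, job_indent = [], {}, None, False, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            in_jobs, current = line.startswith("jobs:"), None
        if not in_jobs:
            top.append(line)
        elif indent > 0:
            job_indent = job_indent or indent
            if indent == job_indent:      # a job header such as "  build:"
                current = line.strip().rstrip(":")
                jobs[current] = []
            elif current is not None:
                jobs[current].append(line)
    return "\n".join(top), {k: "\n".join(v) for k, v in jobs.items()}


def audit(text):
    """Return [(job, grant_source)] for jobs that hold an OIDC grant and install deps."""
    top, jobs = split_workflow(text)
    workflow_grant = bool(GRANT_RE.search(top))
    findings = []
    for name, body in jobs.items():
        # A job-level permissions block replaces the workflow-level one.
        own = bool(re.search(r"^\s*permissions:", body, re.M))
        granted = bool(GRANT_RE.search(body)) if own else workflow_grant
        if granted and INSTALL_RE.search(body):
            findings.append((name, "job" if own else "workflow"))
    return findings

# Constructed sample workflows (not from the article or any real project).
BROAD = """\
on: push
permissions: {contents: read, id-token: write}
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm publish --provenance
"""
NARROW = """\
on: push
permissions: {contents: read}
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm pack
      - uses: actions/upload-artifact@v4
        with: {name: pkg, path: "*.tgz"}
  publish:
    needs: build
    runs-on: ubuntu-latest
    permissions: {id-token: write}
    steps:
      - uses: actions/download-artifact@v4
      - run: npm publish pkg/*.tgz --provenance
"""

if __name__ == "__main__":
    print("broad:", audit(BROAD), "narrow:", audit(NARROW))
```

The parser reads indentation only and is meant for triage across many repositories; a clean result says the grant and the install step are in different jobs, not that the pipeline is otherwise hardened.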
_______________________
The Strategic Picture
Pull back from the technical specifics and the pattern is structurally familiar from a different domain: the proliferation of offensive cyber capabilities that were originally state-controlled and eventually became available to a broader pool of actors. The analogy is not perfect — TeamPCP is not a nation-state, and Shai-Hulud is not a nation-state-grade capability — but the mechanism is identical. A sophisticated actor develops a capability, operates it privately for operational gain, then makes a strategic decision to release it into the commons. The release serves the originating actor's interests while permanently altering the threat landscape for everyone downstream.
The Coruna mobile exploit kit precedent, documented in the DarkSword iOS campaign context, shows this pattern operating in the mobile exploitation space on a faster timeline than previously observed. The Shai-Hulud case shows it operating in the supply chain space with a deliberate contest mechanism to accelerate copycat adoption.
The question worth sitting with is: what happens when the next generation of supply chain tooling gets released? The Shai-Hulud framework is sophisticated but not uniquely so. The OIDC memory extraction technique is documented. The SLSA provenance bypass is documented. The dead-man's switch deterrence mechanism is documented. A better-resourced actor — or a nation-state with a supply chain mandate — could build a more capable framework on these foundations. If that framework were then open-sourced, with similar contest incentives and a similar attribution-fragmentation effect, the resulting wave of copycat activity would be substantially more damaging than what the security community is currently managing with Miasma and Hades.
The Vect ransomware partnership is the most underreported element of the TeamPCP story. SC Media documented Vect extorting victims whose credentials were sourced via TeamPCP supply chain compromise. Unit 42 confirmed the partnership. What has not been established publicly is the current operational status of that pipeline, or whether similar arrangements have been established with other RaaS operators. The credential-theft-to-ransomware pipeline is well-documented in other contexts — notably in the Scattered Spider and BlackCat affiliate operations — but the supply chain as an initial access vector for ransomware deployment has historically been less common than direct exploitation or phishing. The TeamPCP/Vect arrangement suggests that is changing.
_______________________
Assessment
The open-sourcing of Shai-Hulud is best understood as a deliberate act of attribution warfare rather than a conventional escalation. TeamPCP did not release the code because they were done with it; the post-release Miasma and Hades waves — whatever their precise attribution — demonstrate that the campaign continues to evolve. They released it because a public codebase serves their operational security interests more than a private one does, and because the BreachForums contest generated a distributed initial access operation that costs them $1,000 while producing credential pipeline value that significantly exceeds that figure.
The analytical inference from the public record — confidence: medium-high — is that TeamPCP's primary operational interest is now the credential pipeline feeding the Vect RaaS relationship and the access broker market, rather than direct monetization through ransomware deployment. The open-source release is consistent with a group that has solved the upstream problem (credential acquisition at scale) and is optimizing for the downstream problem (monetization infrastructure and deniability). The contest participants are a distributed acquisition workforce. The copycat campaigns are a deniability layer. The Vect partnership is the monetization exit.
What this means for the supply chain security field is harder to state without overclaiming. SLSA provenance attestation is not broken — it continues to provide meaningful protection against a range of supply chain attacks. But the Shai-Hulud campaign has demonstrated, with reproducible public documentation, the precise conditions under which it fails. Those conditions — a compromised CI runner with OIDC token write access — are not exotic. They are the normal state of a GitHub Actions pipeline that has not been specifically hardened against this attack class.
The field is not behind. But it is behind on this specific attack surface, and the open-sourcing of the toolkit means that the window for getting ahead of it is narrower than it was two weeks ago.
_______________________
Sources: Datadog Security Labs, May 13, 2026 (static analysis of open-sourced framework); Security Boulevard / Tenable FAQ, May 2026; Akamai Security Research, May 2026; Unit 42 / Palo Alto Networks, npm threat landscape (updated June 2, 2026); Socket Research, BreachForums contest analysis, May 2026; SecurityWeek, May 15, 2026; OX Security, copycat analysis, May 2026; Snyk, AntV wave analysis, May 2026; Microsoft Security Blog, May 20, 2026; GitHub Security Blog, May 2026; Protos Labs deep-dive, June 2026; Zscaler ThreatLabz, Shai-Hulud campaign evolution, June 12, 2026; SC Media, May 2026; Falcon Feeds, campaign analysis, May 2026; Cloudsmith, Miasma analysis, June 2026; Socket, PyPI Hades wave, June 2026.
— Jonathan Brown, Border Cyber Group | bordercybergroup.com