TeamPCP / Mini Shai-Hulud npm supply-chain worm — wave 4 + framework source leak

The TeamPCP / Mini Shai-Hulud story spans every working day of 2026-W20 and the daily briefs add a piece each day. Tuesday 2026-05-12: an attacker briefly published what appears to be the complete Shai-Hulud framework source (TypeScript / Bun) to a public GitHub repository attributed to TeamPCP, taken down within hours but mirrored widely; the public source disclosure inverts the threat model — every IDE, EDR, and PR-review vendor now has access to the same artefact the operator was using but defenders must assume new variants will appear with one to two days' lead-time on signatures (Datadog Security Labs static analysis, 2026-05-13; daily 2026-05-15 UPDATE). Wednesday 2026-05-13: Wave 4 hits — 170+ packages / 400+ malicious versions compromised per daily-brief tracking across @tanstack (including react-router, ~12M weekly downloads), @uipath, @mistralai, @opensearch-project, and @guardrails-ai; the Wiz writeup confirms the same TeamPCP / UNC6780 / PCPJack attribution as prior waves (Wiz Blog, 2026-05-11; daily 2026-05-13 UPDATE). Friday 2026-05-15: OpenAI named as a victim; the company enforces code-signing certificate rotation across all macOS apps as remediation (daily 2026-05-15 UPDATE).

What W1 horizon research surfaced that the dailies could not yet see: Datadog's static analysis of the leaked source reveals two new capability classes that change the defender posture. First, IDE persistence via hook entries in .claude/settings.json (Claude Code) and .vscode/tasks.json — allowing arbitrary command execution on developer-workspace events; this is not a build-time supply-chain primitive but a developer-workstation persistence mechanism that survives npm install cleanup and outlives the malicious-package removal. Second, OIDC token extraction directly from /proc/<pid>/mem on GitHub Actions runners, used to forge Sigstore provenance attestations — meaning malicious packages can be published that are indistinguishable from legitimate ones by provenance verification alone. The W19 weekly already flagged ShinyHunters / WorldLeaks as a long-running operator-family pattern; the TeamPCP / Mini Shai-Hulud progression confirms a parallel ecosystem maturing on the npm registry side, now with publication-provenance forgery in the toolset. The leaked framework source materially elevates the risk of secondary operators applying Shai-Hulud-style techniques against other package registries (PyPI, Cargo, Maven Central) in 2026-W21 (Datadog Security Labs).

The defender pivot is two-fold: (1) for DevOps pipelines, provenance verification is necessary but no longer sufficient — supplement with publisher-pinning, two-factor publish enforcement, and post-install hash-pinning; (2) for developer workstations, treat .claude/settings.json / .vscode/tasks.json / equivalent IDE hook files as security-relevant configuration and add them to file-integrity-monitoring scope. The Datadog filesystem indicators (gh-token-monitor daemon process, claude@users.noreply.github.com commits in unexpected repositories, exfil-repo names matching "Shai-Hulud: Here We Go Again") are the right hunt seeds.