TeamPCP / Mini Shai-Hulud (ShinyHunters / WorldLeaks adjacent) — wave 4 + framework leak + IDE persistence
From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17
Full coverage in § 2 (multi-day chain). Status-update register: the long-running operator-family pattern continues. Wave 4 (170+ packages / 400+ versions per daily-brief tracking) is the largest documented npm supply-chain wave to date. The leaked framework source materially changes both attacker and defender posture and elevates the risk of secondary operators applying the same techniques against PyPI / Cargo / Maven Central in 2026-W21. The ShinyHunters / WorldLeaks family logged in W19's long-running record (item:shinyhunters-worldleaks-family) overlaps with TeamPCP's npm-side ecosystem in operator targeting (AI-tooling SaaS, multi-tenant credential aggregation); the two clusters appear to be operating in parallel across the SaaS and registry attack surfaces, with no public attribution merging them.