TeamPCP / Mini Shai-Hulud supply-chain worm — CI/CD credential theft running all week; GitHub itself among claimed victims
From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18
If you did nothing this week: any pipeline that resolved an affected npm / PyPI / Packagist dependency, installed a poisoned VS Code extension, or was one of the 5,561 GitHub repositories mass-backdoored by the Megalodon sub-campaign has most likely had its OIDC tokens, cloud credentials and CI secrets exfiltrated — and GitHub itself was named in a breach claim this week.
The campaign escalated every day of the window (full trajectory in § 2). The defender-relevant constant is the propagation primitive: OIDC-token reuse across the registry trust boundary, plus IDE-hook and CI-workflow injection that runs at build time inside an already-trusted runner.

Unit 42 and StepSecurity confirmed on 2026-05-21 that SLSA Build Level 3 provenance attestation is no longer a reliable integrity gate for these waves. The reason is structural rather than a flaw in the attestation: provenance asserts that the expected builder produced the artefact from the stated source revision and workflow, not that those inputs were benign. The malicious build step executes inside the legitimately attested pipeline, so the attestation verifies cleanly and signs the compromised artefact. Treat a valid attestation as a pointer to the source commit and workflow run to examine, not as clearance.

Hunt for unexpected npm publish / npm stage events, outbound connections from CI runners to non-registry hosts, and IDE-hook entries (.vscode/tasks.json, .claude/settings.json) committed in dependency updates. Rotate any CI token that was live during a dependency bump in the window; do not trust provenance attestation alone to clear a package.
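The three hunts above (hook files committed in a dependency bump, off-registry egress from runners, tokens live during a bump) as an added worked example; this is not code from the brief, Unit 42 or StepSecurity. Only the two hook paths .vscode/tasks.json and .claude/settings.json come from the brief; the .github/workflows globs, the allowlist of registry hosts, the egress-log line format and all sample inputs are this example's own assumptions. The `runOptions.runOn == "folderOpen"` check relies on the VS Code tasks.json feature that starts a task when the folder is opened.

```python
"""Hunt helpers for the indicators above. Added example; every input is constructed."""
import fnmatch
import json
import re
from datetime import datetime

# Paths that run code at editor open or build time. The first two are the hook paths
# named in the brief; the workflow globs are an extension (assumption) for CI-workflow injection.
HOOK_GLOBS = (".vscode/tasks.json", ".claude/settings.json",
              ".github/workflows/*.yml", ".github/workflows/*.yaml")


def _is_hook_path(path):
    """Match each glob against every '/'-suffix so nested workspace packages count too."""
    parts = path.split("/")
    return any(fnmatch.fnmatch("/".join(parts[i:]), g)
               for i in range(len(parts)) for g in HOOK_GLOBS)


def _autorun_tasks(content):
    """Return the command of each VS Code task that auto-starts on folder open
    (runOptions.runOn == "folderOpen"); tasks.json is often JSONC, so parse failures are reported."""
    try:
        data = json.loads(content)
    except json.JSONDecodeError:
        return ["tasks.json did not parse as JSON; review manually"]
    return [f"VS Code task auto-runs on folder open: {t.get('command', '?')}"
            for t in data.get("tasks", [])
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]


def flag_hook_files(changed_files):
    """changed_files: {path: content} for files touched by a dependency-bump commit
    (e.g. from `git diff --name-only` plus `git show`). Returns (path, reason) findings."""
    findings = []
    for path, content in changed_files.items():
        if _is_hook_path(path):
            findings.append((path, "hook/CI file modified in a dependency bump"))
        if path.endswith(".vscode/tasks.json"):
            findings.extend((path, r) for r in _autorun_tasks(content))
    return findings


# Egress-log format used by this example (constructed): "<ts> runner=<id> dst=<host>:<port> ...".
EGRESS_RE = re.compile(r"runner=(?P<runner>\S+)\s+dst=(?P<host>[^:\s]+):(?P<port>\d+)")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def flag_egress(log_lines, allowed_hosts):
    """Return (runner, host, reason) for runner connections to hosts outside the
    registry/VCS allowlist. Raw IPs are called out: registries are not fetched by address."""
    findings = []
    for line in log_lines:
        m = EGRESS_RE.search(line)
        if not m or m["host"].lower() in allowed_hosts:
            continue
        host = m["host"].lower()
        reason = "raw IP destination" if IPV4_RE.fullmatch(host) else "non-allowlisted host"
        findings.append((m["runner"], host, reason))
    return findings


def tokens_to_rotate(tokens, bump_run_times):
    """tokens: {id: (issued_at, expires_at)}; bump_run_times: start times of pipeline runs
    that bumped a dependency (ISO-8601 UTC, Z suffix). Flag tokens valid at any such instant."""
    def ts(s):
        return datetime.fromisoformat(s.replace("Z", "+00:00"))
    bumps = [ts(b) for b in bump_run_times]
    return sorted(tid for tid, (iss, exp) in tokens.items()
                  if any(ts(iss) <= b <= ts(exp) for b in bumps))


# --- constructed sample inputs (not real telemetry) ---------------------------------
SAMPLE_CHANGED_FILES = {
    "package.json": '{"dependencies": {"left-pad": "1.3.0"}}',
    ".vscode/tasks.json": json.dumps({"version": "2.0.0", "tasks": [
        {"label": "bootstrap", "type": "shell", "command": "node scripts/setup.js",
         "runOptions": {"runOn": "folderOpen"}}]}),
    "packages/api/.claude/settings.json": '{"hooks": {}}',
    "README.md": "# demo",
}
SAMPLE_EGRESS = [
    "2026-05-20T09:14:02Z runner=gh-runner-07 dst=registry.npmjs.org:443 bytes_out=2311",
    "2026-05-20T09:14:09Z runner=gh-runner-07 dst=198.51.100.23:443 bytes_out=48120",
    "2026-05-20T09:14:11Z runner=gh-runner-07 dst=updates.example.net:443 bytes_out=33070",
]
ALLOWED_HOSTS = {"registry.npmjs.org", "pypi.org", "files.pythonhosted.org",
                 "repo.packagist.org", "github.com", "api.github.com"}
SAMPLE_TOKENS = {"tok-deploy-aws": ("2026-05-19T00:00:00Z", "2026-05-22T00:00:00Z"),
                 "tok-npm-publish": ("2026-05-23T00:00:00Z", "2026-05-24T00:00:00Z"),
                 "tok-release-sign": ("2026-05-20T09:00:00Z", "2026-05-20T10:00:00Z")}
SAMPLE_BUMP_RUNS = ["2026-05-20T09:14:00Z"]


def run_hunt():
    """Run all three checks over the constructed samples."""
    return {"hook_files": flag_hook_files(SAMPLE_CHANGED_FILES),
            "egress": flag_egress(SAMPLE_EGRESS, ALLOWED_HOSTS),
            "rotate": tokens_to_rotate(SAMPLE_TOKENS, SAMPLE_BUMP_RUNS)}
```

Calling `run_hunt()` on the samples flags the tasks.json twice (once as a hook path, once for the folder-open auto-run), flags the nested .claude/settings.json, reports the raw-IP and unknown-host connections, and names the two tokens that were valid when the bump ran. Feed `flag_hook_files` the real file contents of each dependency-bump commit in the window and `flag_egress` your runner egress logs in whatever format they use (adjust `EGRESS_RE`); the hook-path list should be extended with whatever other editor or git-hook directories your repositories carry.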