TeamPCP / Mini Shai-Hulud supply-chain worm — wave 5 reaches Packagist (PHP); framework source code leaked; OpenAI named as victim

The Mini Shai-Hulud campaign (attributed to TeamPCP / UNC6780) dominated the week's supply-chain security coverage across all five daily briefs, each adding a new layer.

At the start of the coverage window (2026-05-12), the Checkmarx Jenkins AST plugin backdoor became the third Checkmarx ecosystem component compromised — TeamPCP's pivot from npm into a CI/CD tooling vendor's plugin distribution. By 2026-05-13, wave-4 npm packages (160+ versions) hit TanStack, UiPath, Mistral AI, and OpenSearch; the worm's self-propagating mechanism — OIDC-token reuse to publish new malicious versions under victim-held package namespaces — was fully documented by StepSecurity. By 2026-05-15, OpenAI was named as a victim of the wave-4 infection and conducted a code-signing certificate rotation; Datadog Security Labs published a full static analysis of the leaked "Shai-Hulud" offensive framework source code, documenting IDE-hook persistence (.claude/settings.json, .vscode/tasks.json), Sigstore-provenance-bypass techniques, and the multi-registry OIDC-token propagation architecture. By 2026-05-16, node-ipc (90+ dependent packages) was backdoored via expired-domain account takeover — a separate but thematically linked supply-chain incident. On 2026-05-16, Socket.dev and Semgrep confirmed wave 5: intercom/intercom-php@5.0.2 weaponised as a Composer plugin, extending the worm to PHP Packagist (20.7M lifetime installs). As of 2026-05-18, Cargo (Rust) and Maven (Java) have not been confirmed as targets.

Defenders: lock intercom/intercom-php to ≤ 5.0.1; audit Composer install logs for unexpected outbound connections from composer install processes; pre-stage hunts for IDE-hook entries in .claude/settings.json and .vscode/tasks.json; enable Sigstore provenance verification for npm packages; monitor OIDC token scope claims in CI/CD pipeline logs.