Mini Shai-Hulud / TrapDoor — the supply-chain worm goes cross-ecosystem, open-source and destructive
From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25
The npm-born self-propagating supply-chain worm widened on two axes this week. TrapDoor — a cross-ecosystem (npm / PyPI / crates) stealer campaign — was documented validating stolen tokens before exfiltration and poisoning AI-assistant configuration files to persist across developer sessions (2026-05-26). In parallel, the Mini Shai-Hulud / TeamPCP framework was open-sourced, a trojanised Microsoft PyPI SDK was shipped with a wiper stage, and the operators forged Sigstore provenance badges to launder trust (2026-05-26 update).
Read across the days, the trajectory is the story: the propagation primitive (OIDC-token reuse) is now commoditised, the blast radius spans three major registries, and the payload added a destructive option on top of credential theft. This connects directly to the W21 watch item flagging Cargo and Maven as the un-hit wave-6 candidate registries, and to the npm staged-publishing GA (§ 8) that is the first registry-level structural answer. Pre-stage Sigstore / provenance-anomaly hunts in Rust and Java dependency pipelines and gate internal publishing behind interactive promotion.
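The provenance-anomaly hunt recommended above, as an added example that is not part of the brief or of any registry's tooling. It assumes a constructed, simplified view of a release's Sigstore/SLSA provenance claims (issuer, source repository, workflow, trigger) that have already been cryptographically verified upstream; the package names, repositories and the `TRUSTED_ISSUERS` / `EXPECTED_REPO` policy tables are hypothetical. It flags the patterns that matter after this week's events: a release whose attestation points at a different repo or workflow than the previous release, a package that used to ship provenance and suddenly does not (a token-reuse publish), and an attestation issued by something other than the OIDC issuer the package is expected to build under, which is the check a forged provenance badge cannot pass.

```python
"""Provenance-anomaly hunt over per-release publish metadata (added example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified view of a release's provenance claims. Real attestations
# are signed DSSE envelopes; this assumes the signature was verified upstream and
# only the decoded claims are handed in.
@dataclass(frozen=True)
class Provenance:
    issuer: str        # OIDC issuer that vouched for the build identity
    source_repo: str   # repository the build claims as its source
    workflow: str      # workflow file inside that repo
    trigger: str       # event that started the build (push, release, ...)

@dataclass(frozen=True)
class Release:
    package: str
    version: str
    provenance: Optional[Provenance]   # None = published without attestation

# Policy inputs (hypothetical values, not from the brief): trusted OIDC issuers
# and the repository each package is expected to build from.
TRUSTED_ISSUERS = {"https://token.actions.githubusercontent.com"}
EXPECTED_REPO = {
    "good-pkg": "github.com/example-org/good-pkg",
    "drift-pkg": "github.com/example-org/drift-pkg",
    "downgrade-pkg": "github.com/example-org/downgrade-pkg",
    "badge-pkg": "github.com/example-org/badge-pkg",
}

def hunt(releases: list[Release], expected_repo: dict[str, str],
         trusted_issuers: set[str]) -> list[tuple[str, str, str]]:
    """Return (package, version, finding) triples.

    Releases must be in publish order per package so that each one can be
    compared against the previous release of the same package.
    """
    findings: list[tuple[str, str, str]] = []
    previous: dict[str, Release] = {}
    for rel in releases:
        prev = previous.get(rel.package)
        prev_prov = prev.provenance if prev is not None else None
        prov = rel.provenance
        if prov is None:
            if prev_prov is not None:
                # Attestations stopped: the classic footprint of a publish made
                # with a reused token outside the normal build pipeline.
                findings.append((rel.package, rel.version, "provenance-downgrade"))
            elif rel.package in expected_repo:
                # Policy expects provenance for this package and none was ever seen.
                findings.append((rel.package, rel.version, "no-provenance"))
        else:
            if prov.issuer not in trusted_issuers:
                # A badge on a project page proves nothing; the issuer does.
                findings.append((rel.package, rel.version, "untrusted-issuer"))
            expected = expected_repo.get(rel.package)
            if expected is not None and prov.source_repo != expected:
                findings.append((rel.package, rel.version, "repo-mismatch"))
            if prev_prov is not None:
                if (prov.source_repo, prov.workflow) != (prev_prov.source_repo, prev_prov.workflow):
                    findings.append((rel.package, rel.version, "identity-drift"))
                if prov.trigger != prev_prov.trigger:
                    findings.append((rel.package, rel.version, "trigger-change"))
        previous[rel.package] = rel
    return findings

def sample_releases() -> list[Release]:
    """Constructed publish history covering one clean package and three anomalies."""
    gh = "https://token.actions.githubusercontent.com"
    wf = ".github/workflows/release.yml"
    return [
        Release("good-pkg", "1.0.0", Provenance(gh, "github.com/example-org/good-pkg", wf, "push")),
        Release("good-pkg", "1.0.1", Provenance(gh, "github.com/example-org/good-pkg", wf, "push")),
        Release("drift-pkg", "2.0.0", Provenance(gh, "github.com/example-org/drift-pkg", wf, "push")),
        # Same trusted issuer, but the build now comes from an unrelated account,
        # a different workflow and a manual trigger.
        Release("drift-pkg", "2.0.1", Provenance(gh, "github.com/unrelated-account/drift-pkg",
                                                 ".github/workflows/publish.yml", "workflow_dispatch")),
        Release("downgrade-pkg", "0.9.0", Provenance(gh, "github.com/example-org/downgrade-pkg", wf, "push")),
        Release("downgrade-pkg", "0.9.1", None),
        # Attestation claims the right repo but was issued by an unknown identity provider.
        Release("badge-pkg", "3.0.0", Provenance("https://badge.example.invalid",
                                                 "github.com/example-org/badge-pkg", wf, "push")),
    ]

def run_sample() -> list[tuple[str, str, str]]:
    return hunt(sample_releases(), EXPECTED_REPO, TRUSTED_ISSUERS)

if __name__ == "__main__":
    for package, version, finding in run_sample():
        print(f"{package}@{version}: {finding}")
```

The `identity-drift` and `trigger-change` rules deliberately fire even when the issuer is trusted: the wave this week was driven by legitimate OIDC tokens reused from a different context, so the anomaly is a change in who or what built the release, not a missing signature. In a real pipeline the decoded claims come from a verified attestation (for example the output of a registry's signature-verification command), and the "previous release" baseline should be the last release that was promoted interactively, which is where the staged-publishing gate in § 8 fits.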