ctipilot.ch

TeamPCP — threat actor targeting software supply chains

actor · actor:TeamPCP

Coverage timeline: 4 appearances (first 2026-05-06 → last 2026-05-31)
Briefs: 4 (4 distinct)
Sources cited: 73 (35 hosts)
Sections touched: 3 (research, updates, weekly_summary)
Co-occurring entities: 8

Story timeline

  1. 2026-05-31 · CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026)
    weekly_summary: Consolidated in weekly summary for week W22
  2. 2026-05-12 · CTI Daily Brief — 2026-05-12
    updates: Backdoored Checkmarx Jenkins AST plugin version 2026.5.09 published to Jenkins Marketplace 2026-05-09 to 2026-05-10; SANDCLOCK credential stealer exfiltrates Jenkins runner secrets (cloud keys, container registry credentials, Checkmarx API tokens, LLM API keys). Third Checkmarx supply-chain compromise in three months. CVE-2026-33634 assigned.
  3. 2026-05-10 · CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
    weekly_summary: Consolidated in weekly summary for week 2026-W19
  4. 2026-05-06 · CTI Daily Brief — 2026-05-06
    research: First coverage. SAP npm supply-chain worm (Mini Shai-Hulud) targeting developer environments and CI/CD pipelines; cloud credential harvesting; AI coding agent config weaponisation via .claude/settings.json.

Where this entity is cited

  • weekly_summary: 2
  • research: 1
  • updates: 1

Source distribution

  • thehackernews.com: 12 (16%)
  • nvd.nist.gov: 5 (7%)
  • helpnetsecurity.com: 4 (5%)
  • isc.sans.edu: 4 (5%)
  • socket.dev: 4 (5%)
  • wiz.io: 4 (5%)
  • bleepingcomputer.com: 3 (4%)
  • github.blog: 3 (4%)
  • other: 34 (47%)

Items in briefs about TeamPCP — threat actor targeting software supply chains (27)

Shai-Hulud / Miasma supply-chain worm lineage — open-sourced, ported to PyPI, and a 1,500-package AUR wave

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

The supply-chain-worm family the W23 weekly consolidated under the Miasma/IronWorm banner spent this week proliferating across ecosystems and operators. On 9 June a SANS ISC handler tracked TeamPCP open-sourcing its Mini Shai-Hulud framework, immediately spawning a "Phantom Gyp" derivative (SANS ISC; daily 06-09). On 10 June the lineage opened a PyPI front dubbed "Hades" — 37 malicious wheels across 19 packages (The Hacker News; daily 06-10).

The week's largest wave hit the Arch User Repository. "Atomic Arch" began with roughly 400 orphaned AUR packages adopted and re-pointed to a Rust credential-stealer plus eBPF rootkit (The Hacker News; Sonatype; daily 06-13); a second wave around 12 June expanded the count further (tracker estimates range from the 400+ in primary reporting to ~1,500) and swapped some PKGBUILD delivery from npm dependency injection to bun install js-digest — active operator iteration against detection. The npm delivery mechanism has been linked by SANS ISC and subsequent reporting to the broader Shai-Hulud supply-chain family. Official Arch core/extra repositories were not affected; only adopted AUR packages. For defenders the through-line is constant: install-time script execution is the kill chain, and npm/bun/AUR build steps need to be treated as untrusted code execution in CI/CD.

npm v12 will disable install scripts by default — audit CI/CD pipelines before July

From CTI Daily Brief — 2026-06-12 · published 2026-06-12

GitHub announced that npm v12 (expected July 2026) disables dependency lifecycle scripts (preinstall/install/postinstall, including implicit node-gyp builds) by default, requires npm approve-scripts for explicit opt-in, and blocks Git/remote-URL dependencies without --allow-git/--allow-remote (GitHub Changelog, 2026-06-09). This is a structural response to the install-script abuse that powered this spring's npm worm wave (Shai-Hulud/Miasma, IronWorm, TeamPCP — coverage 2026-06-06 through 2026-06-10) and brings npm in line with other package managers that already block install scripts by default (BleepingComputer, 2026-06-11). The warnings are live today in npm ≥ 11.16.0. Defender takeaway: this is a breaking change with a security upside — run npm install under 11.16.0 now to enumerate deprecation warnings, build the script allow-list before v12 ships, and treat any pipeline that must keep scripts enabled wholesale as a finding.
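
A starting point for that allow-list, as an added example (not code from npm or from the cited reports): it reads a package-lock.json (lockfileVersion 2 or 3), lists every dependency npm has recorded with hasInstallScript, and separately reports dependencies resolved from anything other than the registry. The sample lockfile, its package names and the REGISTRY_HOSTS default are constructed assumptions.

```python
import json
import sys
from urllib.parse import urlparse

# Assumption: the public registry is the only approved tarball source.
# Add an internal mirror's hostname here if you use one.
REGISTRY_HOSTS = {"registry.npmjs.org"}


def package_name(lock_key):
    """Map a lockfile key such as 'node_modules/a/node_modules/@s/b' to '@s/b'."""
    return lock_key.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock, approved_scripts):
    """Return findings for a parsed package-lock.json (lockfileVersion 2 or 3)."""
    if "packages" not in lock:
        raise ValueError("no 'packages' map: lockfileVersion 1 is not supported")
    findings = {"unapproved_scripts": [], "approved_scripts": [],
                "non_registry": [], "missing_integrity": []}
    for key, meta in sorted(lock["packages"].items()):
        if key == "" or meta.get("link"):
            continue  # root project or workspace symlink: nothing is downloaded
        name = package_name(key)
        ident = "%s@%s" % (name, meta.get("version", "?"))
        if meta.get("hasInstallScript"):
            bucket = "approved_scripts" if name in approved_scripts else "unapproved_scripts"
            findings[bucket].append(ident)
        resolved = meta.get("resolved")
        if not resolved:
            continue  # bundled dependency, shipped inside its parent's tarball
        url = urlparse(resolved)
        if url.scheme != "https" or url.hostname not in REGISTRY_HOSTS:
            # git+ssh://, plain http:// and remote tarball URLs all land here
            findings["non_registry"].append("%s <- %s" % (ident, resolved))
        elif not meta.get("integrity"):
            findings["missing_integrity"].append(ident)
    return findings


# Constructed sample lockfile; hashes and the git host are placeholders.
SAMPLE_LOCK = json.loads("""
{
  "name": "constructed-app", "version": "1.0.0", "lockfileVersion": 3,
  "packages": {
    "": {"name": "constructed-app", "version": "1.0.0"},
    "node_modules/esbuild": {
      "version": "0.21.5",
      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.21.5.tgz",
      "integrity": "sha512-CONSTRUCTED", "hasInstallScript": true},
    "node_modules/constructed-native-addon": {
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/constructed-native-addon/-/constructed-native-addon-2.1.0.tgz",
      "integrity": "sha512-CONSTRUCTED", "hasInstallScript": true},
    "node_modules/@constructed/git-dep": {
      "version": "0.3.0",
      "resolved": "git+ssh://git@git.example.invalid/constructed/git-dep.git#0000000000000000000000000000000000000000"},
    "node_modules/constructed-native-addon/node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"}
  }
}
""")

if __name__ == "__main__":
    # Usage: python audit_lock.py package-lock.json approved-pkg-1 approved-pkg-2 ...
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock_doc = json.load(fh)
    else:
        lock_doc = SAMPLE_LOCK
    report = audit_lockfile(lock_doc, set(sys.argv[2:]) or {"esbuild"})
    for category, items in report.items():
        for item in items:
            print("%-18s %s" % (category, item))
    # Non-zero exit lets a CI job fail on anything outside the allow-list.
    sys.exit(1 if report["unapproved_scripts"] or report["non_registry"] else 0)
```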

UPDATE: TeamPCP open-sources its Mini Shai-Hulud framework, spawning a new "Phantom Gyp" derivative

From CTI Daily Brief — 2026-06-09 · published 2026-06-09

UPDATE (originally covered 2026-06-06): A SANS ISC handler diary tracking the TeamPCP supply-chain campaign through 7 June reports the operators have open-sourced their Mini Shai-Hulud framework on GitHub, triggering a second wave of derivative campaigns (SANS ISC, 2026-06-08). Beyond the previously-covered Miasma worm — which compromised npm packages including Red Hat's @redhat-cloud-services scope (Wiz, 2026-06-01) — the diary names a newly-tracked Phantom Gyp campaign that abuses node-gyp / binding.gyp install-time script execution in compromised npm packages; both inject malicious CI/CD hooks (SANS ISC, 2026-06-08).

The diary's load-bearing detection-engineering point: valid SLSA provenance attestations do not protect against supply-chain injection when the build environment itself is subverted from the inside. The recommended shift is from attestation-verification to build-pipeline integrity — monitor GitHub Actions runner process trees for unexpected outbound network from within a build, alert on actions/upload-artifact shipping signed-but-anomalous binaries, and cross-check published package checksums against CI logs via independent transparency ledgers (e.g. Sigstore Rekor). EU/Swiss public-sector teams running npm-based automation or Red Hat tooling should audit CI/CD pipeline definitions for unexpected workflow-step insertions.

Miasma / TeamPCP supply-chain worm: from npm credential theft to AI coding-agent config injection across the week

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

The Miasma arc produced the week's clearest attack-evolution story — two distinct technique pivots in five days, both in a single actor's ongoing CI/CD intrusion campaign.

Monday 2 June (daily 2026-06-02): TeamPCP used a compromised Red Hat maintainer GitHub account to inject malicious CI/CD workflows into 32 packages in the @redhat-cloud-services npm namespace via GitHub Actions OIDC trusted-publishing abuse, poisoning ~80,000–117,000 weekly downloads across 96 releases (Wiz; Aikido Security; Socket). The "Miasma" payload — a Mini Shai-Hulud descendant — swept GitHub Actions secrets, AWS keys, SSH keys, and added new dedicated collectors for GCP service-account and Azure managed-identity tokens, signalling a pivot from developer-host theft to cloud-account takeover.

Friday 6 June (daily 2026-06-06): Rather than continuing to poison npm packages, the actor shifted technique entirely: malicious commits were planted directly in the source repositories of 73 Microsoft and Microsoft-adjacent GitHub repos, wiring execution to AI coding agent workspace-config files rather than npm install lifecycle hooks (OpenSourceMalware; The Hacker News). GitHub disabled all 73 repos in a 105-second automated sweep. StepSecurity's forensic analysis found the entry credential was the same contributor account compromised in the May 19, 2026 PyPI attack (TeamPCP infrastructure overlap); full credential revocation was not confirmed. Azure Durable Task CI/CD pipelines that reference azure-functions-action were globally disrupted.

At week close, the Cargo (Rust) registry remained un-hit (the W22 looking-ahead prediction it was the next target was not confirmed in this window). The AI-coding-agent config injection vector is a structural expansion of the attack surface: any CI/CD environment where CLAUDE.md, .cursor/rules, or .gemini/ files are treated as executable code rather than data is now an active target class.

UPDATE: Miasma supply-chain worm reaches 73 Microsoft GitHub repositories, adds Azure credential collectors

From CTI Daily Brief — 2026-06-06 · published 2026-06-06

UPDATE (originally covered 2026-06-02): The Miasma worm — the TeamPCP-spawned descendant of the Mini Shai-Hulud lineage first covered against the Red Hat @redhat-cloud-services npm namespace — recompromised the durabletask package and propagated into the Microsoft GitHub estate. On 2026-06-05 GitHub disabled 73 repositories across the Azure, Azure-Samples, Microsoft and MicrosoftDocs organisations in a 105-second automated terms-of-service sweep, taking the entire Azure Durable Task family (.NET, Go, Java, JS, MSSQL, Netherite, protobuf) offline (OpenSourceMalware, 2026-06-05; The Hacker News, 2026-06-06).

The material delta from the 2026-06-02 coverage: the variant adds Azure CLI auth-cache and managed-identity token collectors (earlier Shai-Hulud strains targeted AWS and GitHub), and the recompromise traces to the same durabletask credential foothold from the May TeamPCP incident — i.e. credentials taken in May were never fully revoked. Azure Durable Task is a foundational dependency for Azure Functions / serverless workflows widely consumed in EU public-sector cloud deployments, so the downstream exposure is cloud infrastructure, not just developer machines.

Defender takeaway: audit ~/.azure/ credential stores on developer workstations and CI/CD runners that installed any affected @azure/* package; rotate Azure managed-identity tokens and Kubernetes service-account tokens on those systems; monitor GitHub audit logs for unexpected public-repo creation (the worm's secret-exfil-as-public-repo behaviour is what trips GitHub's automated sweep). Note the worm-vs-defender naming overlap is real here — "Miasma" is the attacker worm, not a tool.

"Miasma" worm backdoors 32 Red Hat Cloud Services npm packages via OIDC trusted-publishing abuse

From CTI Daily Brief — 2026-06-02 · published 2026-06-02

Threat actor cluster TeamPCP used a compromised Red Hat maintainer GitHub account to inject malicious CI/CD workflows into 32 packages in the @redhat-cloud-services npm namespace, poisoning 96 releases across high-traffic packages — Wiz puts the combined weekly downloads at roughly 80,000, while Aikido counts closer to 117,000 (Wiz, 2026-06-01 · Aikido Security, 2026-06-01). Rather than compromising developer machines directly, the attack abused GitHub Actions OIDC trusted publishing so the CI/CD pipeline itself republished backdoored packages carrying obfuscated preinstall hooks. The "Miasma" payload — a new variant in the Mini Shai-Hulud / Shai-Hulud lineage — sweeps for GitHub Actions secrets, npm tokens, AWS keys, SSH keys, HashiCorp Vault and Kubernetes credentials, and now adds dedicated collectors for GCP service-account and Azure managed-identity tokens, signalling a pivot from developer-host theft toward cloud-account takeover (Socket, 2026-06-01). Wiz notes the new variant's cloud-identity focus explicitly.

Why it matters to us: Red Hat tooling has a broad EU public-sector DevOps footprint (OpenShift/OpenStack estates). Inventory installed @redhat-cloud-services/* versions across build agents and developer endpoints, alert on preinstall scripts spawning obfuscated node -e chains from npm/npx parent trees, and rotate any CI/CD cloud-identity tokens reachable from affected pipelines.

UPDATE: TeamPCP / Mini Shai-Hulud — framework open-sourced, Microsoft PyPI SDK trojanised with a wiper stage, forged Sigstore badges

From CTI Daily Brief — 2026-05-26 · published 2026-05-26

UPDATE (originally covered 2026-05-21, consolidated weekly update): SANS ISC handler Kenneth Hartman documents three material escalations in the TeamPCP / Mini Shai-Hulud supply-chain campaign through 2026-05-24 (SANS Internet Storm Center, 2026-05-25). First, the complete TeamPCP framework was published to a public GitHub repository on/around 2026-05-22 — Datadog Security Labs' static analysis (reported by ISC) describes a modular TypeScript/Bun toolkit for credential harvesting, supply-chain poisoning and encrypted exfiltration whose README carries the strings "Love - TeamPCP" and "Change keys and C2 as needed" — and operational copycat forks appeared within hours, commoditising the kit and injecting attribution noise.

Second, an @antv npm wave pushed 639 malicious versions across 323 packages, including high-traffic libraries such as echarts-for-react (~1.1M weekly downloads) and size-sensor (~4.2M weekly downloads); 42 of the packages displayed forged Sigstore verification badges in the npm UI (The Hacker News, 2026-05-19). Read against the campaign's earlier abuse of genuine SLSA Build Level 3 attestations produced by hijacked pipelines, package provenance is now under attack from both directions at once — real attestations from compromised CI and fake badges rendered by the registry UI. Third, three versions of durabletask (1.4.1–1.4.3) on PyPI — Microsoft's official Azure Durable Functions SDK — were trojanised, and ISC reports the second-stage payload includes a Linux disk wiper (T1485), expanding the campaign's capability from credential theft to data destruction.

Defender takeaway: treat any echarts-for-react / size-sensor build pulled in the affected window as compromised; stop treating an npm Sigstore badge or a displayed SLSA attestation as an install-time safety signal — verify provenance out-of-band against a known-good pipeline. durabletask consumers should audit build-runner logs for unexpected outbound connections and destructive disk operations (Sysmon EID 11 for anomalous file-deletion patterns, EID 3 for unexpected node/python egress from CI workers). Pin exact versions and verify lockfile hashes. The open-sourcing means PBKDF2-salt and dead-drop-string lineage will now also fire on unrelated copycats — behavioural detection on the install-time execution chain is more durable than any static artefact.

Mini Shai-Hulud / TrapDoor — the supply-chain worm goes cross-ecosystem, open-source and destructive

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

The npm-born self-propagating supply-chain worm widened on two axes this week. TrapDoor — a cross-ecosystem (npm / PyPI / crates) stealer campaign — was documented validating stolen tokens before exfiltration and poisoning AI-assistant configuration files to persist across developer sessions (2026-05-26). In parallel, the Mini Shai-Hulud / TeamPCP framework was open-sourced, a trojanised Microsoft PyPI SDK was shipped with a wiper stage, and the operators forged Sigstore provenance badges to launder trust (2026-05-26 update).

Read across the days, the trajectory is the story: the propagation primitive (OIDC-token reuse) is now commoditised, the blast radius spans three major registries, and the payload added a destructive option on top of credential theft. This connects directly to the W21 watch item flagging Cargo and Maven as the un-hit wave-6 candidate registries, and to the npm staged-publishing GA (§ 8) that is the first registry-level structural answer. Pre-stage Sigstore / provenance-anomaly hunts in Rust and Java dependency pipelines and gate internal publishing behind interactive promotion.

Mini Shai-Hulud / TeamPCP — @antv npm wave and confirmed Maven Central poisoning; Cargo still un-hit

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

Beyond the in-window TrapDoor and framework-open-sourcing covered in § 2, horizon research surfaced a development the dailies missed. Wiz documented a fresh wave (2026-05-19) in which TeamPCP hijacked a legitimate maintainer account to poison the @antv data-visualisation ecosystem on npm (@antv/g2, g6, x6, l7 and others, collectively millions of weekly downloads), running the standard Mini Shai-Hulud credential-harvest against GitHub/npm tokens and cloud keys across 80+ file paths. OX Security and Security Affairs documented copycat clones spreading after the source-code leak. On the W21 watch list of un-hit registries: npm remains the only ecosystem with a primary-confirmed poisoning this wave — horizon research flagged unverified secondary reporting of Maven Central exposure via the mvnpm npm-to-Maven bridge, but this run could not corroborate it against a primary source, so it is not asserted here, and Cargo / crates.io status is likewise unverified. No GovCERT.ch / NCSC.ch developer advisory was found. Keep the provenance-anomaly hunt centred on npm and treat the mvnpm bridge as a plausible next vector to watch.

UPDATE: npm ships 2FA-gated "staged publishing" GA in response to the 2026 supply-chain worm waves

From CTI Daily Brief — 2026-05-24 · published 2026-05-24

UPDATE (supply-chain worm wave, originally covered 2026-05-23): GitHub announced on 2026-05-22 that npm staged publishing is now Generally Available — a maintainer must run npm stage publish (npm CLI 11.15.0+), which uploads the version to a consumer-invisible staging queue, then pass a separate 2FA challenge to approve the release before it becomes installable (GitHub Changelog, 2026-05-22). This directly targets the automated mass-publish pattern behind the Megalodon GitHub-repo campaign (covered 2026-05-23) and the earlier mini-shai-hulud / TeamPCP npm waves, where many malicious versions were pushed in seconds via compromised maintainer sessions — a human-in-the-loop 2FA gate would have broken that tempo.

The same release adds three install-source restriction flags — --allow-file, --allow-remote and --allow-directory (each all | none) — letting CI/CD pipelines forbid installs from remote URLs or local paths, the vectors abused in several 2026 dependency-confusion and supply-chain campaigns (The Hacker News, 2026-05-23). For CH/EU public-sector development teams, the operational action is to enable staged publishing on org-owned packages and set --allow-remote none / --allow-directory none in production CI.

UPDATE: TeamPCP Mini Shai-Hulud — Unit 42 and StepSecurity confirm SLSA Build Level 3 attestation invalidated as integrity gate

From CTI Daily Brief — 2026-05-22 · published 2026-05-22

UPDATE (originally covered 2026-05-19, updated 2026-05-21): Unit 42 (Palo Alto Networks) and StepSecurity published concurrent technical analyses on 2026-05-21 of the TeamPCP Mini Shai-Hulud npm supply-chain campaign, establishing the defining novelty of this wave: the first documented case of malicious npm packages carrying valid SLSA Build Level 3 provenance attestations (Unit 42, 2026-05-21). Attackers compromised TanStack's legitimate GitHub Actions CI/CD pipeline's trusted OIDC identity mid-workflow — without stealing developer credentials — making the SLSA attestation genuine while the package payload was malicious. This invalidates "package carries valid provenance attestation" as a sufficient supply-chain integrity gate.

The execution chain runs tanstack_runner.js under the Bun JavaScript runtime, enumerating stored credentials including gh auth token capture (T1552.001 Unsecured Credentials: Credentials In Files); stolen npm tokens and GitHub PATs are used to backdoor every package the victim account can publish (T1650 Acquire Access), making the worm self-propagating across the npm ecosystem. By end of the 2026-05-11 wave, 373 malicious package versions across 169 npm packages and PyPI mirrors were active (Unit 42, 2026-05-21).

Defender actions from this technical update: (a) SLSA attestation verification is now insufficient as a sole gate — add runtime behavioural scanning of npm install scripts alongside provenance checks; (b) Pin GitHub Actions to commit SHAs, not mutable tags, to prevent mid-workflow OIDC identity hijack; (c) If pipelines ran npm publish during 2026-05-11 to 2026-05-12, rotate npm tokens and GitHub PATs and audit owned packages for unauthorised versions; (d) In environments where Bun is not an approved runtime, flag any bun or bun.js process execution from a CI runner context (Sysmon EID 1 process-name filter).
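
The behavioural checks in (a) and (d), together with the earlier "node -e chains from npm/npx parent trees" hunt, sketched as an added example (not code from Unit 42, StepSecurity or this site): it rebuilds the process tree from creation events and alerts on node eval under an npm ancestor and on bun under a GitHub Actions Runner.Worker. The pid/ppid/image/cmdline field names are hypothetical normalised names (map them from Sysmon EID 1 ProcessId, ParentProcessId, Image and CommandLine); the events are constructed.

```python
import re

NPM_CLI_RE = re.compile(r"np[mx]-cli\.js")
EVAL_FLAG_RE = re.compile(r"(?:^|\s)(?:-e|--eval)(?:\s|=|$)")


def base(image):
    """Lower-cased executable name without directory or .exe suffix."""
    name = re.split(r"[\\/]", image)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def ancestors(ev, by_pid):
    """Yield parent, grandparent, ... of an event; stops on gaps or pid loops."""
    seen = {ev["pid"]}
    cur = by_pid.get(ev["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur
        cur = by_pid.get(cur["ppid"])


def is_npm(ev):
    """npm/npx binary, or node running npm-cli.js / npx-cli.js."""
    name = base(ev["image"])
    return name in {"npm", "npx"} or (
        name == "node" and bool(NPM_CLI_RE.search(ev["cmdline"])))


def detect(events, approved_runtimes=frozenset({"node"})):
    """Return (pid, rule) alerts. Assumes one pid is not reused within the batch."""
    by_pid = {ev["pid"]: ev for ev in events}
    alerts = []
    for ev in events:
        chain = list(ancestors(ev, by_pid))
        name = base(ev["image"])
        # Lifecycle scripts run through a shell, so npm is usually the
        # grandparent rather than the direct parent: walk the whole chain.
        if name == "node" and EVAL_FLAG_RE.search(ev["cmdline"]) \
                and any(is_npm(a) for a in chain):
            alerts.append((ev["pid"], "node-eval-under-npm"))
        if name == "bun" and "bun" not in approved_runtimes \
                and any(base(a["image"]) == "runner.worker" for a in chain):
            alerts.append((ev["pid"], "unapproved-bun-on-runner"))
    return alerts


# Constructed process-creation events, oldest first. Paths are placeholders;
# tanstack_runner.js is the file name the brief above cites.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "/opt/actions-runner/bin/Runner.Worker",
     "cmdline": "Runner.Worker spawnclient"},
    {"pid": 110, "ppid": 100, "image": "/usr/bin/bash",
     "cmdline": "bash -e /tmp/constructed-step.sh"},
    {"pid": 120, "ppid": 110, "image": "/usr/bin/node",
     "cmdline": "node /usr/lib/node_modules/npm/bin/npm-cli.js install"},
    {"pid": 130, "ppid": 120, "image": "/usr/bin/sh",
     "cmdline": "sh -c node -e require('./constructed-setup')"},
    {"pid": 131, "ppid": 130, "image": "/usr/bin/node",
     "cmdline": "node -e require('./constructed-setup')"},
    {"pid": 140, "ppid": 131, "image": "/tmp/constructed/bun",
     "cmdline": "bun run tanstack_runner.js"},
    # A workflow step that calls node -e directly, with no npm ancestor.
    {"pid": 200, "ppid": 110, "image": "/usr/bin/node",
     "cmdline": "node -e console.log(process.version)"},
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```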

UPDATE: TeamPCP / Mini Shai-Hulud campaign — GitHub itself breached (~3,800 internal repos via poisoned VS Code extension), Microsoft `durabletask` PyPI worm propagates via AWS SSM and `kubectl exec`, Grafana confirms missed-token-rotation root cause

From CTI Daily Brief — 2026-05-21 · published 2026-05-21

UPDATE (originally covered 2026-05-13 deep dive; multiple subsequent updates): three new TeamPCP / Mini Shai-Hulud developments landed in this window — GitHub itself, the official Microsoft durabletask PyPI package, and the Grafana Labs root-cause disclosure.

GitHub. GitHub confirmed on 2026-05-20 that TeamPCP (also tracked as UNC6780) accessed approximately 3,800 internal GitHub repositories after a single GitHub employee installed a poisoned Visual Studio Code extension on their device (The Hacker News, 2026-05-20; The Record, 2026-05-20; Infosecurity Magazine, 2026-05-20; Help Net Security, 2026-05-20). GitHub detected and contained the breach on 2026-05-19, isolated the affected endpoint and rotated high-impact secrets; the company states there is no evidence customer data stored outside the internal repositories was accessed. GitHub has not publicly named the malicious VS Code extension or its publisher at this writing. TeamPCP listed the stolen repositories — including GitHub Actions internals, agentic-workflow code, Copilot internal projects, CodeQL tools, Codespaces, Dependabot, and a Rails controller managing organisations and PRs — for sale at $50,000, with LAPSUS$ announcing a joint sale and a $95,000 asking price.

durabletask (PyPI). Wiz Security reported on 2026-05-20 that the TeamPCP / Mini Shai-Hulud worm compromised the official Microsoft durabletask PyPI package via versions 1.4.1, 1.4.2 and 1.4.3 (Wiz, 2026-05-20). The payload is a dropper that fetches rope.pyz from check.git-service[.]com; per Wiz the second stage is a full credential stealer targeting AWS, Azure, GCP, Kubernetes and Vault credentials, 1Password and Bitwarden vaults, filesystem credentials and shell history. Propagation per Wiz: on Kubernetes hosts the worm uses kubectl exec; on AWS EC2 instances it propagates via AWS Systems Manager SendCommand against up to 5 targets per host (T1078.004 Cloud Accounts, T1570 Lateral Tool Transfer).

Grafana Labs. Grafana Labs published the post-mortem of its own TeamPCP breach on 2026-05-19, confirming the root cause was a single GitHub Actions workflow token that slipped through the rotation process after the TanStack npm supply-chain attack (Grafana Labs, 2026-05-19; BleepingComputer, 2026-05-20). Per Grafana's own post-mortem the TanStack compromise was detected on 2026-05-11 (note: BleepingComputer cites 2026-05-01 for the malicious-package consumption event — surfaced as a contradiction in § 7); Grafana rotated the bulk of its GitHub workflow tokens, but the residual unrotated token gave TeamPCP access to clone private source-code repositories (exact count not disclosed in Grafana's post-mortem). Grafana refused the extortion demand on 2026-05-16. The exfiltration scope is confirmed limited to Grafana Labs GitHub repositories (public source code, private source code and internal repos); customer production data was not affected.

Defender takeaway: audit VS Code extension marketplace policies and consider a managed extensions allowlist via Group Policy / MDM (the VS Code marketplace does not enforce mandatory code-signing). Hunt — Sysmon EID 1 for code --install-extension invocations on developer endpoints; process trees where Code.exe or code-server spawn credential-access tools (git-credential-manager, aws configure, keychain access). Audit GitHub Actions OIDC token rotation completeness after any supply-chain incident; verify GitHub secret-scanning + push-protection are enabled on every org. CI/CD pipeline logs should be searched for durabletask imports in the 1.4.1–1.4.3 version range; treat any host that imported a malicious version as fully compromised. Review AWS SSM SendCommand audit logs for invocations that do not correspond to authorised maintenance windows.

UPDATE: TeamPCP / Shai-Hulud — first copycat wave (Phantom Bot + SSH/cloud stealers), Checkmarx Jenkins plugin trojanised again, PCPJack rival worm hits exposed cloud services

From CTI Daily Brief — 2026-05-19 · published 2026-05-19

UPDATE (originally covered 2026-05-13, 2026-05-15): Three concurrent developments show the TeamPCP / Shai-Hulud campaign has entered an open-source-imitator phase following Datadog Security Labs' 2026-05-13 analysis of the leaked Shai-Hulud worm source code. First, OX Security disclosed on 2026-05-17 four malicious npm packages published by deadcode09284814: chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils — combined weekly downloads ~3,000 (OX Security, 2026-05-17; The Hacker News, 2026-05-18). chalk-tempalte is a near-unmodified clone of the leaked Shai-Hulud worm with a modified C2 server and a new attacker-controlled key embedded in the code — the two primary sources disagree on whether this is a public or private key (see § 7); axois-utils bundles "Phantom Bot," a Golang HTTP/TCP/UDP/Reset-flood DDoS tool with Windows Startup folder and Linux scheduled-task persistence that survives package removal; the other two harvest SSH keys, cloud-provider credentials (AWS/GCP/Azure), and cryptocurrency wallet data.

Second, SANS ISC synthesised a 2026-05-18 campaign update confirming that Checkmarx officially acknowledged on 2026-05-11 that its Jenkins AST Scanner plugin had been trojanised — version 2026.5.09, compromise window 2026-05-09 01:25 UTC to 2026-05-10 08:47 UTC — making this TeamPCP's third confirmed Checkmarx intrusion in three months (SANS Internet Storm Center, 2026-05-18; Checkmarx, 2026-05-12). Hundreds of Jenkins controllers installed the malicious plugin before removal; remediated builds 2.0.13-848 and 2.0.13-847 are safe. CxSAST on-premise was unaffected; the cloud-integrated checkmarx/ast-github-action, checkmarx/kics-github-action, and VS Code extensions were all trojaned.

Third, SentinelLabs disclosed on 2026-05-07 — also folded into the SANS ISC summary — "PCPJack," a rival cloud worm that scans for exposed Docker, Kubernetes, Redis, MongoDB and RayML services and chains five CVEs (CVE-2025-29927 Next.js middleware auth bypass; CVE-2025-55182 Next.js Server Actions deserialization; CVE-2026-1357 WPVivid arbitrary file upload; CVE-2025-9501 W3 Total Cache RCE; CVE-2025-48703 CentOS Web Panel command injection) for initial access, then explicitly kills TeamPCP processes and removes TeamPCP artefacts before harvesting credentials — assessed by SentinelLabs with moderate confidence as possibly a former TeamPCP affiliate. Defender takeaway for the Swiss/EU public-sector SOC: developer endpoints and CI/CD runners with installed Checkmarx plugin should be audited for plugin versions outside the known-safe SHA range during the 2026-05-09 → 2026-05-10 window; npm audit and SBOM scans should flag the deadcode09284814 author/scope; egress from CI runners to *.lhr.life hostnames is a high-fidelity hunt pivot for the npm worm wave; Docker/Kubernetes/Redis/MongoDB endpoints exposed to the internet should be inventoried and removed from public exposure (PCPJack's scan list). MITRE T1195.002 (Supply Chain Compromise), T1552.001 (Credentials in Files), T1041 (Exfiltration over C2 Channel).

TeamPCP / Mini Shai-Hulud supply-chain worm — CI/CD credential theft running all week; GitHub itself among claimed victims

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

If you did nothing this week: any pipeline that resolved an affected npm / PyPI / Packagist dependency, installed a poisoned VS Code extension, or was one of the 5,561 GitHub repositories mass-backdoored by the Megalodon sub-campaign has most likely had its OIDC tokens, cloud credentials and CI secrets exfiltrated — and GitHub itself was named in a breach claim this week.

The campaign escalated every day of the window (full trajectory in § 2). The defender-relevant constant is the propagation primitive: OIDC-token reuse across the registry trust boundary, plus IDE-hook and CI-workflow injection that runs at build time inside an already-trusted runner. Unit 42 and StepSecurity confirmed on 2026-05-21 that SLSA Build Level 3 provenance attestation is no longer a reliable integrity gate for these waves — the malicious build step executes inside the legitimately-attested pipeline, so the attestation signs the compromised artefact. Hunt for unexpected npm publish / npm stage events, outbound connections from CI runners to non-registry hosts, and IDE-hook entries (.vscode/tasks.json, .claude/settings.json) committed in dependency updates. Rotate any CI token that was live during a dependency bump in the window; do not trust provenance attestation alone to clear a package.

TeamPCP / Mini Shai-Hulud / Megalodon — the open-sourced supply-chain worm became commodity infrastructure this week

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

This is the week's defining chain. After the worm framework was open-sourced on 2026-05-12, the window saw it move from a single operator's tool to commodity capability, escalating almost daily:

  • 2026-05-18 → 19 — First copycat wave: TeamPCP imitators deploy Phantom Bot plus SSH/cloud stealers, the Checkmarx Jenkins plugin is re-trojanised, and a rival "PCPJack" worm appears, per Ox Security (daily 2026-05-19). Same window: the Nx Console VS Code extension (2.2M installs) is pushed malicious for an 11-minute window (12:36–12:47 UTC, 2026-05-18) via stolen publisher credentials, and all 53 tags of actions-cool/issues-helper are moved to an imposter commit reading /proc/PID/mem of the Runner.Worker (daily 2026-05-20).
  • 2026-05-21 — Escalation to platform scale: GitHub itself is named in a breach claim, Microsoft's official durabletask PyPI package is weaponised (propagating via AWS SSM and kubectl exec), and Grafana confirms a missed-token-rotation root cause (The Hacker News; daily 2026-05-21).
  • 2026-05-22 — Unit 42 and StepSecurity publish concurrent analyses establishing that SLSA Build Level 3 provenance attestation is invalidated as an integrity gate for these waves — the malicious build step runs inside the legitimately-attested pipeline (Unit 42; daily 2026-05-22).
  • 2026-05-23 (disclosure; event 2026-05-18) — SafeDep and OX Security disclose the Megalodon sub-campaign, which mass-poisoned 5,561 GitHub repositories in a ~6-hour window on 18 May using forged CI-bot identities and templated commit messages, harvesting cloud credentials and OIDC tokens (SafeDep; daily 2026-05-23). A further Packagist/Laravel-Lang compromise is reported the same day (daily 2026-05-24).

Two in-window synthesis documents consolidate the picture. The Cloud Security Alliance research note (2026-05-22) frames the whole event as a two-wave attack: Wave 1 (Mini Shai-Hulud, 29 Apr – 12 May) hijacked TanStack's GitHub Actions runner via a pull_request_target trigger plus Actions cache poisoning, extracted a live OIDC token from runner process memory via /proc/PID/mem, obtained a Sigstore signing certificate from Fulcio, and produced SLSA BL3 provenance attestations for 404 malicious package versions across 172 packages (CVE-2026-45321, CVSS 9.6) — the first publicly-documented hijack of trusted build pipelines to generate attestation-bearing malicious artefacts. Wave 2 (Megalodon, from 18 May) pushed 5,718 commits to 5,561 repos in under six hours, harvesting AWS IAM, GCP/Azure IMDS, SSH, Docker auth, .npmrc, .netrc, Kubernetes configs, Vault tokens and Terraform state. Separately, GitHub's official post-incident blog (2026-05-20) confirmed an employee device was compromised via the poisoned Nx Console extension (GHSA-c9j4-9m59-847w) and ~3,800 GitHub-internal repositories were exfiltrated, with no customer-data impact found as of publication and a fuller report still outstanding.

Defender takeaways: set permissions: id-token: none on workflows that do not need OIDC; disable or isolate pull_request_target for fork PRs (permissions: contents: read); treat Git commit author/committer fields as unverified free text (use contributor allow-lists / push-rule bypass-actor audit events to catch Megalodon-style forged identities); audit Sigstore Rekor for unexpected signing events from your own pipeline identity; and do not accept SLSA BL3 attestation alone as a clean-package signal.

TeamPCP / Mini Shai-Hulud npm supply-chain worm — wave 4 + framework source leak

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

The TeamPCP / Mini Shai-Hulud story spans every working day of 2026-W20 and the daily briefs add a piece each day. Tuesday 2026-05-12: an attacker briefly published what appears to be the complete Shai-Hulud framework source (TypeScript / Bun) to a public GitHub repository attributed to TeamPCP, taken down within hours but mirrored widely; the public source disclosure inverts the threat model — every IDE, EDR, and PR-review vendor now has access to the same artefact the operator was using but defenders must assume new variants will appear with one to two days' lead-time on signatures (Datadog Security Labs static analysis, 2026-05-13; daily 2026-05-15 UPDATE). Wednesday 2026-05-13: Wave 4 hits — 170+ packages / 400+ malicious versions compromised per daily-brief tracking across @tanstack (including react-router, ~12M weekly downloads), @uipath, @mistralai, @opensearch-project, and @guardrails-ai; the Wiz writeup confirms the same TeamPCP / UNC6780 / PCPJack attribution as prior waves (Wiz Blog, 2026-05-11; daily 2026-05-13 UPDATE). Friday 2026-05-15: OpenAI named as a victim; the company enforces code-signing certificate rotation across all macOS apps as remediation (daily 2026-05-15 UPDATE).

What W1 horizon research surfaced that the dailies could not yet see: Datadog's static analysis of the leaked source reveals two new capability classes that change the defender posture. First, IDE persistence via hook entries in .claude/settings.json (Claude Code) and .vscode/tasks.json — allowing arbitrary command execution on developer-workspace events; this is not a build-time supply-chain primitive but a developer-workstation persistence mechanism that survives npm install cleanup and outlives the malicious-package removal. Second, OIDC token extraction directly from /proc/<pid>/mem on GitHub Actions runners, used to forge Sigstore provenance attestations — meaning malicious packages can be published that are indistinguishable from legitimate ones by provenance verification alone. The W19 weekly already flagged ShinyHunters / WorldLeaks as a long-running operator-family pattern; the TeamPCP / Mini Shai-Hulud progression confirms a parallel ecosystem maturing on the npm registry side, now with publication-provenance forgery in the toolset. The leaked framework source materially elevates the risk of secondary operators applying Shai-Hulud-style techniques against other package registries (PyPI, Cargo, Maven Central) in 2026-W21 (Datadog Security Labs).

The defender pivot is two-fold: (1) for DevOps pipelines, provenance verification is necessary but no longer sufficient — supplement with publisher-pinning, two-factor publish enforcement, and post-install hash-pinning; (2) for developer workstations, treat .claude/settings.json / .vscode/tasks.json / equivalent IDE hook files as security-relevant configuration and add them to file-integrity-monitoring scope. The Datadog filesystem indicators (gh-token-monitor daemon process, claude@users.noreply.github.com commits in unexpected repositories, exfil-repo names matching "Shai-Hulud: Here We Go Again") are the right hunt seeds.
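One way to put these IDE hook files into file-integrity-monitoring scope, as an added example (not Datadog's tooling and not code from the briefs): the script lists every command that a .claude/settings.json hook or a folder-open task in .vscode/tasks.json would run and reports any that is not in a reviewed baseline. The function names, the baseline format (a set of SHA-256 digests of approved commands) and the sample workspace are assumptions constructed for illustration.

```python
import hashlib
import json
import pathlib
import tempfile

# Hook-bearing files named in the brief, keyed by (parent directory, file name).
HOOK_FILES = {(".claude", "settings.json"): "claude", (".vscode", "tasks.json"): "vscode"}


def digest(command):
    """SHA-256 of a command string; the reviewed baseline is a set of these."""
    return hashlib.sha256(command.encode("utf-8")).hexdigest()


def claude_commands(cfg):
    """(trigger, command) for every command hook in a Claude Code settings document."""
    return [("hook:" + event, hook["command"])
            for event, groups in cfg.get("hooks", {}).items()
            for group in groups
            for hook in group.get("hooks", [])
            if hook.get("type") == "command" and hook.get("command")]


def vscode_commands(cfg):
    """(trigger, command) for tasks.json tasks that start on folder open."""
    out = []
    for task in cfg.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
            out.append(("task:folderOpen", " ".join(parts).strip()))
    return out


def scan_workspace(root, approved):
    """Findings (path, trigger, command) for hook commands whose digest is not approved."""
    findings = []
    for path in sorted(pathlib.Path(root).rglob("*.json")):
        kind = HOOK_FILES.get((path.parent.name, path.name))
        if kind is None:
            continue
        rel = path.relative_to(root).as_posix()
        try:
            cfg = json.loads(path.read_text(encoding="utf-8"))
            cmds = claude_commands(cfg) if kind == "claude" else vscode_commands(cfg)
        except (OSError, ValueError, AttributeError, TypeError):
            # JSONC comments or an unexpected shape: report it, never assume clean.
            findings.append((rel, "unparsed", None))
            continue
        findings += [(rel, t, c) for t, c in cmds if digest(c) not in approved]
    return findings


def write_sample(root):
    """Constructed workspace: an unreviewed hook, a reviewed task, and a JSONC file."""
    files = {
        "app/.claude/settings.json": json.dumps({"hooks": {"SessionStart": [
            {"hooks": [{"type": "command", "command": "sh ./tools/setup.sh"}]}]}}),
        "app/.vscode/tasks.json": json.dumps({"version": "2.0.0", "tasks": [
            {"label": "lint", "command": "npm", "args": ["run", "lint"],
             "runOptions": {"runOn": "folderOpen"}},
            {"label": "build", "command": "npm run build"}]}),
        "lib/.vscode/tasks.json": '{\n  // generated by editor\n  "tasks": []\n}',
    }
    for rel, body in files.items():
        target = pathlib.Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        print(*scan_workspace(tmp, approved={digest("npm run lint")}), sep="\n")
```

A tasks.json that contains comments is reported as "unparsed" so that it is reviewed by hand instead of being skipped.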

AI tooling SaaS and developer toolchain

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

The Mini Shai-Hulud / TeamPCP propagation across @tanstack, @uipath, @mistralai, @opensearch-project, @guardrails-ai, and OpenAI consolidates a sector pattern first surfaced in W19: AI-evaluation, AI-observability, AI-agent-orchestration, and AI-tooling SaaS vendors all sit on architectures that aggregate organisation-level upstream credentials (LLM-provider API keys, GitHub Actions OIDC tokens, package-publish certificates) — and the operator class active this quarter is mining that aggregation pattern systematically. See § 2 for the cross-day chain and § 7 for long-running campaign status.

Datadog Security Labs — Shai-Hulud framework static analysis

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Datadog Security Labs published a static analysis of the leaked Shai-Hulud framework source on 2026-05-13 (covered daily 2026-05-15). The synthesis the daily had room for was the high-level capability summary; the cross-finding lens worth surfacing here: this is the first publicly-available complete-source reverse-engineering of an active npm-supply-chain operator's toolkit, comparable to the value the leaked Conti chats provided in 2022 for ransomware-affiliate defender intelligence. Detection-engineering teams now have a non-IOC behavioural reference for the entire TeamPCP toolchain: IDE-persistence hook patterns, OIDC-token extraction from /proc/<pid>/mem, Sigstore-provenance forgery primitives, GitHub Actions dead-drop conventions. The Datadog post-leak ecosystem-monitoring methodology (matching commits, repo names, hook configurations) is portable to any organisation with developer-workstation file-integrity monitoring; the broader implication is that publication-provenance verification is no longer sufficient as a sole supply-chain control (Datadog Security Labs).

TeamPCP / Mini Shai-Hulud (ShinyHunters / WorldLeaks adjacent) — wave 4 + framework leak + IDE persistence

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Full coverage in § 2 (multi-day chain). Status-update register: long-running operator-family pattern continues; wave 4 (170+ packages / 400+ versions per daily-brief tracking) is the largest documented npm-supply-chain wave to date; the leaked framework source materially changes both attacker and defender posture and elevates the risk of secondary operators applying the same techniques against PyPI / Cargo / Maven Central in 2026-W21. The ShinyHunters / WorldLeaks family logged in W19's long-running record (item:shinyhunters-worldleaks-family) overlaps in operator targeting (AI-tooling SaaS, multi-tenant credential aggregation) with TeamPCP's npm-side ecosystem — the two clusters appear to be operating in parallel across the SaaS and registry attack surfaces with no public attribution merging them.

Sophos 2026 State of Identity Security: Switzerland records highest identity-breach incidence globally; energy and federal government hardest-hit sectors [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-15 · published 2026-05-15

Sophos published its State of Identity Security 2026 survey on 2026-05-14, drawing on responses from IT and cybersecurity leaders across 17 countries (Help Net Security, 2026-05-14). The headline finding is that more than 70% of surveyed organisations experienced at least one identity-related breach in the prior 12 months. Swiss organisations recorded the highest breach incidence among all surveyed countries. Sector analysis places energy, oil/gas, and utilities alongside federal government as the verticals with the highest breach rates — and two-thirds of ransomware victims in the survey attributed initial access to an identity compromise: stolen credentials, session hijacking, or MFA bypass. The survey corroborates NCSC-CH's sustained advisory focus on credential abuse and the trend visible across this brief series (Lumma Stealer takedown, FamousSparrow credential harvesting, TeamPCP OIDC token theft). Defenders in CH/EU public-sector environments should audit conditional access policies and MFA resilience controls — particularly for energy-sector service accounts and Entra ID/ADFS federations — against the pattern of phishing-resistant MFA requirements in NCSC-CH guidance.

UPDATE: TeamPCP / Mini Shai-Hulud — OpenAI named as victim; code-signing certificate rotation enforced for all macOS apps

From CTI Daily Brief — 2026-05-15 · published 2026-05-15

UPDATE (originally covered 2026-05-13): OpenAI disclosed on approximately 2026-05-13 that two employee devices were compromised through the TanStack npm supply-chain attack (Mini Shai-Hulud / TeamPCP, first covered in this brief series on 2026-05-12 and 2026-05-13) and that the compromise affected OpenAI's macOS code-signing certificates (TechCrunch, 2026-05-14 · The Record, 2026-05-14).

The attackers exfiltrated "limited credential material" from internal source code repositories accessible to the two affected employees; OpenAI states no customer data, production systems, or core intellectual property were accessed. Critically, the certificate used to sign OpenAI's macOS desktop applications (ChatGPT for macOS and related apps) was among the compromised material, triggering an emergency certificate rotation. OpenAI is requiring all macOS app users to update to the latest version before June 12, 2026, after which older builds will lose functionality and macOS Gatekeeper notarization will block apps signed with the compromised certificate. Enterprise MDM administrators with OpenAI macOS apps in their managed fleet should push a forced update immediately. Threat attribution is unofficially assessed as TeamPCP (the same actor behind the broader TanStack worm), consistent with prior reporting on the actor's OIDC token theft and credential exfiltration goals.

UPDATE: Datadog Security Labs analyzes leaked TeamPCP "Shai-Hulud" offensive framework source code

From CTI Daily Brief — 2026-05-15 · published 2026-05-15

UPDATE (2026-05-13 — follows TeamPCP coverage 2026-05-13): Datadog Security Labs published an analysis of the TeamPCP "Shai-Hulud" offensive worm source code on 2026-05-13, after the complete framework was briefly accessible as a public GitHub repository on 2026-05-12 before the account was removed (Datadog Security Labs, 2026-05-13). The brief public exposure gave researchers direct visibility into the worm's internal architecture: it is a TypeScript/Bun toolkit that automates GitHub Actions pwn-request exploitation — specifically targeting pull_request_target workflows that perform unsanitized checkouts — to harvest OIDC tokens and GITHUB_TOKEN values, then propagate across npm packages using the stolen credentials. The automation is fully self-contained; victim-repository selection is not manually guided, consistent with the worm-class spread observed in the original TanStack campaign. The leaked code also exposes the environment-variable injection technique (${{ github.event.pull_request.head.sha }} substitution in run steps) as a key primitive. Defenders should not execute the leaked code. The architectural disclosure accelerates defensive posture: prioritise auditing pull_request_target triggers with checkout steps in the same job, review OIDC token permission scopes, and apply environment variable sanitization. MITRE ATT&CK: T1195.002 (Compromise Software Supply Chain), T1552.001 (Credentials in Files), T1059.004 (Unix Shell).
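The audit priorities in this update, together with the pull_request_target and id-token takeaways earlier on this page, as an added example (not Datadog's code and not part of the leaked framework): a standard-library, line-based check that, for workflows triggered by pull_request_target, flags an id-token: write grant, a checkout of the pull-request head, and PR-controlled expressions expanded inside run scripts. The rule names and the sample workflow are constructed; it is a heuristic and not a YAML parser, so a clean result is a triage signal only.

```python
import re

ON_KEY = re.compile(r"^\s*(?:-\s*)?pull_request_target\s*:?\s*$")
ON_INLINE = re.compile(r"^\s*on:\s*.*\bpull_request_target\b")
JOB_KEY = re.compile(r"^\s+([\w-]+):\s*$")
USES = re.compile(r"\buses:\s*(\S+)")
RUN = re.compile(r"^(\s*(?:-\s+)?)run:")
REF = re.compile(r"^\s*ref:")
OIDC = re.compile(r"^\s*id-token:\s*write\b")
PR_EXPR = re.compile(r"\$\{\{\s*github\.(?:event\.pull_request\.|head_ref)")


def audit_workflow(text):
    """Return (line_no, job, rule) findings for one workflow file.

    Line-based heuristic, not a YAML parser: assumes block-style indentation and
    returns [] unless the workflow is triggered by pull_request_target.
    """
    lines = [re.sub(r"(^|\s)#.*$", "", raw).rstrip() for raw in text.splitlines()]
    if not any(ON_KEY.match(l) or ON_INLINE.match(l) for l in lines):
        return []
    findings, uses, run_col = [], None, None
    in_jobs, job, job_indent = False, "<workflow>", None
    for no, line in enumerate(lines, 1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if run_col is not None and indent <= run_col:
            run_col = None                       # dedent: the run script has ended
        if indent == 0:                          # top-level key: track the jobs section
            in_jobs, job = line.startswith("jobs:"), "<workflow>"
        elif run_col is None:
            key = JOB_KEY.match(line)
            if in_jobs and key and job_indent in (None, indent):
                job_indent, job = indent, key.group(1)
                continue
            step = USES.search(line)
            if step or line.lstrip().startswith("- "):
                uses = step.group(1) if step else None   # a new step resets it
            run = RUN.match(line)
            if run:
                run_col = len(run.group(1))      # column of the "run" key
            if OIDC.match(line):
                findings.append((no, job, "oidc-write"))
            checkout = (uses or "").startswith("actions/checkout")
            if checkout and REF.match(line) and PR_EXPR.search(line):
                findings.append((no, job, "untrusted-checkout"))
        if run_col is not None and PR_EXPR.search(line):
            findings.append((no, job, "expr-in-run"))
    return findings


# Constructed sample, not a workflow from any project named in the briefs.
SAMPLE = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "building ${{ github.event.pull_request.head.sha }}"
          pnpm install && pnpm test
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```

Passing the value through an env: entry and referencing it as a shell variable in the run script clears the expr-in-run finding, which is the environment-variable sanitization the update recommends.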

UPDATE: Mini Shai-Hulud — TeamPCP worm hits TanStack, UiPath, Mistral AI, OpenSearch (160+ package versions)

From CTI Daily Brief — 2026-05-13 · published 2026-05-13

UPDATE (originally covered 2026-05-10): Between 19:20 and 19:26 UTC on 2026-05-11, TeamPCP's Mini Shai-Hulud self-propagating worm executed its largest campaign to date, compromising 160+ malicious versions across @tanstack/* (42 packages including @tanstack/react-router at ~12M weekly downloads), @uipath/* (60+ packages), @mistralai/*, @opensearch-project/opensearch, @squawk/*, @draftlab/* and @tallyui/*, plus two PyPI packages (StepSecurity analysis, 2026-05-11; TanStack post-mortem, 2026-05-12; Wiz, 2026-05-12; NCSC-CH Security Hub #12558, 2026-05-12).

The novel attack chain (decomposed in § 5) is materially different from the 2026-05-10 SAP-CAP campaign: the operator (voicproducoes, GitHub account ID 269549300) submitted a poisoned PR to a target repository that triggered a pull_request_target workflow, used that privileged workflow to seed a malicious pnpm store into the GitHub Actions cache, then waited for legitimate maintainer merges to main — the release workflow restored the poisoned cache, attacker-controlled binaries extracted GitHub Actions OIDC tokens from /proc/<pid>/mem, and the worm used npm's token-exchange endpoint to publish trojanised package versions with valid SLSA Build Level 3 provenance attestations. The provenance bypass is the most significant evolution — SLSA L3 was the supply-chain assurance many EU public-sector procurement frameworks were starting to rely on, and this campaign demonstrates it is forgeable without abusing the package's own publish step.

Operational delta for defenders: SAP Note #3747787 (HotNews) acknowledges CAP-package impact and ships a clean version list. UiPath impact is the highest-priority public-sector signal — UiPath RPA is widely deployed in Swiss federal e-government automation and EU agency back-offices; review package-lock.json / pnpm-lock.yaml in every UiPath-using pipeline against the StepSecurity / Wiz package-version manifest. Before revoking any GitHub PAT or npm token, sanitise the developer machine first — token revocation triggers the worm's gh-token-monitor dead-man's switch that executes rm -rf ~/ on the affected workstation. Mapped to T1195.002 Supply Chain Compromise: Compromise Software Supply Chain, T1552.001 Unsecured Credentials: Credentials in Files, T1078.004 Cloud Accounts.
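The lockfile review described above, as an added example (not StepSecurity's or Wiz's tooling): it extracts every pinned (name, version) pair from a package-lock.json, including nested and aliased installs, and matches them against a manifest of bad versions. The manifest format, package names and versions are constructed placeholders and not indicators from any advisory; pnpm-lock.yaml is out of scope here because it needs a YAML parser.

```python
import json


def locked_versions(lock):
    """Set of (name, version) pairs pinned by a parsed package-lock.json.

    Covers lockfileVersion 2/3 (flat "packages" map keyed by install path) and
    the legacy v1 nested "dependencies" tree, including npm: aliases.
    """
    found = set()
    for path, meta in lock.get("packages", {}).items():
        if path and "version" in meta:             # "" is the root project itself
            # "node_modules/a/node_modules/@s/b" -> "@s/b"; "name" is set for aliases
            name = meta.get("name") or path.rpartition("node_modules/")[2]
            found.add((name, meta["version"]))

    def walk(deps):
        for name, meta in deps.items():
            version = meta.get("version", "")
            if version.startswith("npm:"):         # v1 alias: "npm:real-name@1.2.3"
                name, _, version = version[4:].rpartition("@")
            if version:
                found.add((name, version))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return found


def compromised(lock, manifest):
    """Sorted (name, version) pairs from the lockfile that are listed in `manifest`.

    `manifest` maps package name -> set of bad versions, transcribed from a vendor
    advisory; matching is exact, so semver ranges in package.json are not covered.
    """
    return sorted(p for p in locked_versions(lock) if p[1] in manifest.get(p[0], ()))


# Constructed lockfile and manifest: names and versions are placeholders.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/@example/router": {"version": "4.2.1"},
    "node_modules/left": {"version": "2.0.0"},
    "node_modules/left/node_modules/@example/router": {"version": "4.2.0"},
    "node_modules/rtr": {"name": "@example/query", "version": "7.0.3"}
  }
}""")
SAMPLE_MANIFEST = {"@example/router": {"4.2.1"}, "@example/query": {"7.0.3", "7.0.4"}}

if __name__ == "__main__":
    for name, version in compromised(SAMPLE_LOCK, SAMPLE_MANIFEST):
        print(f"{name}@{version} is listed in the manifest")
```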

UPDATE: TeamPCP (UNC6780 / PCPJack ecosystem) backdoors the Checkmarx Jenkins AST plugin — third Checkmarx supply-chain compromise in three months, SANDCLOCK exfiltrates every CI secret reachable from the runner

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

UPDATE (TeamPCP / mini-shai-hulud first covered 2026-05-07; PCPJack worm covered 2026-05-10; this is a distinct new artefact in the same actor ecosystem): On 2026-05-09–10 (UTC) TeamPCP (UNC6780) published a backdoored build of the Checkmarx Jenkins AST plugin (version 2026.5.09, marketed under the actor's signature naming "Checkmarx-Fully-Hacked-by-TeamPCP") to the Jenkins Marketplace. Any Jenkins instance configured to auto-update the AST plugin during that window pulled the malicious build and executed the SANDCLOCK credential stealer in the runner context (Checkmarx — Ongoing Security Updates, last updated 2026-05-09; The Hacker News, 2026-05-11; SecurityWeek, 2026-05-11).

SANDCLOCK targets every secret reachable from a typical CI/CD pipeline environment: GitHub Personal Access Tokens, AWS / Azure / GCP credentials, Kubernetes service-account tokens, Docker / OCI registry credentials, SSH keys, and Checkmarx One API tokens. Affected pipelines should be treated as full secrets-compromise events: every credential the runner could read must be rotated and any artefact built or deployed in the window audited. Checkmarx's ongoing-security-updates page specifies plugin version 2.0.13-829.vc72453fa_1c16 (published December 2025) as the safe pinned version; a CVE has been issued as CVE-2026-33634 per the Checkmarx advisory. This is the third Checkmarx-product supply-chain compromise by this actor in three months, after the March 2026 KICS Docker image and the April 2026 VS Code extension defacement — the cadence and the actor's naming convention indicate persistent targeting of the Checkmarx product line specifically, not opportunistic distribution-channel abuse.

Mapped to T1195.002 Compromise Software Supply Chain and T1552.001 Credentials In Files. The GTIG AI Threat Tracker (see § 5) attributes SANDCLOCK specifically to TeamPCP and flags the stealer as explicitly designed to harvest LLM API keys in addition to traditional cloud credentials — consistent with the actor's pivot to monetising stolen LLM access. Defender pivot: inventory every Jenkins plugin auto-update enabled across CI/CD estates; constrain runners to short-lived OIDC-federated credentials (no long-lived PATs in runner env) where the platform supports it; audit Checkmarx One API logs for unexpected source IPs since 2026-05-09.

Hardening / detection summary

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

Concrete posture changes a Swiss federal / cantonal / EU public-sector SOC can implement based on this report alone, in priority order:

  1. Egress allowlisting for LLM-API endpoints: only workloads where LLM access is justified should be permitted outbound to *.googleapis.com/v1beta/, api.openai.com/v1/, api.anthropic.com/, etc. — enforce at SWG and at host firewall on production servers. Catches PROMPTFLUX / HONESTCUE / CANFAIL-class runtime LLM calls from workloads that should not be making them.
  2. LLM-API-key secrets management: treat as Tier-1; rotate quarterly minimum; enable provider-side usage alerting on per-key baselines.
  3. Exploit-artefact LLM-output heuristics added to triage pipelines for PoC scripts pulled from public sources — docstring-density / hallucinated-metadata / ANSI-bootstrap pattern, used as a triage prior, not a verdict.
  4. CI/CD secrets hygiene at the runner level — directly applicable both to the AI-key theft trend and to the SANDCLOCK / TeamPCP Jenkins compromise carried as the § 4 UPDATE. OIDC-federated short-lived credentials where the platform supports it; no long-lived PATs in runner environment.
  5. Behavioural-sequence detector cross-validation: where ML-based EDR is in use, validate against API-call-sequence pollution by sampling current detection thresholds against synthetic LLM-generated benign sequences.

TeamPCP → PCPJack — cloud-worm successor evicting prior operator artefacts

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Current state: SentinelLabs documented PCPJack on 2026-05-07 as a worm-class framework that evicts and deletes existing TeamPCP artefacts on compromise (giving the framework its name), then deploys six Python modules harvesting credentials from Docker, Kubernetes, Redis, MongoDB, RayML, and dozens of cloud / SaaS services (AWS, Azure, GCP, GitHub, Slack, HashiCorp Vault, 1Password). Propagation targets are pulled from Common Crawl Parquet files rather than ad-hoc scanning, which gives a far broader, curated attack surface than typical opportunistic worms. The framework weaponises five public CVEs simultaneously (CVE-2025-29927 Next.js, CVE-2025-55182 React2Shell, CVE-2026-1357 WPVivid, CVE-2025-9501 W3 Total Cache, CVE-2025-48703 CWP). The TeamPCP → PCPJack succession overlay is the operational specific worth tracking: SentinelLabs explicitly states there is no evidence yet of a direct operator-level connection, while the eviction logic implies operators familiar with TeamPCP's target population. Defenders running self-hosted Next.js, React-server-actions stacks, WordPress with WPVivid Backup or W3 Total Cache, or CentOS Web Panel with internet-reachable FileManager should treat all five CVEs as actively weaponised (SentinelLabs, 2026-05-07 · The Hacker News, 2026-05-07 · SecurityWeek, 2026-05-08 · daily 2026-05-10). The earlier TeamPCP "Mini Shai-Hulud" SAP CAP npm worm (covered 2026-05-06) used Claude Code SessionStart hooks and VSCode tasks for propagation — that thread is separate from PCPJack's CVE-chain propagation, but the same operator population is tracked.

PCPJack — modular cloud-credential-theft worm displaces TeamPCP using five public CVEs and a multi-cloud key-harvesting pipeline

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

SentinelLabs documented PCPJack on 2026-05-07, a worm-class framework that propagates across exposed cloud and web infrastructure by chaining five public CVEs simultaneously: CVE-2025-29927 (Next.js middleware authorisation bypass via crafted header), CVE-2025-55182 ("React2Shell" — Server Actions deserialisation in React/Next.js), CVE-2026-1357 (unauthenticated file upload in WPVivid Backup), CVE-2025-9501 (PHP injection in W3 Total Cache via the mfunc comment processor) and CVE-2025-48703 (shell injection in the CentOS Web Panel FileManager) (SentinelLabs, 2026-05-07 · The Hacker News, 2026-05-07 · SecurityWeek, 2026-05-08). The bootstrap shell script first evicts and deletes existing TeamPCP artefacts from the host (giving the framework its name), then deploys six Python modules covering credential extraction from Docker, Kubernetes, Redis, MongoDB, RayML, and dozens of cloud / SaaS services (AWS, Azure, GCP, GitHub, Slack, HashiCorp Vault, 1Password). Second-stage tooling drops Sliver C2 beacons.

Exfiltration uses Telegram channels with ChaCha20-Poly1305 encryption; propagation target lists are pulled from Common Crawl Parquet files rather than scanned ad-hoc, which gives the campaign a far broader and more curated attack surface than typical opportunistic scanning. Unlike TeamPCP and TeamTNT which monetise via cryptominers, PCPJack drops no miner — SentinelLabs assesses monetisation as credential fraud, spam, access resale, or extortion (SentinelLabs, 2026-05-07). SentinelLabs notes TTP overlap with TeamPCP and frames PCPJack as a possible former affiliate or breakaway operation. Defenders running self-hosted Next.js, React-server-actions stacks, WordPress with WPVivid Backup or W3 Total Cache, or CentOS Web Panel with internet-reachable FileManager should treat all five CVEs as actively weaponised.