TeamPCP Mini Shai-Hulud framework open-sourced; Phantom Gyp derivative

UPDATE (originally covered 2026-06-06): A SANS ISC handler diary tracking the TeamPCP supply-chain campaign through 7 June reports the operators have open-sourced their Mini Shai-Hulud framework on GitHub, triggering a second wave of derivative campaigns (SANS ISC, 2026-06-08). Beyond the previously-covered Miasma worm — which compromised npm packages including Red Hat's @redhat-cloud-services scope (Wiz, 2026-06-01) — the diary names a newly-tracked Phantom Gyp campaign that abuses node-gyp / binding.gyp install-time script execution in compromised npm packages; both inject malicious CI/CD hooks (SANS ISC, 2026-06-08).

The diary's load-bearing detection-engineering point: valid SLSA provenance attestations do not protect against supply-chain injection when the build environment itself is subverted from the inside. The recommended shift is from attestation-verification to build-pipeline integrity — monitor GitHub Actions runner process trees for unexpected outbound network from within a build, alert on actions/upload-artifact shipping signed-but-anomalous binaries, and cross-check published package checksums against CI logs via independent transparency ledgers (e.g. Sigstore Rekor). EU/Swiss public-sector teams running npm-based automation or Red Hat tooling should audit CI/CD pipeline definitions for unexpected workflow-step insertions.

The Miasma arc produced the week's clearest attack-evolution story — two distinct technique pivots in five days, both in a single actor's ongoing CI/CD intrusion campaign.

Monday 2 June (daily 2026-06-02): TeamPCP used a compromised Red Hat maintainer GitHub account to inject malicious CI/CD workflows into 32 packages in the @redhat-cloud-services npm namespace via GitHub Actions OIDC trusted-publishing abuse, poisoning ~80,000–117,000 weekly downloads across 96 releases (Wiz; Aikido Security; Socket). The "Miasma" payload — a Mini Shai-Hulud descendant — swept GitHub Actions secrets, AWS keys, SSH keys, and added new dedicated collectors for GCP service-account and Azure managed-identity tokens, signalling a pivot from developer-host theft to cloud-account takeover.

Friday 6 June (daily 2026-06-06): Rather than continuing to poison npm packages, the actor shifted technique entirely: malicious commits were planted directly in the source repositories of 73 Microsoft and Microsoft-adjacent GitHub repos, wiring execution to AI coding agent workspace-config files rather than npm install lifecycle hooks (OpenSourceMalware; The Hacker News). GitHub disabled all 73 repos in a 105-second automated sweep. StepSecurity's forensic analysis found the entry credential was the same contributor account compromised in the May 19, 2026 PyPI attack (TeamPCP infrastructure overlap); full credential revocation was not confirmed. Azure Durable Task CI/CD pipelines that reference azure-functions-action were globally disrupted.

At week close, the Cargo (Rust) registry remained un-hit (the W22 looking-ahead prediction it was the next target was not confirmed in this window). The AI-coding-agent config injection vector is a structural expansion of the attack surface: any CI/CD environment where CLAUDE.md, .cursor/rules, or .gemini/ files are treated as executable code rather than data is now an active target class.

UPDATE (originally covered 2026-05-21, consolidated weekly update): SANS ISC handler Kenneth Hartman documents three material escalations in the TeamPCP / Mini Shai-Hulud supply-chain campaign through 2026-05-24 (SANS Internet Storm Center, 2026-05-25). First, the complete TeamPCP framework was published to a public GitHub repository on/around 2026-05-22 — Datadog Security Labs' static analysis (reported by ISC) describes a modular TypeScript/Bun toolkit for credential harvesting, supply-chain poisoning and encrypted exfiltration whose README carries the strings "Love - TeamPCP" and "Change keys and C2 as needed" — and operational copycat forks appeared within hours, commoditising the kit and injecting attribution noise.

Second, an @antv npm wave pushed 639 malicious versions across 323 packages, including high-traffic libraries such as echarts-for-react (~1.1M weekly downloads) and size-sensor (~4.2M weekly downloads); 42 of the packages displayed forged Sigstore verification badges in the npm UI (The Hacker News, 2026-05-19). Read against the campaign's earlier abuse of genuine SLSA Build Level 3 attestations produced by hijacked pipelines, package provenance is now under attack from both directions at once — real attestations from compromised CI and fake badges rendered by the registry UI. Third, three versions of durabletask (1.4.1–1.4.3) on PyPI — Microsoft's official Azure Durable Functions SDK — were trojanised, and ISC reports the second-stage payload includes a Linux disk wiper (T1485), expanding the campaign's capability from credential theft to data destruction.

Defender takeaway: treat any echarts-for-react / size-sensor build pulled in the affected window as compromised; stop treating an npm Sigstore badge or a displayed SLSA attestation as an install-time safety signal — verify provenance out-of-band against a known-good pipeline. durabletask consumers should audit build-runner logs for unexpected outbound connections and destructive disk operations (Sysmon EID 11 for anomalous file-deletion patterns, EID 3 for unexpected node/python egress from CI workers). Pin exact versions and verify lockfile hashes. The open-sourcing means PBKDF2-salt and dead-drop-string lineage will now also fire on unrelated copycats — behavioural detection on the install-time execution chain is more durable than any static artefact.

Beyond the in-window TrapDoor and framework-open-sourcing covered in § 2, horizon research surfaced a development the dailies missed. Wiz documented a fresh wave (2026-05-19) in which TeamPCP hijacked a legitimate maintainer account to poison the @antv data-visualisation ecosystem on npm (@antv/g2, g6, x6, l7 and others, collectively millions of weekly downloads), running the standard Mini Shai-Hulud credential-harvest against GitHub/npm tokens and cloud keys across 80+ file paths. OX Security and Security Affairs documented copycat clones spreading after the source-code leak. On the W21 watch list of un-hit registries: npm remains the only ecosystem with a primary-confirmed poisoning this wave — horizon research flagged unverified secondary reporting of Maven Central exposure via the mvnpm npm-to-Maven bridge, but this run could not corroborate it against a primary source, so it is not asserted here, and Cargo / crates.io status is likewise unverified. No GovCERT.ch / NCSC.ch developer advisory was found. Keep the provenance-anomaly hunt centred on npm and treat the mvnpm bridge as a plausible next vector to watch.

UPDATE (originally covered 2026-05-19, updated 2026-05-21): Unit 42 (Palo Alto Networks) and StepSecurity published concurrent technical analyses on 2026-05-21 of the TeamPCP Mini Shai-Hulud npm supply-chain campaign, establishing the defining novelty of this wave: the first documented case of malicious npm packages carrying valid SLSA Build Level 3 provenance attestations (Unit 42, 2026-05-21). Attackers compromised TanStack's legitimate GitHub Actions CI/CD pipeline's trusted OIDC identity mid-workflow — without stealing developer credentials — making the SLSA attestation genuine while the package payload was malicious. This invalidates "package carries valid provenance attestation" as a sufficient supply-chain integrity gate.

The execution chain runs tanstack_runner.js under the Bun JavaScript runtime, enumerating stored credentials including gh auth token capture (T1552.001 Unsecured Credentials: Credentials In Files); stolen npm tokens and GitHub PATs are used to backdoor every package the victim account can publish (T1650 Acquire Access), making the worm self-propagating across the npm ecosystem. By end of the 2026-05-11 wave, 373 malicious package versions across 169 npm packages and PyPI mirrors were active (Unit 42, 2026-05-21).

Defender actions from this technical update: (a) SLSA attestation verification is now insufficient as a sole gate — add runtime behavioural scanning of npm install scripts alongside provenance checks; (b) Pin GitHub Actions to commit SHAs, not mutable tags, to prevent mid-workflow OIDC identity hijack; (c) If pipelines ran npm publish during 2026-05-11 to 2026-05-12, rotate npm tokens and GitHub PATs and audit owned packages for unauthorised versions; (d) In environments where Bun is not an approved runtime, flag any bun or bun.js process execution from a CI runner context (Sysmon EID 1 process-name filter).

UPDATE (originally covered 2026-05-13 deep dive; multiple subsequent updates): three new TeamPCP / Mini Shai-Hulud developments landed in this window — GitHub itself, the official Microsoft durabletask PyPI package, and the Grafana Labs root-cause disclosure.

GitHub. GitHub confirmed on 2026-05-20 that TeamPCP (also tracked as UNC6780) accessed approximately 3,800 internal GitHub repositories after a single GitHub employee installed a poisoned Visual Studio Code extension on their device (The Hacker News, 2026-05-20; The Record, 2026-05-20; Infosecurity Magazine, 2026-05-20; Help Net Security, 2026-05-20). GitHub detected and contained the breach on 2026-05-19, isolated the affected endpoint and rotated high-impact secrets; the company states there is no evidence customer data stored outside the internal repositories was accessed. GitHub has not publicly named the malicious VS Code extension or its publisher at this writing. TeamPCP listed the stolen repositories — including GitHub Actions internals, agentic-workflow code, Copilot internal projects, CodeQL tools, Codespaces, Dependabot, and a Rails controller managing organisations and PRs — for sale at $50,000, with LAPSUS$ announcing a joint sale and a $95,000 asking price.

durabletask (PyPI). Wiz Security reported on 2026-05-20 that the TeamPCP / Mini Shai-Hulud worm compromised the official Microsoft durabletask PyPI package via versions 1.4.1, 1.4.2 and 1.4.3 (Wiz, 2026-05-20). The payload is a dropper that fetches rope.pyz from check.git-service[.]com; per Wiz the second stage is a full credential stealer targeting AWS, Azure, GCP, Kubernetes and Vault credentials, 1Password and Bitwarden vaults, filesystem credentials and shell history. Propagation per Wiz: on Kubernetes hosts the worm uses kubectl exec; on AWS EC2 instances it propagates via AWS Systems Manager SendCommand against up to 5 targets per host (T1078.004 Cloud Accounts, T1570 Lateral Tool Transfer).

Grafana Labs. Grafana Labs published the post-mortem of its own TeamPCP breach on 2026-05-19, confirming the root cause was a single GitHub Actions workflow token that slipped through the rotation process after the TanStack npm supply-chain attack (Grafana Labs, 2026-05-19; BleepingComputer, 2026-05-20). Per Grafana's own post-mortem the TanStack compromise was detected on 2026-05-11 (note: BleepingComputer cites 2026-05-01 for the malicious-package consumption event — surfaced as a contradiction in § 7); Grafana rotated the bulk of its GitHub workflow tokens, but the residual unrotated token gave TeamPCP access to clone private source-code repositories (exact count not disclosed in Grafana's post-mortem). Grafana refused the extortion demand on 2026-05-16. The exfiltration scope is confirmed limited to Grafana Labs GitHub repositories (public source code, private source code and internal repos); customer production data was not affected.

Defender takeaway: audit VS Code extension marketplace policies and consider a managed extensions allowlist via Group Policy / MDM (the VS Code marketplace does not enforce mandatory code-signing). Hunt — Sysmon EID 1 for code --install-extension invocations on developer endpoints; process trees where Code.exe or code-server spawn credential-access tools (git-credential-manager, aws configure, keychain access). Audit GitHub Actions OIDC token rotation completeness after any supply-chain incident; verify GitHub secret-scanning + push-protection are enabled on every org. CI/CD pipeline logs should be searched for durabletask imports in the 1.4.1–1.4.3 version range; treat any host that imported a malicious version as fully compromised. Review AWS SSM SendCommand audit logs for invocations that do not correspond to authorised maintenance windows.

UPDATE (originally covered 2026-05-13, 2026-05-15): Three concurrent developments show the TeamPCP / Shai-Hulud campaign has entered an open-source-imitator phase following Datadog Security Labs' 2026-05-13 analysis of the leaked Shai-Hulud worm source code. First, OX Security disclosed on 2026-05-17 four malicious npm packages published by deadcode09284814 — chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils — combined weekly downloads ~3,000 (OX Security, 2026-05-17; The Hacker News, 2026-05-18). chalk-tempalte is a near-unmodified clone of the leaked Shai-Hulud worm with a modified C2 server and a new attacker-controlled key embedded in the code — the two primary sources disagree on whether this is a public or private key (see § 7); axois-utils bundles "Phantom Bot," a Golang HTTP/TCP/UDP/Reset-flood DDoS tool with Windows Startup folder and Linux scheduled-task persistence that survives package removal; the other two harvest SSH keys, cloud-provider credentials (AWS/GCP/Azure), and cryptocurrency wallet data.

Second, SANS ISC synthesised a 2026-05-18 campaign update confirming that Checkmarx officially acknowledged on 2026-05-11 that its Jenkins AST Scanner plugin had been trojanised — version 2026.5.09, compromise window 2026-05-09 01:25 UTC to 2026-05-10 08:47 UTC — making this TeamPCP's third confirmed Checkmarx intrusion in three months (SANS Internet Storm Center, 2026-05-18; Checkmarx, 2026-05-12). Hundreds of Jenkins controllers installed the malicious plugin before removal; remediated builds 2.0.13-848 and 2.0.13-847 are safe. CxSAST on-premise was unaffected; the cloud-integrated checkmarx/ast-github-action, checkmarx/kics-github-action, and VS Code extensions were all trojaned.

Third, SentinelLabs disclosed on 2026-05-07 — also folded into the SANS ISC summary — "PCPJack," a rival cloud worm that scans for exposed Docker, Kubernetes, Redis, MongoDB and RayML services and chains five CVEs (CVE-2025-29927 Next.js middleware auth bypass; CVE-2025-55182 Next.js Server Actions deserialization; CVE-2026-1357 WPVivid arbitrary file upload; CVE-2025-9501 W3 Total Cache RCE; CVE-2025-48703 CentOS Web Panel command injection) for initial access, then explicitly kills TeamPCP processes and removes TeamPCP artefacts before harvesting credentials — assessed by SentinelLabs with moderate confidence as possibly a former TeamPCP affiliate. Defender takeaway for the Swiss/EU public-sector SOC: developer endpoints and CI/CD runners with installed Checkmarx plugin should be audited for plugin versions outside the known-safe SHA range during the 2026-05-09 → 2026-05-10 window; npm audit and SBOM scans should flag the deadcode09284814 author/scope; egress from CI runners to *.lhr.life hostnames is a high-fidelity hunt pivot for the npm worm wave; Docker/Kubernetes/Redis/MongoDB endpoints exposed to the internet should be inventoried and removed from public exposure (PCPJack's scan list). MITRE T1195.002 (Supply Chain Compromise), T1552.001 (Credentials in Files), T1041 (Exfiltration over C2 Channel).

If you did nothing this week: any pipeline that resolved an affected npm / PyPI / Packagist dependency, installed a poisoned VS Code extension, or was one of the 5,561 GitHub repositories mass-backdoored by the Megalodon sub-campaign has most likely had its OIDC tokens, cloud credentials and CI secrets exfiltrated — and GitHub itself was named in a breach claim this week.

The campaign escalated every day of the window (full trajectory in § 2). The defender-relevant constant is the propagation primitive: OIDC-token reuse across the registry trust boundary, plus IDE-hook and CI-workflow injection that runs at build time inside an already-trusted runner. Unit 42 and StepSecurity confirmed on 2026-05-21 that SLSA Build Level 3 provenance attestation is no longer a reliable integrity gate for these waves — the malicious build step executes inside the legitimately-attested pipeline, so the attestation signs the compromised artefact. Hunt for unexpected npm publish / npm stage events, outbound connections from CI runners to non-registry hosts, and IDE-hook entries (.vscode/tasks.json, .claude/settings.json) committed in dependency updates. Rotate any CI token that was live during a dependency bump in the window; do not trust provenance attestation alone to clear a package.

This is the week's defining chain. After the worm framework was open-sourced on 2026-05-12, the window saw it move from a single operator's tool to commodity capability, escalating almost daily:

• 2026-05-18 → 19 — First copycat wave: TeamPCP imitators deploy Phantom Bot plus SSH/cloud stealers, the Checkmarx Jenkins plugin is re-trojanised, and a rival "PCPJack" worm appears, per Ox Security (daily 2026-05-19). Same window: the Nx Console VS Code extension (2.2M installs) is pushed malicious for an 11-minute window (12:36–12:47 UTC, 2026-05-18) via stolen publisher credentials, and all 53 tags of actions-cool/issues-helper are moved to an imposter commit reading /proc/PID/mem of the Runner.Worker (daily 2026-05-20).
• 2026-05-21 — Escalation to platform scale: GitHub itself is named in a breach claim, Microsoft's official durabletask PyPI package is weaponised (propagating via AWS SSM and kubectl exec), and Grafana confirms a missed-token-rotation root cause (The Hacker News; daily 2026-05-21).
• 2026-05-22 — Unit 42 and StepSecurity publish concurrent analyses establishing that SLSA Build Level 3 provenance attestation is invalidated as an integrity gate for these waves — the malicious build step runs inside the legitimately-attested pipeline (Unit 42; daily 2026-05-22).
• 2026-05-23 (disclosure; event 2026-05-18) — SafeDep and OX Security disclose the Megalodon sub-campaign, which mass-poisoned 5,561 GitHub repositories in a ~6-hour window on 18 May using forged CI-bot identities and templated commit messages, harvesting cloud credentials and OIDC tokens (SafeDep; daily 2026-05-23). A further Packagist/Laravel-Lang compromise is reported the same day (daily 2026-05-24).

Two in-window synthesis documents consolidate the picture. The Cloud Security Alliance research note (2026-05-22) frames the whole event as a two-wave attack: Wave 1 (Mini Shai-Hulud, 29 Apr – 12 May) hijacked TanStack's GitHub Actions runner via a pull_request_target trigger plus Actions cache poisoning, extracted a live OIDC token from runner process memory via /proc/PID/mem, obtained a Sigstore signing certificate from Fulcio, and produced SLSA BL3 provenance attestations for 404 malicious package versions across 172 packages (CVE-2026-45321, CVSS 9.6) — the first publicly-documented hijack of trusted build pipelines to generate attestation-bearing malicious artefacts. Wave 2 (Megalodon, from 18 May) pushed 5,718 commits to 5,561 repos in under six hours, harvesting AWS IAM, GCP/Azure IMDS, SSH, Docker auth, .npmrc, .netrc, Kubernetes configs, Vault tokens and Terraform state. Separately, GitHub's official post-incident blog (2026-05-20) confirmed an employee device was compromised via the poisoned Nx Console extension (GHSA-c9j4-9m59-847w) and ~3,800 GitHub-internal repositories were exfiltrated, with no customer-data impact found as of publication and a fuller report still outstanding.

Defender takeaways: set permissions: id-token: none on workflows that do not need OIDC; disable or isolate pull_request_target for fork PRs (permissions: contents: read); treat Git commit author/committer fields as unverified free text (use contributor allow-lists / push-rule bypass-actor audit events to catch Megalodon-style forged identities); audit Sigstore Rekor for unexpected signing events from your own pipeline identity; and do not accept SLSA BL3 attestation alone as a clean-package signal.

The TeamPCP / Mini Shai-Hulud story spans every working day of 2026-W20 and the daily briefs add a piece each day. Tuesday 2026-05-12: an attacker briefly published what appears to be the complete Shai-Hulud framework source (TypeScript / Bun) to a public GitHub repository attributed to TeamPCP, taken down within hours but mirrored widely; the public source disclosure inverts the threat model — every IDE, EDR, and PR-review vendor now has access to the same artefact the operator was using but defenders must assume new variants will appear with one to two days' lead-time on signatures (Datadog Security Labs static analysis, 2026-05-13; daily 2026-05-15 UPDATE). Wednesday 2026-05-13: Wave 4 hits — 170+ packages / 400+ malicious versions compromised per daily-brief tracking across @tanstack (including react-router, ~12M weekly downloads), @uipath, @mistralai, @opensearch-project, and @guardrails-ai; the Wiz writeup confirms the same TeamPCP / UNC6780 / PCPJack attribution as prior waves (Wiz Blog, 2026-05-11; daily 2026-05-13 UPDATE). Friday 2026-05-15: OpenAI named as a victim; the company enforces code-signing certificate rotation across all macOS apps as remediation (daily 2026-05-15 UPDATE).

What W1 horizon research surfaced that the dailies could not yet see: Datadog's static analysis of the leaked source reveals two new capability classes that change the defender posture. First, IDE persistence via hook entries in .claude/settings.json (Claude Code) and .vscode/tasks.json — allowing arbitrary command execution on developer-workspace events; this is not a build-time supply-chain primitive but a developer-workstation persistence mechanism that survives npm install cleanup and outlives the malicious-package removal. Second, OIDC token extraction directly from /proc/<pid>/mem on GitHub Actions runners, used to forge Sigstore provenance attestations — meaning malicious packages can be published that are indistinguishable from legitimate ones by provenance verification alone. The W19 weekly already flagged ShinyHunters / WorldLeaks as a long-running operator-family pattern; the TeamPCP / Mini Shai-Hulud progression confirms a parallel ecosystem maturing on the npm registry side, now with publication-provenance forgery in the toolset. The leaked framework source materially elevates the risk of secondary operators applying Shai-Hulud-style techniques against other package registries (PyPI, Cargo, Maven Central) in 2026-W21 (Datadog Security Labs).

The defender pivot is two-fold: (1) for DevOps pipelines, provenance verification is necessary but no longer sufficient — supplement with publisher-pinning, two-factor publish enforcement, and post-install hash-pinning; (2) for developer workstations, treat .claude/settings.json / .vscode/tasks.json / equivalent IDE hook files as security-relevant configuration and add them to file-integrity-monitoring scope. The Datadog filesystem indicators (gh-token-monitor daemon process, claude@users.noreply.github.com commits in unexpected repositories, exfil-repo names matching "Shai-Hulud: Here We Go Again") are the right hunt seeds.

Full coverage in § 2 (multi-day chain). Status-update register: long-running operator-family pattern continues; wave 4 (170+ packages / 400+ versions per daily-brief tracking) is the largest documented npm-supply-chain wave to date; the leaked framework source materially changes both attacker and defender posture and elevates the risk of secondary operators applying the same techniques against PyPI / Cargo / Maven Central in 2026-W21. The ShinyHunters / WorldLeaks family logged in W19's long-running record (item:shinyhunters-worldleaks-family) overlaps in operator targeting (AI-tooling SaaS, multi-tenant credential aggregation) with TeamPCP's npm-side ecosystem — the two clusters appear to be operating in parallel across the SaaS and registry attack surfaces with no public attribution merging them.

UPDATE (originally covered 2026-05-13): OpenAI disclosed on approximately 2026-05-13 that two employee devices were compromised through the TanStack npm supply-chain attack (Mini Shai-Hulud / TeamPCP, first covered in this brief series on 2026-05-12 and 2026-05-13) and that the compromise affected OpenAI's macOS code-signing certificates (TechCrunch, 2026-05-14 · The Record, 2026-05-14).

The attackers exfiltrated "limited credential material" from internal source code repositories accessible to the two affected employees; OpenAI states no customer data, production systems, or core intellectual property were accessed. Critically, the certificate used to sign OpenAI's macOS desktop applications (ChatGPT for macOS and related apps) was among the compromised material, triggering an emergency certificate rotation. OpenAI is requiring all macOS app users to update to the latest version before June 12, 2026, after which older builds will lose functionality and macOS Gatekeeper notarization will block apps signed with the compromised certificate. Enterprise MDM administrators with OpenAI macOS apps in their managed fleet should push a forced update immediately. Threat attribution is unofficially assessed as TeamPCP (the same actor behind the broader TanStack worm), consistent with prior reporting on the actor's OIDC token theft and credential exfiltration goals.

UPDATE (2026-05-13 — follows TeamPCP coverage 2026-05-13): Datadog Security Labs published an analysis of the TeamPCP "Shai-Hulud" offensive worm source code on 2026-05-13, after the complete framework was briefly accessible as a public GitHub repository on 2026-05-12 before the account was removed (Datadog Security Labs, 2026-05-13). The brief public exposure gave researchers direct visibility into the worm's internal architecture: it is a TypeScript/Bun toolkit that automates GitHub Actions pwn-request exploitation — specifically targeting pull_request_target workflows that perform unsanitized checkouts — to harvest OIDC tokens and GITHUB_TOKEN values, then propagate across npm packages using the stolen credentials. The automation is fully self-contained; victim-repository selection is not manually guided, consistent with the worm-class spread observed in the original TanStack campaign. The leaked code also exposes the environment-variable injection technique (${{ github.event.pull_request.head.sha }} substitution in run steps) as a key primitive. Defenders should not execute the leaked code. The architectural disclosure accelerates defensive posture: prioritise auditing pull_request_target triggers with checkout steps in the same job, review OIDC token permission scopes, and apply environment variable sanitization. MITRE ATT&CK: T1195.002 (Compromise Software Supply Chain), T1552.001 (Credentials in Files), T1059.004 (Unix Shell).

UPDATE (originally covered 2026-05-10): Between 19:20 and 19:26 UTC on 2026-05-11, TeamPCP's Mini Shai-Hulud self-propagating worm executed its largest campaign to date, compromising 160+ malicious versions across @tanstack/* (42 packages including @tanstack/react-router at ~12M weekly downloads), @uipath/* (60+ packages), @mistralai/*, @opensearch-project/opensearch, @squawk/*, @draftlab/* and @tallyui/*, plus two PyPI packages (StepSecurity analysis, 2026-05-11; TanStack post-mortem, 2026-05-12; Wiz, 2026-05-12; NCSC-CH Security Hub #12558, 2026-05-12).

The novel attack chain (decomposed in § 5) is materially different from the 2026-05-10 SAP-CAP campaign: the operator (voicproducoes, GitHub account ID 269549300) submitted a poisoned PR to a target repository that triggered a pull_request_target workflow, used that privileged workflow to seed a malicious pnpm store into the GitHub Actions cache, then waited for legitimate maintainer merges to main — the release workflow restored the poisoned cache, attacker-controlled binaries extracted GitHub Actions OIDC tokens from /proc/<pid>/mem, and the worm used npm's token-exchange endpoint to publish trojanised package versions with valid SLSA Build Level 3 provenance attestations. The provenance bypass is the most significant evolution — SLSA L3 was the supply-chain assurance many EU public-sector procurement frameworks were starting to rely on, and this campaign demonstrates it is forgeable without abusing the package's own publish step.

Operational delta for defenders: SAP Note #3747787 (HotNews) acknowledges CAP-package impact and ships a clean version list. UiPath impact is the highest-priority public-sector signal — UiPath RPA is widely deployed in Swiss federal e-government automation and EU agency back-offices; review package-lock.json / pnpm-lock.yaml in every UiPath-using pipeline against the StepSecurity / Wiz package-version manifest. Before revoking any GitHub PAT or npm token, sanitise the developer machine first — token revocation triggers the worm's gh-token-monitor dead-man's switch that executes rm -rf ~/ on the affected workstation. Mapped to T1195.002 Supply Chain Compromise: Compromise Software Supply Chain, T1552.001 Unsecured Credentials: Credentials in Files, T1078.004 Cloud Accounts.

UPDATE (TeamPCP / mini-shai-hulud first covered 2026-05-07; PCPJack worm covered 2026-05-10; this is a distinct new artefact in the same actor ecosystem): On 2026-05-09–10 (UTC) TeamPCP (UNC6780) published a backdoored build of the Checkmarx Jenkins AST plugin (version 2026.5.09, marketed under the actor's signature naming "Checkmarx-Fully-Hacked-by-TeamPCP") to the Jenkins Marketplace. Any Jenkins instance configured to auto-update the AST plugin during that window pulled the malicious build and executed the SANDCLOCK credential stealer in the runner context (Checkmarx — Ongoing Security Updates, last updated 2026-05-09; The Hacker News, 2026-05-11; SecurityWeek, 2026-05-11).

SANDCLOCK targets every secret reachable from a typical CI/CD pipeline environment: GitHub Personal Access Tokens, AWS / Azure / GCP credentials, Kubernetes service-account tokens, Docker / OCI registry credentials, SSH keys, and Checkmarx One API tokens. Affected pipelines should be treated as full secrets-compromise events: every credential the runner could read must be rotated and any artefact built or deployed in the window audited. Checkmarx's ongoing-security-updates page specifies plugin version 2.0.13-829.vc72453fa_1c16 (published December 2025) as the safe pinned version; a CVE has been issued as CVE-2026-33634 per the Checkmarx advisory. This is the third Checkmarx-product supply-chain compromise by this actor in three months, after the March 2026 KICS Docker image and the April 2026 VS Code extension defacement — the cadence and the actor's naming convention indicate persistent targeting of the Checkmarx product line specifically, not opportunistic distribution-channel abuse.

Mapped to T1195.002 Compromise Software Supply Chain and T1552.001 Credentials In Files. The GTIG AI Threat Tracker (see § 5) attributes SANDCLOCK specifically to TeamPCP and flags the stealer as explicitly designed to harvest LLM API keys in addition to traditional cloud credentials — consistent with the actor's pivot to monetising stolen LLM access. Defender pivot: inventory every Jenkins plugin auto-update enabled across CI/CD estates; constrain runners to short-lived OIDC-federated credentials (no long-lived PATs in runner env) where the platform supports it; audit Checkmarx One API logs for unexpected source IPs since 2026-05-09.

Current state: SentinelLabs documented PCPJack on 2026-05-07 as a worm-class framework that evicts and deletes existing TeamPCP artefacts on compromise (giving the framework its name), then deploys six Python modules harvesting credentials from Docker, Kubernetes, Redis, MongoDB, RayML, and dozens of cloud / SaaS services (AWS, Azure, GCP, GitHub, Slack, HashiCorp Vault, 1Password). Propagation targets are pulled from Common Crawl Parquet files rather than ad-hoc scanning — far broader curated attack surface than typical opportunistic worms. Weaponises five public CVEs simultaneously (CVE-2025-29927 Next.js, CVE-2025-55182 React2Shell, CVE-2026-1357 WPVivid, CVE-2025-9501 W3 Total Cache, CVE-2025-48703 CWP). The TeamPCP → PCPJack succession overlay is the operational specific worth tracking: SentinelLabs explicitly states there is no evidence yet of a direct operator-level connection, while the eviction logic implies operators familiar with TeamPCP's target population. Defenders running self-hosted Next.js, React-server-actions stacks, WordPress with WPVivid Backup or W3 Total Cache, or CentOS Web Panel with internet-reachable FileManager should treat all five CVEs as actively weaponised (SentinelLabs, 2026-05-07 · The Hacker News, 2026-05-07 · SecurityWeek, 2026-05-08 · daily 2026-05-10). The earlier TeamPCP "Mini Shai-Hulud" SAP CAP npm worm (covered 2026-05-06) used Claude Code SessionStart hooks and VSCode tasks for propagation — that thread is separate from PCPJack's CVE-chain propagation but the same operator population is tracked.

SentinelLabs documented PCPJack on 2026-05-07, a worm-class framework that propagates across exposed cloud and web infrastructure by chaining five public CVEs simultaneously: CVE-2025-29927 (Next.js middleware authorisation bypass via crafted header), CVE-2025-55182 ("React2Shell" — Server Actions deserialisation in React/Next.js), CVE-2026-1357 (unauthenticated file upload in WPVivid Backup), CVE-2025-9501 (PHP injection in W3 Total Cache via the mfunc comment processor) and CVE-2025-48703 (shell injection in the CentOS Web Panel FileManager) (SentinelLabs, 2026-05-07 · The Hacker News, 2026-05-07 · SecurityWeek, 2026-05-08). The bootstrap shell script first evicts and deletes existing TeamPCP artefacts from the host (giving the framework its name), then deploys six Python modules covering credential extraction from Docker, Kubernetes, Redis, MongoDB, RayML, and dozens of cloud / SaaS services (AWS, Azure, GCP, GitHub, Slack, HashiCorp Vault, 1Password). A second-stage tooling drops Sliver C2 beacons.

Exfiltration uses Telegram channels with ChaCha20-Poly1305 encryption; propagation target lists are pulled from Common Crawl Parquet files rather than scanned ad-hoc, which gives the campaign a far broader and more curated attack surface than typical opportunistic scanning. Unlike TeamPCP and TeamTNT which monetise via cryptominers, PCPJack drops no miner — SentinelLabs assesses monetisation as credential fraud, spam, access resale, or extortion (SentinelLabs, 2026-05-07). SentinelLabs notes TTP overlap with TeamPCP and frames PCPJack as a possible former affiliate or breakaway operation. Defenders running self-hosted Next.js, React-server-actions stacks, WordPress with WPVivid Backup or W3 Total Cache, or CentOS Web Panel with internet-reachable FileManager should treat all five CVEs as actively weaponised.