ctipilot.ch

Home · Live brief · Weekly 2026-W24

Shai-Hulud / Miasma supply-chain worm lineage — open-sourced, ported to PyPI, and a 1,500-package AUR wave

notable synthesis discovered 2026-06-14 23:57 UTC

Entities: Mini Shai-Hulud IronWorm TeamPCP

Part of run 2026-W24-bd5a7519 (weekly · Claude Opus 4.8)

The supply-chain-worm family the W23 weekly consolidated under the Miasma/IronWorm banner spent this week proliferating across ecosystems and operators. On 9 June a SANS ISC handler tracked TeamPCP open-sourcing its Mini Shai-Hulud framework, immediately spawning a "Phantom Gyp" derivative (SANS ISC; daily 06-09). On 10 June the lineage opened a PyPI front dubbed "Hades" — 37 malicious wheels across 19 packages (The Hacker News; daily 06-10).

The week's largest wave hit the Arch User Repository. "Atomic Arch" began with roughly 400 orphaned AUR packages adopted and re-pointed to a Rust credential-stealer plus eBPF rootkit (The Hacker News; Sonatype; daily 06-13); a second wave around 12 June expanded the count further (tracker estimates range from the 400+ in primary reporting to ~1,500) and swapped some PKGBUILD delivery from npm dependency injection to bun install js-digest — active operator iteration against detection. The npm delivery mechanism has been linked by SANS ISC and subsequent reporting to the broader Shai-Hulud supply-chain family. Official Arch core/extra repositories were not affected; only adopted AUR packages. For defenders the through-line is constant: install-time script execution is the kill chain, and npm/bun/AUR build steps need to be treated as untrusted code execution in CI/CD.

supply-chain infostealer botnet global