The Shai Hulud supply chain worm, attributed to TeamPCP, compromises CI/CD pipelines by injecting malicious npm/PyPI packages that harvest build credentials and pivot into production AWS cloud infrastructure. In a confirmed breach, attackers stole Jenkins EC2 instance role credentials via the Instance Metadata Service (IMDS), used them from external IPs, escalated privileges by creating an IAM user with AdministratorAccess, modified Redshift and Aurora security groups to open network paths, enumerated Secrets Manager for warehouse credentials, and exfiltrated data via the Redshift Data API. The attack demonstrates that pipeline identity equals production identity, with explicit attacker naming conventions (exfil-s3-* policies, exfil STS session names) providing high-fidelity detection opportunities.
The Shai-Hulud software supply chain campaign has significantly evolved, expanding from npm to PyPI and shifting from maintainer compromise to CI/CD abuse. Recent waves demonstrate advanced techniques including OIDC token scraping to bypass SLSA provenance, IDE configuration file weaponization, and prompt injection designed to evade LLM-based security scanners.
This report details primary attack vectors against containerized environments, focusing on container escapes, orchestration API abuse, and supply chain compromises. Threat actors exploit misconfigurations such as excessive Linux capabilities and exposed Docker sockets to break out of containers, while also targeting CI/CD pipelines and public image repositories to establish initial footholds.
Software Supply Chain and AI Exploitation Dominate Threat Landscape
The software supply chain has become the primary battlefield for attackers because compromising a single developer tool can cascade into thousands of enterprise networks. Campaigns like Mini Shai-Hulud and TrapDoor are stealing credentials and injecting backdoors across major code registries, while the Laravel Lang Compromise and the Coruna Exploit Kit show how malicious code can automatically execute to steal secrets or exploit end users. As a result, organizations must treat developer environments as high-value targets, because a single compromised package or malicious VS Code extension can lead to catastrophic breaches like the GitHub internal repository theft by TeamPCP.
In parallel, artificial intelligence is simultaneously accelerating attacks and creating dangerous new attack surfaces. Threat actors are using AI to automate influence campaigns like Patriot Bait and crack passwords, while also impersonating AI tools like Gemini CLI and Claude Code to deliver infostealers. Furthermore, attackers are directly targeting exposed AI infrastructure, such as Ollama AI endpoints, and manipulating AI coding assistants via hidden prompt injections in campaigns like TrapDoor, which means AI systems are both the weapon and the target.
These trends together suggest that traditional perimeter defenses are failing against supply chain and AI-driven threats. Managers should immediately enforce strict vetting of open-source packages, restrict developer access to unverified extensions, and ensure AI infrastructure is not exposed to the public internet.
In response to the ongoing Mini Shai-Hulud supply chain campaign, npm has invalidated all granular access tokens that bypass two-factor authentication. The threat actors have been harvesting credentials from CI/CD environments to automate the publishing of malicious package versions, successfully bypassing existing controls like OIDC Trusted Publishing. To provide a more robust defense, npm has introduced an opt-in Staged Publishing feature that requires interactive MFA approval for automated releases.
GitHub experienced an internal security incident where threat actor TeamPCP (UNC6780) compromised an employee's device using a malicious Visual Studio Code extension. The attacker harvested local developer secrets to clone approximately 3,800 internal repositories, which were subsequently listed for sale on a cybercrime forum.
A malicious Visual Studio Code extension installed on a GitHub employee's endpoint provided the threat actor TeamPCP with access to exfiltrate approximately 3,800 internal repositories. The incident underscores the critical risk of IDE extensions serving as initial access vectors for supply-chain attacks, allowing threat actors to leverage developer privileges for large-scale data exfiltration.
Developer Supply Chains Under Siege as Edge Device Exploits Surge
The dominant narrative this week is the coordinated weaponization of the software supply chain, as threat actors like TeamPCP and Mini Shai-Hulud aggressively target developer tools to steal cloud credentials. Because these attackers compromise trusted build systems like GitHub Actions, a single malicious package—such as the compromised TanStack libraries—can cascade into massive downstream breaches, allowing criminals to hold development environments hostage and even deploy destructive dead-man switches if their access is cut off.
In parallel, attackers are bypassing traditional network defenses by exploiting internet-facing edge devices and logging in with stolen credentials. Threat clusters are actively exploiting critical flaws in Cisco Catalyst SD-WAN and Microsoft Exchange, while ransomware groups like The Gentlemen and state-sponsored actors like Secret Blizzard use these footholds to live off the land, hijacking legitimate IT tools to stay hidden for months.
These trends together suggest that perimeter-focused defenses and basic patching are no longer sufficient. Organizations must immediately isolate their CI/CD pipelines from cloud credentials, enforce phishing-resistant multi-factor authentication on all internet-facing systems, and assume that trusted vendor tools may already be compromised.
The TeamPCP threat actor deployed the Mini Shai-Hulud worm in a sophisticated supply chain attack targeting the npm ecosystem via a GitHub Actions CI cache-poisoning technique. The malware steals credentials, establishes persistence via developer tools like VS Code and Claude Code, and features a destructive dead man switch that wipes the victim's home directory if access tokens are revoked.
TeamPCP has partnered with BreachForums to launch a supply chain attack contest, incentivizing threat actors to compromise open-source packages using the open-sourced Shai-Hulud worm. The campaign targets CI/CD pipelines and developer environments to harvest credentials, posing a significant risk of downstream enterprise compromises.
SentinelLABS discovered PCPJack, a cloud-focused worm designed to harvest credentials at scale while actively evicting artifacts of a rival threat actor, TeamPCP. The framework targets exposed cloud services like Docker, Kubernetes, and Redis for propagation and lateral movement, notably omitting cryptomining payloads in favor of credential theft and Sliver C2 deployment.
TeamPCP (SHADOW-WATER-058) executed a sophisticated supply chain campaign compromising developer toolchains across multiple ecosystems, including Docker Hub, PyPI, and GitHub Actions. The attacks leveraged CI/CD trust, such as unsanitized PR comments and stolen publisher tokens, to distribute credential-harvesting payloads via Python .pth files and the Bun runtime, targeting over 80 credential types and abusing live AWS APIs.
A sophisticated supply-chain worm dubbed 'Mini Shai-Hulud' has compromised numerous high-profile npm and PyPI packages, including TanStack and Mistral AI. The heavily obfuscated payload targets CI/CD environments to systematically harvest credentials from GitHub, AWS, Vault, and Kubernetes. It autonomously propagates by minting npm publish tokens and committing malicious code to repositories, while exfiltrating stolen secrets via the Session P2P network.
The official intercom-client npm package (version 7.0.4) was compromised in a supply chain attack attributed to the Mini Shai-Hulud campaign and linked to the TeamPCP threat actor. The malicious package executes during installation via a preinstall hook to harvest cloud, Kubernetes, and Vault credentials from developer and CI/CD environments, exfiltrating them via the GitHub API.
A suspected TeamPCP-linked supply chain attack compromised multiple SAP CAP and Cloud MTA npm packages by injecting malicious preinstall scripts. The attack leverages a downloaded Bun runtime to execute an obfuscated payload that harvests extensive credentials from developer machines and CI/CD pipelines, exfiltrating data via attacker-controlled GitHub repositories and establishing persistence through VSCode and Claude AI configurations.
VECT 2.0 is a cross-platform (Windows, Linux, ESXi) Ransomware-as-a-Service that effectively functions as a wiper due to a critical cryptographic implementation flaw. Files larger than 128 KB are encrypted in chunks using raw ChaCha20-IETF, but the malware fails to save the required nonces for the first three chunks, rendering full data recovery impossible even if the ransom is paid.
A sophisticated supply chain attack compromised official Checkmarx KICS Docker images and VS Code extensions, injecting malware designed to harvest and exfiltrate cloud, developer, and CI/CD credentials. The threat actor, believed to be TeamPCP, utilized the Bun runtime to execute the payload, subsequently abusing stolen GitHub and NPM tokens to propagate the infection through malicious GitHub Actions workflows and poisoned NPM packages.
A supply chain attack targeting npm packages associated with Namastex.ai has been discovered, utilizing CanisterWorm-style malware. The malicious packages execute upon installation to harvest developer credentials, cloud secrets, and cryptocurrency wallets, exfiltrating data to an ICP canister and webhooks while attempting to self-propagate across the npm and PyPI ecosystems.
Threat actor TeamPCP leveraged stolen credentials to compromise trusted software repositories, including LiteLLM and Checkmarx, injecting credential-harvesting malware into the supply chain. This campaign highlights the severe business risks of identity compromise, as stolen access tokens enable downstream attacks such as ransomware, payroll redirection, and logistics fraud without triggering traditional perimeter alerts.
In March 2026, severe software supply chain attacks targeted popular open-source packages. A North Korean threat actor compromised the Axios NPM package to distribute a cross-platform RAT, while the TeamPCP group poisoned the LiteLLM PyPI package to harvest cloud and infrastructure secrets.
Suspected DPRK state actors compromised the highly popular Axios npm package by taking over a maintainer's account and publishing malicious versions that deployed a cross-platform RAT via a phantom dependency. Concurrently, a threat group named TeamPCP conducted a cascading supply chain attack affecting Trivy, LiteLLM, and Telnyx to harvest CI/CD credentials. These incidents underscore the critical need for automated package monitoring, rapid credential rotation, and delayed dependency updates.
The official Telnyx Python SDK on PyPI was compromised by the threat actor TeamPCP, who published malicious versions (4.87.1 and 4.87.2) containing credential-harvesting malware. The malware executes upon module import, utilizing audio steganography to deliver OS-specific payloads: a fileless in-memory harvester for Linux/macOS and a persistent binary for Windows, with exfiltrated data secured via hybrid encryption.
Threat actor TeamPCP orchestrated a cascading supply chain attack by exploiting a misconfigured GitHub Actions workflow in Aqua Security's Trivy, harvesting credentials to compromise subsequent repositories including Checkmarx, LiteLLM, and Telnyx. The malicious packages deploy sophisticated, OS-specific remote access trojans (RATs) that utilize steganography, process hollowing, and ETW patching to evade detection while exfiltrating sensitive data.
The TeamPCP threat actor compromised the Telnyx Python SDK on PyPI, injecting malicious code that executes upon import. The attack utilizes split-file injection and WAV audio steganography to deliver credential-stealing malware, establishing persistence on Windows systems and exfiltrating data via plaintext HTTP.
Threat actor TeamPCP has formed an alliance with the Vect Ransomware-as-a-Service (RaaS) group to weaponize recent open-source supply chain compromises. By leveraging approximately 300 GB of stolen credentials and tokens harvested from CI/CD pipelines and security tools like Trivy and LiteLLM, the groups intend to facilitate large-scale ransomware deployments across affected enterprise environments.
A sophisticated supply chain attack by the threat actor TeamPCP compromised the popular AI proxy package LiteLLM via a previously hijacked Trivy GitHub Action. The malicious package deployed a multi-stage payload utilizing a Python .pth file to harvest extensive cloud, Kubernetes, and AI credentials, encrypt them, and exfiltrate them to attacker-controlled infrastructure while establishing a persistent remote code execution backdoor.
The threat actor TeamPCP is conducting a highly coordinated supply chain campaign targeting widely used open-source security tools and developer infrastructure, including Trivy, Checkmarx' KICS, and LiteLLM. By compromising CI/CD pipelines and GitHub Actions, the attackers are successfully turning trusted security scanners into infostealers to harvest and exfiltrate massive amounts of enterprise credentials.
A supply chain attack on Aqua Security's Trivy project resulted in compromised Docker images containing the TeamPCP infostealer being pushed to Docker Hub. The attackers leveraged unauthorized access to the Aqua Security GitHub organization to distribute malicious versions (0.69.4, 0.69.5, 0.69.6) that exfiltrate sensitive CI/CD data to a typosquatted C2 domain.
A sophisticated supply chain attack compromised the official Trivy GitHub Action (aquasecurity/trivy-action) by force-pushing 75 version tags to malicious commits. The injected infostealer harvests sensitive CI/CD secrets from runner memory and filesystems, exfiltrating them to a typosquat domain or a fallback GitHub repository.
The TeamPCP threat actor targets cloud-native and containerized environments to deploy cryptominers and ransomware. The attack chain involves initial access via web server exploitation, in-memory payload execution, Kubernetes API abuse for lateral movement, and node-level escape using privileged DaemonSets.
AI Weaponization and Developer Supply Chain Attacks Redefine the Perimeter
Attackers are aggressively targeting the software development process because compromising a single developer tool can unlock thousands of corporate networks. In parallel, artificial intelligence is collapsing the cost of attacks, allowing criminals to build convincing deepfakes and automated phishing campaigns in minutes. As a result, traditional security like multi-factor authentication is increasingly bypassed using tricks that steal active login sessions rather than passwords. These trends together suggest that relying on perimeter defenses and basic hygiene is no longer enough, as attackers hide inside trusted cloud services and legitimate software updates. This matters because organizations are losing visibility into where their sensitive data actually lives, especially as AI tools create hidden pathways into company systems. Defenders must shift their focus to monitoring user behavior after login and securing the automated systems that build their software. Watch for unusual activity in your developer tools and implement stricter checks on third-party software.
AI Weaponization Collapses Trust as Identity Becomes the Perimeter
Attackers are using artificial intelligence to make phishing and social engineering dramatically cheaper and more convincing, as seen in BlueNoroff's AI-generated deepfake meetings targeting Web3 executives and the Bluekit phishing platform's built-in AI assistant that crafts lures on demand. Because these AI tools can generate convincing scams and steal session cookies to bypass multi-factor authentication, traditional email filters and basic MFA are no longer sufficient barriers. In parallel, attackers are shifting from hacking infrastructure to hijacking identity and trust systems—installing legitimate remote-access tools via phishing, exploiting API authentication flaws like BOLA, and harvesting credentials through malicious AI browser extensions that spy on users in real time. This identity-focused shift compounds with the persistent exploitation of older vulnerabilities; groups like SHADOW-EARTH-053 still use years-old ProxyLogon flaws on unpatched Exchange servers, while CISA confirms CVE-2026-32202 (Microsoft Windows) and CVE-2026-41940 (cPanel) are already being exploited in the wild. Because AI models like Claude Mythos can now autonomously chain these vulnerabilities into working exploits at machine speed, defenders cannot rely on manual patching cadences to stay safe. These trends together suggest that the real perimeter is no longer the firewall but the identity layer, and defending it requires phishing-resistant authentication, automated response, and rigorous vetting of developer pipelines and third-party trust. Watch for AI-accelerated exploitation of unpatched systems and invest in identity-centric, machine-speed defenses before the next wave of automated attacks outpaces your team's response.