AppSec & Supply Chain Security | May 14, 2026

Shai-Hulud code drop: It’s open season

The malware's public release provides a blueprint for threat actors. Take action on supply chain security.

Jaikumar Vijayan, Freelance technology journalist

TeamPCP, the financially motivated cybercrime group behind the Shai-Hulud npm worm, has released the malware’s source code as open source, significantly lowering the barrier for large-scale copycat attacks against developer infrastructure, including software development environments.

On May 12, 2026, security researchers spotted repositories on GitHub containing the Shai-Hulud code. The repositories included operational guidance encouraging users to customize encryption keys and infrastructure components for their own campaigns, suggesting that the group intends the framework to serve as a reusable foundation for future supply chain attacks. An accompanying message read:

“Shai–Hulud: Open Sourcing The Carnage. Is it vibe coded? Yes. Does it work? Let results speak. Change keys and C2 as needed. Love – TeamPCP.”

The release of the Shai-Hulud code came just days after a barrage of attacks targeting the npm ecosystem began on May 11. Those attacks, dubbed the “Mini Shai-Hulud” campaign, have compromised more than 150 npm and PyPI packages tied to projects such as TanStack, Mistral AI, UiPath, OpenSearch, and Guardrails AI.

Tomislav Peričin, ReversingLabs’ co-founder and chief software architect, said TeamPCP is targeting strategic open-source assets. 

“That’s not a niche library; it’s load-bearing infrastructure for huge swaths of the JavaScript ecosystem, consumed directly and transitively.”
—Tomislav Peričin

Researchers have described the attacks as abusing GitHub Actions workflows and using cache-poisoning techniques. By going through trusted publishing pipelines to inject malware into legitimate software releases, they make the malicious packages appear authentic. The malware is designed to steal GitHub tokens, cloud credentials, npm tokens, and other secrets while propagating itself into additional packages through compromised CI/CD infrastructure.

TeamPCP’s public release of the Shai-Hulud code marks a significant evolution in software supply chain threats by giving attackers a ready-made blueprint for building similar worms targeting open-source repositories and developer environments.

Here’s what you need to know about the open-sourcing of Shai-Hulud — and why it makes having a solid software supply chain security strategy more important than ever.


Turning up the amps to 11

“This wasn’t a leak; this was a deliberate action by the group,” said Ben Ronallo, principal cybersecurity engineer at Black Duck. “TeamPCP is turning the knob up to 11 on their activities by releasing this to anyone who wants to use it.” He said BreachForums’ announcement that it is sponsoring a supply chain compromise contest seems related to the public availability of the Shai-Hulud source code.

“These two events together will bring about a period of innovation for Shai-Hulud, likely spawning several variants of the malware.”
—Ben Ronallo

A static analysis of Shai-Hulud’s source code by Datadog Security Labs showed the malware to be a comprehensive offensive platform with distinct capabilities for persistent credential harvesting, supply chain poisoning, and data exfiltration, targeted at CI/CD pipelines and developer workstations.

Multiple offensive capabilities

For credential harvesting, Datadog found, Shai-Hulud is capable of scanning over 100 file paths across three operating system environments for SSH keys, cloud provider credentials, API keys, and database strings. The malware, Datadog said, is also capable of pulling AWS credentials from multiple places, including environment settings and cloud instance metadata. It can systematically dump all secrets stored in tools such as HashiCorp Vault and Kubernetes across an entire environment. Datadog said Shai-Hulud has a GitHub Action that goes a step further by reading live process memory to capture secrets before built-in protections such as masking kick in.

Shai-Hulud encrypts all collected data and the encryption key itself before exfiltrating it from the compromised host. Datadog discovered the primary destination to be a command-and-control domain disguised as a legitimate service. If that doesn’t work, Shai-Hulud pulls a backup destination from a signed GitHub commit that the attackers can update easily without changing the malware. If both of those fail, Shai-Hulud simply uploads the stolen data into newly created GitHub repositories with Dune-themed names so the attackers can retrieve them later, Datadog said.

The malware framework uses two mechanisms for persistence. One of them is a standard technique that keeps the malware running in the background. The other is a more interesting technique, Datadog said: a so-called deadman switch, a background process that continuously checks whether a stolen GitHub token is still valid.

If the token is revoked, the daemon triggers an instruction to wipe the user’s system while also ensuring the malware persists via system startup services on macOS and Linux. “Whether [the deadman switch] is a deterrent against revocation or a genuine destructive capability, the code implements it faithfully. The daemon self-terminates after 24 hours regardless,” Datadog said.

Tailor-made for supply chain poisoning

Datadog researchers found Shai-Hulud’s supply chain poisoning capabilities to be similarly formidable. With a stolen GitHub token, Shai-Hulud immediately pushes malicious files across all branches of every repository the token can access. It disguises the commits as routine dependency updates to avoid detection, Datadog said.

With stolen npm tokens, the framework downloads the latest version of every package the token can publish to, injects a malicious script, and republishes the modified package, thereby automatically propagating it to every downstream user.

“The open sourcing of a production offensive framework is not unprecedented, but it’s unusual for an active campaign. It lowers the barrier for other actors to adopt TeamPCP’s playbook, including the more sophisticated techniques like OIDC token abuse, provenance forgery, and AI tool persistence Hooks.”
—Datadog researchers

The plus for defenders

Defenders can benefit from the Shai-Hulud source code because it provides complete visibility into how the malware works, as well as into its targets and exfiltration methods. “The 100+ file paths in the file system provider are a checklist of what the attacker considers high value,” Datadog wrote. The code similarly sheds light on the malware’s obfuscation techniques and also how supply chain propagation works, the vendor added.

For defenders, TeamPCP’s aim is clear, said Black Duck’s Ronallo. “This is an attempt to overwhelm organizations who are not prepared.” Shai-Hulud’s compiled packages appear to be obfuscated in a manner designed to render file hashing techniques ineffective, he said, so security teams will need to rely on heuristic detections such as unusual egress traffic and anomalous credential file access, which are often less accurate.

“Organizations should start preparing for a sustained and significant spike in supply chain compromise activity resulting from both the open sourcing and the BreachForums contest.”
—Ben Ronallo
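The heuristic Ronallo points to, anomalous credential file access, can be expressed directly against the checklist Datadog describes: a worm that sweeps 100+ secret-bearing paths touches many distinct credential files from a single process in a burst, whereas a developer's `ssh` or `git` process touches one or two. The detector below is an added example written for this article, not code from ReversingLabs, Datadog or Black Duck. Its log format (`timestamp pid comm open path`), its sample log lines, and its list of credential path patterns are all constructed; in practice the lines would come from auditd, EDR or eBPF file-open telemetry and the pattern list would be tuned to the organization's own secret locations.

```python
"""Flag processes that open many distinct credential-bearing files in a short
window. Added example for this article; log format, sample lines and path
patterns are constructed and are assumptions, not any vendor's detection logic."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed list of paths that commonly hold secrets (SSH keys, cloud
# credentials, registry tokens, database strings in .env files). A real
# deployment would extend this from the organization's own inventory.
CREDENTIAL_PATH_PATTERNS = [
    re.compile(r"/\.ssh/(id_[a-z0-9]+|authorized_keys|config)$"),
    re.compile(r"/\.aws/(credentials|config)$"),
    re.compile(r"/\.npmrc$"),
    re.compile(r"/\.netrc$"),
    re.compile(r"/\.git-credentials$"),
    re.compile(r"/\.config/gh/hosts\.yml$"),
    re.compile(r"/\.kube/config$"),
    re.compile(r"/\.docker/config\.json$"),
    re.compile(r"/\.env(\.[a-z]+)?$"),
    re.compile(r"/\.vault-token$"),
]

# Assumed telemetry format: "<iso-timestamp> pid=<n> comm=<name> open path=<path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) comm=(?P<comm>\S+) open path=(?P<path>\S+)$"
)


@dataclass
class Access:
    ts: datetime
    pid: int
    comm: str
    path: str


def parse_line(line):
    """Parse one telemetry line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Access(datetime.fromisoformat(m["ts"]), int(m["pid"]), m["comm"], m["path"])


def is_credential_path(path):
    return any(p.search(path) for p in CREDENTIAL_PATH_PATTERNS)


def _has_burst(accesses, min_distinct, window):
    """Sliding window over time-sorted accesses of one process: True if any
    window of length `window` contains >= min_distinct distinct paths."""
    start = 0
    for end in range(len(accesses)):
        while accesses[end].ts - accesses[start].ts > window:
            start += 1
        if len({a.path for a in accesses[start:end + 1]}) >= min_distinct:
            return True
    return False


def find_credential_sweeps(lines, min_distinct=3, window=timedelta(seconds=60)):
    """Return {(pid, comm): sorted credential paths} for every process that
    opened at least `min_distinct` distinct credential files within `window`.
    Processes below the threshold, or spread out over a longer period, are
    not reported, which keeps ordinary ssh/git/npm usage out of the alerts."""
    by_proc = defaultdict(list)
    for line in lines:
        a = parse_line(line)
        if a and is_credential_path(a.path):
            by_proc[(a.pid, a.comm)].append(a)
    flagged = {}
    for key, accesses in by_proc.items():
        accesses.sort(key=lambda a: a.ts)
        if _has_burst(accesses, min_distinct, window):
            flagged[key] = sorted({a.path for a in accesses})
    return flagged


# Constructed sample telemetry: normal ssh/git use, one node process sweeping
# five credential files in three seconds, and one node process touching three
# credential files spread over twenty minutes (below the burst threshold).
SAMPLE_LOG = """\
2026-05-12T10:00:01 pid=3101 comm=ssh open path=/home/dev/.ssh/config
2026-05-12T10:00:01 pid=3101 comm=ssh open path=/home/dev/.ssh/id_ed25519
2026-05-12T10:00:05 pid=3120 comm=git open path=/home/dev/.git-credentials
2026-05-12T10:02:00 pid=4242 comm=node open path=/home/dev/.npmrc
2026-05-12T10:02:00 pid=4242 comm=node open path=/home/dev/.ssh/id_rsa
2026-05-12T10:02:01 pid=4242 comm=node open path=/home/dev/.aws/credentials
2026-05-12T10:02:01 pid=4242 comm=node open path=/home/dev/project/.env
2026-05-12T10:02:02 pid=4242 comm=node open path=/home/dev/.git-credentials
2026-05-12T10:02:03 pid=4242 comm=node open path=/home/dev/project/package.json
2026-05-12T10:10:00 pid=5000 comm=node open path=/home/dev/.npmrc
2026-05-12T10:20:00 pid=5000 comm=node open path=/home/dev/.kube/config
2026-05-12T10:30:00 pid=5000 comm=node open path=/home/dev/.docker/config.json
"""

if __name__ == "__main__":
    for (pid, comm), paths in find_credential_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT pid={pid} comm={comm} credential sweep: {', '.join(paths)}")
```

The threshold and window are the tuning knobs: raising `min_distinct` suppresses noise from tools that legitimately read a handful of config files, while the per-process grouping means an interpreter such as `node` is judged by what that specific process does, not by its name. As the article notes, heuristics like this are less precise than hash matching, so the output is best treated as a triage signal to be joined with egress telemetry rather than as a blocking control.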

Jason Soroko, senior fellow at Sectigo, theorized that Shai-Hulud’s operators might have released the source code to make attribution harder and also to distribute the malware more widely. By providing the code alongside deployment instructions, the developers establish plausible deniability, Soroko said: subsequent attacks cannot be definitively linked to their group.

“Actions like this in the past have triggered a proliferation of variants as independent actors modify the base code for their own objectives. For defenders, this fragmentation multiplies the threat surface. Security teams must shift from tracking a single adversary to defending against a decentralized network of copycats, making threat intelligence and incident response much more difficult.”
—Jason Soroko

Key takeaways for AppSec teams

Traditional vulnerability and secrets scanning is no longer enough, Peričin wrote when Shai-Hulud was first discovered by RL’s research team. And that is more true this week with the public release of Shai-Hulud. 

“A vulnerability might get exploited and give you a headache. With malware, there is no doubt. If it was deployed anywhere in your environment, you were affected. Of course, malware is not a vulnerability, but it may rely on the exploitation of a software vulnerability or other weaknesses in your defenses. And Shai-Hulud used it to walk out the front door with all of your secrets — secrets that it will happily abuse to start another series of attacks.”
—Tomislav Peričin

The software supply chain is complex, Peričin noted. It requires augmentation of traditional security checks with more nuanced, behavioral-based detection that can spot malicious code and other anomalies. 

Complexity is the enemy of resilience

At the end of the day, cyber resilience won’t come from piling on complexity. That’s because attackers exploit complexity for their own means. In response, defenders must simplify their processes with a focus on supply chain integrity. In the process, they should adopt tools to detect malicious behaviors and dependencies, in addition to the efforts still needed to minimize maintainer account takeovers. These software supply chain security measures won’t end attacks for good, but they will raise the bar and block many noisy, disruptive campaigns — for the benefit of everyone.

Learn how RL’s free Spectra Assure Community can help secure the open source in your next build.

Keep learning

  • Get up to speed on the state of software security with RL's Software Supply Chain Security Report 2026. Plus: See the webinar discussing the findings.
  • Learn why binary analysis is a must-have in the Gartner® CISO Playbook for Commercial Software Supply Chain Security.
  • Take action on securing AI/ML with our report: AI Is the Supply Chain. Plus: See RL's research on nullifAI and watch how RL discovered the novel threat.
  • Get the report: Go Beyond the SBOM. Plus: See the CycloneDX xBOM webinar.

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.
