Warning: Massive New Shai-Hulud Worm Devours Developer Platform Secrets

On May 15, 2026, the global software supply chain faced a massive escalation as the notorious threat group TeamPCP deliberately leaked the full source code and deployment manual for their self-propagating malware, Shai-Hulud.

Named after the giant, devouring sandworms of Dune, the worm is specifically engineered to aggressively scour developer environments and CI/CD pipelines for high-value access tokens.

By publishing the codebase under the mocking title “A Gift From TeamPCP,” the group has effectively democratized an enterprise-grade cyber weapon. Threat intelligence feeds from SlowMist’s MistEye system confirm that copycat threat actors are already forking the repository, modifying its payloads, and actively expanding its target surface to alternative operating systems like FreeBSD.


The Technical Attack Flow: From Ingestion to Propagation

According to technical analysis by SlowMist, Shai-Hulud relies on a highly optimized, multi-layered execution engine designed to spread automatically across registries while simultaneously looting local machine configurations.

Malicious npm Package Installed ➔ Scans Environment for Cloud/CI Credentials ➔ Hijacks Local AI Agents (Claude Code) ➔ Auto-Publishes Tainted Clones to npm Registry

The worm’s life cycle operates through four highly integrated phases:

1. Structural Credential Looting

The malware launches its core execution logic immediately upon dependency installation using heavily obfuscated preinstall scripts (such as setup.mjs). It runs an internal regular expression engine optimized to locate and harvest three key credential pillars:

  • GitHub Infrastructure: It pulls active tokens straight from the GitHub CLI (gh auth token) and exfiltrates GitHub App JSON Web Tokens (JWTs).
  • Cloud Identity Surface: It targets local configuration environments to scrape raw AWS Identity tokens (AWS_WEB_IDENTITY_TOKEN_FILE) and pulls internal Kubernetes service account tokens located at /var/run/secrets/kubernetes.io/serviceaccount/token.
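Because the worm fires from install-time scripts, a useful defensive check is to list which installed packages declare such hooks before they are allowed to run. The following is an added example, not code from the article or from SlowMist's analysis; the function names, the `reviewed` allowlist and the sample manifest are assumptions made for illustration.

```python
import json
from pathlib import Path

HOOKS = ("preinstall", "install", "postinstall")  # scripts npm runs during `npm install`

# Constructed manifest for illustration; the package name is made up.
SAMPLE_MANIFEST = '{"name": "example-pkg", "scripts": {"preinstall": "node setup.mjs", "test": "jest"}}'

def install_hooks(manifest_text):
    """Return {hook: command} for the install-time hooks one package.json declares."""
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError:
        return {}
    scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
    if not isinstance(scripts, dict):
        return {}
    return {h: scripts[h] for h in HOOKS if isinstance(scripts.get(h), str)}

def package_name(manifest_path):
    """Derive the package name from its directory (the manifest's own "name" is untrusted)."""
    pkg_dir = manifest_path.parent
    if pkg_dir.parent.name == "node_modules":
        return pkg_dir.name
    if pkg_dir.parent.name.startswith("@") and pkg_dir.parent.parent.name == "node_modules":
        return f"{pkg_dir.parent.name}/{pkg_dir.name}"
    return None  # a nested package.json inside a package, not a package root

def scan_node_modules(root, reviewed=frozenset()):
    """List (package, hook, command) for installed packages whose hooks are not yet reviewed."""
    findings = []
    for manifest_path in sorted(Path(root).rglob("package.json")):
        name = package_name(manifest_path)
        if name is None or name in reviewed:
            continue
        hooks = install_hooks(manifest_path.read_text(encoding="utf-8", errors="replace"))
        findings.extend((name, hook, cmd) for hook, cmd in hooks.items())
    return findings
```

Run it against a tree installed with `npm install --ignore-scripts`, so that no hook has executed yet, and review every finding before re-enabling scripts.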

2. Target Evacuation & Exfiltration

Rather than storing files locally where an Endpoint Detection and Response (EDR) agent might flag them, Shai-Hulud encrypts the gathered secrets using an AES-256-GCM cipher envelope. The payload is then immediately dispatched via an HTTP POST request to a hardcoded command-and-control (C2) endpoint disguised as a legitimate open-source utility:

https://git-tanstack.com/router

3. Self-Replication and Supply Chain Injection

The true danger of Shai-Hulud is its ability to use the host machine as a springboard. The moment it captures a valid npm publishing token from a developer’s environment, it autonomously hijacks their access rights, updates target registry files, hooks malicious code directly into the developer’s legitimate repositories, and publishes new, tainted versions of their packages to the public npm registry.

4. Subverting AI Coding Assistants

In a highly novel shift tailored for modern development workflows, the authors optimized Shai-Hulud to target Claude Code environments.

The worm scans for and alters local configuration directories, specifically modifying ~/.claude.json, ~/.claude/mcp.json, and .kiro/settings/mcp.json. It injects malicious Model Context Protocol (MCP) server hooks to ensure the malware re-executes whenever the developer interacts with the AI.

Furthermore, it appends an “Anthropic Magic String” into local prompt logic—a specialized prompt injection technique designed to blind the AI agent and prevent it from analyzing or reporting the malicious modifications to the user.


Evasion Logic and Attribution

Deep code analysis reveals that Shai-Hulud includes a hardcoded locale verification loop. Before executing any credential-harvesting routines, the script checks the host system’s native language configurations.

If the environment is configured for a Russian-language locale, the payload terminates immediately without performing malicious actions. Threat intelligence analysts note that this deliberate exclusion pattern strongly aligns with the tactics, techniques, and procedures (TTPs) of threat actors operating out of Russian-speaking regions to avoid local law enforcement scrutiny.


Mitigation Playbook for DevOps Teams

Because Shai-Hulud mimics legitimate developer activity and white-labels itself inside common formatting workflows, security teams must enforce strict, out-of-band pipeline controls:

  1. Audit AI Configurations: Manually inspect developer workstations for unauthorized modifications to ~/.claude.json or unknown MCP server integrations.
  2. Enforce Strict Network Egress: Configure firewalls and internal DNS proxies to block all traffic attempting to reach git-tanstack.com or associated unverified external routers.
  3. Rotate Compromised Secrets: If systemd or background process anomalies are detected, immediately revoke all active AWS tokens, Kubernetes service accounts, and npm/GitHub Personal Access Tokens associated with that machine.
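The manual inspection in step 1 can be scripted. This is an added example, not code from the article or from any vendor tool: it assumes MCP server definitions sit under an "mcpServers" key somewhere in each JSON file, and the `approved` allowlist, the function names and the sample config are constructed for illustration.

```python
import json
from pathlib import Path
CONFIG_PATHS = ("~/.claude.json", "~/.claude/mcp.json", ".kiro/settings/mcp.json")  # from the article
IOC_DOMAIN = "git-tanstack.com"  # C2 domain from the article's IoC list
# Constructed sample config, not captured from an infected host.
SAMPLE = json.dumps({
    "mcpServers": {"docs": {"command": "npx", "args": ["-y", "example-docs-mcp"]}},
    "projects": {"/work/app": {"mcpServers": {
        "formatter": {"command": "node", "args": ["/tmp/setup.mjs"]},
        "router": {"url": "https://git-tanstack.com/router"}}}}})

def iter_mcp_servers(node, trail=""):
    """Yield (location, name, definition) for entries under any "mcpServers" key (assumed layout)."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "mcpServers" and isinstance(value, dict):
                for name, definition in value.items():
                    yield f"{trail}/{key}", name, definition
            else:
                yield from iter_mcp_servers(value, f"{trail}/{key}")
    elif isinstance(node, list):
        for item in node:
            yield from iter_mcp_servers(item, trail + "[]")

def audit_config(text, approved):
    """Return (finding, server, location) tuples; `approved` maps name -> [command, *args]."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("unparseable", "", str(exc))]
    findings = []
    for location, name, definition in iter_mcp_servers(doc):
        entry = definition if isinstance(definition, dict) else {}
        launch = [entry.get("command"), *(entry["args"] if isinstance(entry.get("args"), list) else [])]
        if IOC_DOMAIN in json.dumps(definition):
            findings.append(("ioc-domain", name, location))
        elif name not in approved:
            findings.append(("unapproved-server", name, location))
        elif approved[name] != launch:
            findings.append(("launch-changed", name, location))
    return findings

def audit_workstation(approved, home, project="."):
    report = {}  # config path -> findings, for each listed file that exists
    for raw in CONFIG_PATHS:
        path = Path(home, raw[2:]) if raw.startswith("~/") else Path(project, raw)
        if path.is_file():
            report[raw] = audit_config(path.read_text(encoding="utf-8", errors="replace"), approved)
    return report
```

An "unparseable" finding deserves the same attention as an unapproved server, since a config file that no longer parses may have been tampered with.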

Critical Indicators of Compromise (IoCs)

| Type | Indicator / Path | Contextual Description |
|---|---|---|
| C2 Domain | git-tanstack.com | Malicious domain masquerading as the TanStack project |
| URL Endpoint | /router | Path used to collect encrypted credential payloads via POST |
| Target Path | ~/.claude.json | Local AI agent configuration file targeted for persistence |
| Target Path | ~/.claude/mcp.json | Model Context Protocol configuration backdoored by the worm |
