I've spent the past six weeks tracking one campaign across the npm software ecosystem: Shai-Hulud, a self-propagating worm stealing developer credentials wherever it touched. From late April through early June 2026, the campaign moved through hundreds of compromised packages, recognizable victims, and an unmistakable escalation pattern.
In Frank Herbert's Dune, "Shai-Hulud" is the name for the giant sandworms of Arrakis — creatures that move through the desert in massive, unstoppable patterns, consuming everything they cross. The attackers who named their worm chose the metaphor carefully. Between April 24 and June 2, 2026, their tool moved through the software ecosystem the same way: massive, unstoppable, consuming developer credentials wherever it touched.
Two weeks ago I wrote about a different cascade — the cPanel CVE-2026-41940 disclosure that compressed mass exploitation into 72 hours. Three actor tiers converging on a single vulnerability in predictable order. I argued that cyber attacks aren't chaos — they're patterns that compress in time.
Then a different campaign showed me the same pattern in a different domain.
This analysis documents what six weeks of Shai-Hulud taught me about how supply chain attacks evolve — and why the structure is more predictable than defenders want to admit. But before I get to the worm itself, there's a more honest framing to acknowledge: Shai-Hulud is not where this story starts. The attackers behind it — TeamPCP, tracked by Google's Threat Intelligence Group as UNC6780 — were already operating a multi-month supply chain campaign when the worm went public. The Shai-Hulud campaign I documented for six weeks is one phase of a longer operation that was visible to threat researchers since at least March 25, 2026.
What I watched unfold wasn't the start of an attack. It was the visible surface of a much deeper campaign.
For readers who don't live in the supply chain attack world, here's what Shai-Hulud actually does.
Modern software isn't built from scratch. Developers assemble it from thousands of smaller pieces of code called "packages" — pre-written solutions to common problems. Need to send data to a server? You don't write that code yourself. You install a package called axios that handles it. Need to manage navigation in your web app? You install tanstack-router. Need to display data in tables, handle dates, parse files, encrypt passwords? There's a package for each one.
The Node Package Manager (npm) is the central registry where JavaScript developers download these packages. As of 2026, npm hosts over 3 million packages. Popular ones like axios get downloaded approximately 50 million times per week. The entire modern web runs on this ecosystem.
When you install a package, you're trusting several things:
Shai-Hulud breaks that trust at every level.
The worm spreads through compromised npm packages. When a developer installs an infected package, the malware:
The cycle compounds. One developer's compromised laptop becomes the seed for hundreds of poisoned packages. Those packages get downloaded by other developers. Their credentials get stolen. The infection grows exponentially.
This is what makes Shai-Hulud different from most supply chain attacks. It's not a one-time poisoning — it's a self-propagating worm. The attackers don't have to compromise individual packages. They just have to start the chain reaction.
What happens to the stolen data is the second layer of the attack. Some credentials get used immediately to publish the next wave of poisoned packages. Others get monetized. TeamPCP has been documented selling stolen source code on cybercrime forums — Mistral AI's repositories were advertised for sale on May 14, 2026. By May 20, the group claimed to have stolen 4,000 internal GitHub repositories. The credential graph the worm builds doesn't just compromise packages. It compromises companies.
The name fits.
The concentration risk problem. When attackers compromise a package that's downloaded 50 million times a week, every organization using that package becomes a potential victim. The worm doesn't need to target you. You target it by installing the dependency. One point of failure. Thousands of downstream organizations exposed.
Supply chain attacks aren't new. They're 16 years old in their modern form. What changed in 2026 is the scale and speed, not the underlying pattern.
Public threat intelligence reporting on supply chain attacks goes back to 2010. Reading the documented incidents in order reveals a trajectory worth naming before discussing Shai-Hulud specifically.
| Year | Campaign | Actor | Scale |
|---|---|---|---|
| 2010 | Stuxnet | NSA / Unit 8200 | Targeted destruction of Iranian centrifuges |
| 2013 | Target Breach | Unknown (HVAC vendor compromise) | 40 million payment cards |
| 2015 | XcodeGhost | Likely China-affiliated | 4,000 malicious iOS apps |
| 2017 | NotPetya (via M.E.Doc update) | Sandworm / GRU Unit 74455 | $10 billion in damages |
| 2017 | CCleaner (Avast) | Floxif operators | 2.27 million downloads infected |
| 2020 | SolarWinds SUNBURST | APT29 / SVR | 18,000 organizations · 9-month dwell time |
| 2021 | Kaseya VSA | REvil ransomware | 1,500 downstream victims |
| 2023 | 3CX VoIP | Lazarus / DPRK | 600,000 organizations |
| 2023 | MOVEit | Cl0p ransomware | 2,500+ organizations |
| 2026 | Shai-Hulud / TeamPCP | UNC6780 (criminal enterprise) | 600+ packages · 6 weeks · ongoing |
Three trends are visible across this timeline:
Frequency increase. From rare, isolated incidents (one every 1-2 years through the mid-2010s) to constant background activity. My dataset shows 87 supply chain attacks in the first five months of 2026 alone.
Actor diversification. The 2010-era attacks required nation-state resources (Stuxnet took the combined efforts of NSA and Israeli Unit 8200 operating for years). The 2023-era attacks include sophisticated criminal enterprises (REvil, Cl0p) operating at nation-state-equivalent scale. The 2026 attacks include criminal actors like TeamPCP who openly distribute their tools for use by other criminals.
Speed acceleration. SolarWinds went undetected for nine months. Shai-Hulud propagated through 600 packages overnight in its May 19 wave. The defensive window has compressed from months to hours.
Two specific shifts explain why 2026 looks different from 2021.
The first is AI tooling maturity. The same large language models that help engineers debug code help attackers find vulnerabilities. The same code generation capabilities that let companies ship features quickly let threat actors weaponize techniques quickly. AI raised the floor of attacker capability more than it raised the ceiling. Top-tier nation-state actors gained marginal improvements. Mid-tier criminal groups gained massive capability gains. What took a team of 20 elite operators in 2018 might take 5 capable operators with AI assistance in 2026.
The second is ecosystem complexity. Modern software depends on more packages than ever. A typical enterprise application can have 50,000+ transitive dependencies. Each one is a potential attack surface. The trust model that worked when developers reviewed every dependency cannot scale to ecosystems where reviewing every dependency is impossible.
TeamPCP didn't invent supply chain attacks. They're operating in a well-documented tradition with techniques refined over a decade of predecessor work. What they bring is the willingness to operate at scale, openly distribute their tools, and treat the attack as a business rather than a one-time operation.
The earliest documented TeamPCP activity in my data is March 25, 2026 — the Trivy supply chain compromise. By the time the Shai-Hulud worm went public on April 24, the attackers had already been operating for a full month, establishing the infrastructure and credential graph that the worm would later exploit.
This matters because most coverage treats Shai-Hulud as the start of the campaign. It wasn't. It was the escalation phase of an operation already in progress.
Trivy is an open-source security scanner — a tool defenders use to find vulnerabilities in their containers and dependencies. It's published by Aqua Security and used widely in CI/CD pipelines, the automated build systems that turn developer code into production software.
TeamPCP compromised Trivy. The vulnerability (CVE-2026-33634) was severe enough that CISA added it to the Known Exploited Vulnerabilities catalog on April 6, 2026, with a patch deadline of April 9. The compromise allowed attackers to gain access to everything in a CI/CD environment — all tokens, SSH keys, cloud credentials, database passwords, and sensitive configuration in memory.
The Trivy compromise wasn't the first time TeamPCP targeted security tooling. SANS Internet Storm Center's report on the campaign — published as version 3.0 on March 25, 2026 — was titled "When the Security Scanner Became the Weapon." The title captured the strategic insight: TeamPCP was deliberately targeting the tools defenders use, because those tools have privileged access to everything they're meant to protect.
The downstream impact was significant. The Trivy compromise led to the theft of Cisco source code, confirmed by April 8. Mandiant assessed the campaign had reached over 1,000 SaaS environments. CERT-EU confirmed a European Commission cloud breach traced to the same actors. Google's Threat Intelligence Group formally designated TeamPCP as UNC6780 in their tracking system.
While Trivy provided access to defender infrastructure, TeamPCP simultaneously targeted LiteLLM — an AI gateway that handles API calls to large language model services like OpenAI, Anthropic, and Google. LiteLLM sits at a strategic chokepoint in modern AI infrastructure. Compromising it potentially gives attackers API keys for multiple AI providers, database credentials, and configuration for entire AI deployments.
The Hacker News documented the operation in detail on April 8, 2026: "In March 2026, the TeamPCP threat actor proved just how valuable the developer workstation is." The LiteLLM attack turned developer machines into credential vaults — every key the developer had ever used was harvested.
Between April 13 and May 28, eight CVEs were disclosed in LiteLLM — multiple critical vulnerabilities, several actively exploited within hours of disclosure. LiteLLM was even successfully attacked at Pwn2Own Berlin 2026 on May 16. Whether all of these vulnerabilities were found by TeamPCP or whether their initial attack exposed the broader weaknesses is unclear. What's clear is that AI infrastructure became a primary target.
By April 24, when Shai-Hulud emerged with the Bitwarden npm compromise, TeamPCP had already:
The worm wasn't the start. It was the next phase of escalation by an actor who already had developer-infrastructure access at scale.
The methodology lesson. When a sophisticated supply chain attack appears in public coverage, it rarely represents the start of the campaign. By the time mass exploitation is visible, the attackers have typically been operating for weeks or months in less-visible ways. Defenders who treat each visible incident as a new campaign miss the continuity that connects them.
The Shai-Hulud campaign proper unfolded across five distinct phases between April 24 and June 2, 2026. Each phase had a triggering event, a targeting pattern, and an escalation that set up the next phase. The structure was visible in real time if you knew what to look for.
Reading the phases as a single narrative, three operational characteristics emerge.
The targeting got more strategic over time. Phase 1 attacks looked opportunistic — Bitwarden, then SAP development tools. By Phase 3, the targeting was laser-focused on AI/ML infrastructure. TanStack, Mistral AI, Guardrails, UiPath, OpenAI — these weren't random selections. The operators learned what was valuable as they harvested credentials, and they pivoted toward higher-value targets.
The escalation was deliberate, not emergent. The May 15 source code release wasn't a leak. TeamPCP published it intentionally, paired it with a paid contest on BreachForums, and announced their intent to encourage clones. The transition from "our worm" to "everyone's worm" was a planned operational shift, not an accident.
The infrastructure scaled with the campaign. ThreatFox indicators show C2 (command and control) infrastructure expanding through May — domains like git-tanstack.com, sh.azurestaticprovider.net, and filev2.getsession.org appearing as the campaign progressed. The attackers built infrastructure as they needed it, not in advance.
Most coverage of Shai-Hulud focuses on credential theft. That's not wrong — credentials are the first thing stolen, and the most immediately monetizable. But credentials are also the surface layer. When attackers compromise developer infrastructure, they get inside something more valuable than the credentials themselves: they get inside the development pipeline. And what's in that pipeline is strategic intelligence about a company's entire technology operation.
The Mitnick parallel is worth drawing here. In the 1990s, Kevin Mitnick stole source code from Nokia, Motorola, Sun Microsystems, NEC, and Novell. He never sold it. He stole it to study it — the technical challenge was the motivation. TeamPCP has the same level of access Mitnick demonstrated. Their motivation is different: they sell it.
Tier 1: Credentials (immediate value, short shelf life). Stolen tokens, keys, and authentication data get used immediately. Some publish the next wave of poisoned packages, maintaining the infection. Others get sold on cybercrime forums where buyers test them quickly before they're rotated. Some get used in ransomware operations. This layer has a short shelf life — credentials get rotated within days of disclosure.
Tier 2: Source code (permanent value). Stolen source code doesn't expire. Once exfiltrated, it can be studied indefinitely for vulnerabilities, weaknesses, and implementation details. TeamPCP advertised Mistral AI's repositories for sale on May 14. By May 20, they claimed 4,000 internal GitHub repositories for sale. This isn't just the code — modern source code repositories contain architecture documents, configuration files revealing security implementations, build pipelines, years of commit history revealing engineering decisions, and sometimes secrets that weren't properly rotated.
Tier 3: Strategic intelligence (buyer-dependent value). The same stolen GitHub repository is worth different amounts to different buyers. A competitor wanting to replicate features pays moderate amounts. A vulnerability broker hunting for zero-days pays significantly more if exploitable bugs are found. A nation-state intelligence service can pay very high amounts for strategically valuable targets.
The buyer market for stolen developer intelligence isn't hypothetical. Documented buyers include state-affiliated buyers from multiple countries with significant interest in Western technology development. The market exists. The prices for strategic source code far exceed credential market prices. The infrastructure to monetize at all three tiers is what makes operations like TeamPCP economically viable.
The depth of the compromise. Six weeks of Shai-Hulud isn't just credential theft. It's infrastructure for a multi-tier monetization model. The credentials are the entry. The source code is the product. The buyers are the market. And the buyers shape the danger — credentials sold for $50 to random scammers cause one kind of damage. The same access used to exfiltrate source code that ends up in nation-state hands causes a different kind entirely.
The attackers go by many names. TeamPCP in security forums. UNC6780 in Google's tracking. To victims, just a notification that their code had been replaced.
Understanding TeamPCP matters because how threat actors actually operate shapes what defenders can do. TeamPCP isn't a faceless menace — they're a documented criminal operation with a business model, market relationships, and a protective ecosystem that determines what options defenders have.
TeamPCP operates with the discipline of a legitimate business. They have:
The open-sourcing of Shai-Hulud wasn't bragging rights. It was business strategy. The same playbook a legitimate software company uses: expand the ecosystem, become the standard, profit from being the originator. Microsoft open-sources VS Code so more developers use it and the Microsoft Cloud ecosystem benefits. TeamPCP open-sources Shai-Hulud so more attackers use it and the TeamPCP ecosystem benefits.
TeamPCP operates in the gray zone between criminal enterprise and state-aligned operations that defines much of modern Russian-speaking cybercrime. They show classic criminal characteristics: branded identity, public marketplaces, profit-driven targeting, sales of stolen data to whichever buyer pays most.
But they also operate with the kind of stability that requires safe haven. They've been continuously active since at least March 2026 without disruption. They openly partner with cybercrime forums. They don't target Russian or CIS infrastructure. This pattern strongly suggests state toleration: the Russian government likely doesn't direct their operations, but it doesn't disrupt them either, likely because their attacks on Western infrastructure serve broader state interests.
For defenders, the distinction between "criminal" and "state-protected criminal" is academic. The threat operates with state-grade protection regardless of state-grade tasking. Western law enforcement cannot reach them. Extradition is impossible. Disruption operations have limited reach.
TeamPCP isn't the first criminal group to monetize stolen data through cybercrime forums. ShinyHunters has operated similarly since 2020, targeting customer databases and selling them on the same forums TeamPCP uses now. But the comparison reveals what makes TeamPCP more dangerous.
Targets: Individual companies, one breach at a time
Method: Voice phishing, OAuth Device Flow abuse, social engineering
Tools: Generic cybercrime tooling
Operators: Western (Com ecosystem), subject to arrests
Scale: One organization per operation
Targets: Developer infrastructure that thousands depend on
Method: Self-propagating worms, supply chain compromise
Tools: Custom-built, then open-sourced for distribution
Operators: Russian-speaking, state-protected, no arrests
Scale: Thousands of downstream organizations per compromise
The same monetization model. Different operational scale entirely. ShinyHunters breaches a single company at a time. TeamPCP attacks the developer infrastructure that thousands of companies depend on. ShinyHunters operators get arrested when they operate from Western jurisdictions. TeamPCP operates from somewhere they don't.
Three findings emerged from the analysis that are worth foregrounding separately from the narrative reconstruction.
The cascade observation update. The cPanel cascade analysis I published two weeks ago documented three actor tiers converging on a single vulnerability in predictable order. The Shai-Hulud campaign shows a related but distinct cascade structure — a single sophisticated operator releasing tooling that creates rapid downstream exploitation by less-skilled actors. Two cascade patterns in different attack contexts suggest the broader phenomenon is real: cyber campaigns aren't chaotic events but predictable patterns that compress in time. Whether the pattern holds in future incidents will be visible over time.
Three audiences need to respond to Shai-Hulud differently. The recommendations are organized by who needs to act, not because the recommendations are different by audience, but because the responsibility is.
npm audit regularly. Check for unexpected dependencies. If you installed any packages in the @redhat-cloud-services, @antv, or TanStack namespaces in the last 60 days, audit immediately and assume compromise until proven otherwise.git-tanstack.com, sh.azurestaticprovider.net, and filev2.getsession.org. Block at firewall and DNS. Add SHA256 hashes from ThreatFox to endpoint detection.These aren't theoretical recommendations. They're what would have limited Shai-Hulud's spread if implemented before the campaign began.
For other analysts working through similar exercises — particularly those early in their cybersecurity journey — this section documents the methodology used here.
Note on sources: This analysis draws from publicly available threat intelligence feeds aggregated via ArgusX, my community threat intelligence platform — documented in field notes. Source feeds include ThreatFox, OTX AlienVault, MalwareBazaar, SANS Internet Storm Center, and security journalism from BleepingComputer, Dark Reading, Security Week, The Hacker News, and CyberSecurityNews. Every conclusion drawn here is based on publicly available source material.
This analysis is the third observation in a developing investigation into cascade structure across modern cyber threats. The first was the cPanel CVE-2026-41940 cascade — three actor tiers converging on a single vulnerability in three days. The second was the ShinyHunters operational lifecycle — supply chain cascades across cloud SaaS platforms. This third observation extends the pattern to npm supply chain attacks.
Three independent contexts. Same underlying structure. Worth naming as a hypothesis worth testing further.
The forward-looking observations below are based on the patterns documented above. Each one is specific enough to be wrong, which is the point. Pattern recognition that can't be falsified isn't pattern recognition — it's storytelling.
Prediction 1: Shai-Hulud variants will continue emerging at a decreasing rate. The source code release on May 15 produced rapid clone proliferation in the first two weeks. That rate should decline as security tooling adapts to the published IOCs and the easy targets get hit. By August 2026, the clone activity should be visible but no longer dominant in npm security incidents.
Prediction 2: TeamPCP will pivot to a new target ecosystem. The operational pattern across Trivy, LiteLLM, npm, Packagist, and PyPI shows the group cycling through high-value developer infrastructure systematically. The next pivot is likely. Candidate targets based on similar trust patterns: container registries (Docker Hub, GitHub Container Registry), CI/CD platforms (CircleCI, GitLab Runners), or AI model registries (Hugging Face).
Prediction 3: A successor group will emerge using TeamPCP's tooling. The PCPJack pattern of May 7-8 — a rival group emerging to evict TeamPCP from compromised systems — is likely to repeat. Other actors will use the released Shai-Hulud code, develop their own variants, and compete for the same victim pool. The criminal ecosystem rewards fast followers.
Prediction 4: The methodology will spread beyond Russian-speaking actors. Open-source attacker tooling democratizes capability. By late 2026, expect to see Shai-Hulud variants used by criminal groups outside the Russian-speaking ecosystem — possibly Latin American, Southeast Asian, or African-origin operators adapting the tools for regional targets.
I'll be watching each of these over the next 60 days.
Shai-Hulud is not where this story starts, and it's not where it ends. It's a six-week window into a longer operation by a state-protected criminal enterprise that has been building capability since at least March 2026 — and probably longer than my data can demonstrate.
What I documented was the visible escalation phase of a campaign that follows a structure I've now seen three times in different contexts. The cPanel cascade compressed vulnerability exploitation into 72 hours. The ShinyHunters operational lifecycle scaled cloud SaaS extortion across eight industries. The Shai-Hulud cascade converted controlled supply chain compromise into distributed open-source threat in 21 days. Three observations in different threat contexts. Same underlying pattern of sophisticated actor activity producing predictable escalation phases.
The pattern matters because it changes what defense looks like. Defenders aren't fighting unpredictable chaos. They're fighting predictable patterns that look unpredictable because the patterns haven't been named. Once named, they become observable. Once observable, they become defendable. Once defendable, the asymmetric advantage attackers have starts to compress.
None of this means defenders catch up to attackers. It means defenders can stop treating each incident as a novel surprise and start recognizing the recurring structures that connect them. TeamPCP's Shai-Hulud campaign is not the first supply chain attack and it will not be the last. What it is — clearly, visibly, in the data — is one phase of a longer pattern that defenders can prepare for if they know what to watch.
If you can see the chain forming, you have a window. If you wait to react, the window is gone. That observation held for cPanel in May. It held for ShinyHunters across April and May. It holds for Shai-Hulud now.
The investigation continues.
This analysis is based entirely on publicly available reporting from security journalism, government advisories, threat intelligence feeds, and community sources. All findings reflect the author's independent analysis.
Yana Ivanov is a security analyst transitioning into threat intelligence and detection engineering after 15 years in enterprise UX and product design. She holds an MS in Information Systems and is currently pursuing CompTIA Security+ certification. This analysis was produced independently as a contribution to the security community's understanding of vulnerability cascade dynamics. The methodology described here is part of ongoing research into whether vulnerability cascades follow predictable patterns.