Back

TeamPCP Open-Sources Shai-Hulud Worm, Challenges Hackers to Attack

Severity: High (Score: 70.2)

Sources: Scworld, News.Risky.Biz, slowmist.medium.com, Theregister

Summary

The TeamPCP hacking group has released the source code for the Shai-Hulud worm, which has been used in supply chain attacks affecting npm and PyPI ecosystems. The code was posted on the Breached[.]st forum and GitHub, with a challenge for hackers to execute the largest supply chain attack. This worm has already compromised packages from TanStack, Mistral AI, and OpenSearch, impacting hundreds of libraries. The original Shai-Hulud worm was first identified in late 2025, and the new variant has been confirmed to include similar malicious capabilities. Security researchers have noted that the code's release could lead to a surge in attacks, reminiscent of past malware releases like Mirai. As of now, no attacks leveraging the open-sourced variant have been reported, but the potential for exploitation remains high. The situation is evolving, with multiple forks of the code already appearing on GitHub. Key Points: • TeamPCP released the Shai-Hulud worm's source code, prompting potential widespread exploitation. • The worm has already impacted major libraries, including those from TanStack and Mistral AI. • Security researchers warn of a possible surge in supply chain attacks following the code release.

Key Entities

  • Earth Estries (apt_group)
  • FamousSparrow (apt_group)
  • Gammaredon (apt_group)
  • Kimsuky (apt_group)
  • Paper Werewolf (apt_group)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Ransomware (attack_type)
  • Supply Chain Attack (attack_type)
  • Worm (attack_type)
  • CrowdStrike (company)
  • Mistal AI (company)
  • OpenAI (company)
  • TanStack (company)
  • UiPath (company)
  • OpenSearch (tool)
  • Npm (tool)
  • TruffleHog (tool)
  • WinRar (tool)
  • Azerbaijan (country)
  • France (country)
  • Germany (country)
  • Russia (country)
  • South Korea (country)
  • CVE-2025-54518 (cve)
  • CVE-2025-8088 (cve)
  • CVE-2026-42945 (cve)
  • CVE-2026-44338 (cve)
  • breached.st (domain)
  • nats.io (domain)
  • Mirai (malware)
  • PaperGrabber (malware)
  • PebbleDash (malware)
  • Shai-hulud (malware)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1078 - Valid Accounts (mitre_attack)
  • T1195 - Supply Chain Compromise (mitre_attack)
  • T1552.001 - Credentials In Files (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • FreeBSD (platform)
  • GitHub (platform)
  • PyPI (platform)
  • Babuk (ransomware_group)
  • Conti (ransomware_group)
  • Lockbit (ransomware_group)
  • Vect (ransomware_group)
  • WinRAR Zero-day (vulnerability)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed