TeamPCP Open-Sources Shai-Hulud Worm, Threatening Developer Ecosystems

Severity: High (Score: 69.8)

Sources: News.Risky.Biz, Theregister, slowmist.medium.com

Summary

The TeamPCP hacking group has released the source code of the Shai-Hulud worm, which has already compromised numerous open-source libraries across npm and PyPI. The release occurred on May 13, 2026, days after the worm was used in a significant supply chain attack against the TanStack React framework that impacted nearly 400 packages, including packages used by companies such as Mistral and UiPath. Security firm Ox confirmed the authenticity of the worm's code, which enables attackers to abuse credentials for major cloud services. The worm has been linked to multiple supply chain attacks since its first appearance in November 2025.

The open-sourcing of the worm is expected to lead to a surge in attacks as independent threat actors modify and deploy it. TeamPCP's decision to publish the code under the MIT License further facilitates its distribution and adaptation by other malicious actors. Current reports indicate that the worm's repositories on GitHub have already been forked and modified by a significant number of users.

Key Points:

  • TeamPCP released the Shai-Hulud worm's source code, increasing the risk of widespread attacks.
  • The worm has already compromised nearly 400 packages, affecting major companies such as Mistral and UiPath.
  • Independent threat actors are rapidly modifying the worm, expanding its potential impact.
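The summary above implies a check that defenders of an npm-consuming code base will want to run but does not spell it out: enumerate every installed package, compare it against an indicator list of known-compromised name/version pairs, and flag any package that registers an install-time lifecycle script (a common execution vector for self-propagating packages). The following is an added example, not code from TeamPCP, the cited sources, or any affected project. The package names and versions in the indicator list and in the sample `node_modules` tree are constructed for the demonstration and are not real compromised packages; a real deployment would load the indicator list from a vendor feed.

```python
import json
import tempfile
from pathlib import Path

# Constructed indicator list (hypothetical names/versions, NOT real
# Shai-Hulud indicators). Replace with a vetted feed in practice.
COMPROMISED = {
    ("left-pad-clone", "1.4.2"),
    ("tanstack-helper-example", "0.9.1"),
}

# npm runs these scripts automatically during `npm install`; a worm can use
# them to execute on the developer machine or CI runner.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def scan_node_modules(root):
    """Walk a directory tree, inspect every package.json under node_modules,
    and return a list of findings (dicts) for suspicious packages."""
    root = Path(root)
    findings = []
    for pkg_json in root.rglob("package.json"):
        # Only inspect manifests that live under a node_modules directory.
        if "node_modules" not in pkg_json.relative_to(root).parts:
            continue
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, OSError):
            continue  # unreadable manifest: skip rather than crash the scan
        name = data.get("name")
        version = data.get("version")
        scripts = data.get("scripts") or {}
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
        reasons = []
        if (name, version) in COMPROMISED:
            reasons.append("matches indicator list")
        if hooks:
            reasons.append(
                "defines install-time script(s): " + ", ".join(sorted(hooks))
            )
        if reasons:
            findings.append(
                {
                    "name": name,
                    "version": version,
                    "path": str(pkg_json),
                    "reasons": reasons,
                    "hooks": hooks,
                }
            )
    return findings


def build_sample_tree():
    """Create a constructed node_modules tree in a temp dir for the demo."""
    root = Path(tempfile.mkdtemp())
    packages = [
        ("clean-lib", "2.0.0", {}),                                   # benign
        ("left-pad-clone", "1.4.2", {}),                              # on the list
        ("hooky", "3.1.0", {"postinstall": "node setup_bundle.js"}),  # hook
    ]
    for name, version, scripts in packages:
        pkg_dir = root / "node_modules" / name
        pkg_dir.mkdir(parents=True)
        manifest = {"name": name, "version": version, "scripts": scripts}
        (pkg_dir / "package.json").write_text(json.dumps(manifest))
    return root


if __name__ == "__main__":
    for finding in scan_node_modules(build_sample_tree()):
        print(f"{finding['name']}@{finding['version']}: "
              + "; ".join(finding["reasons"]))
```

A lifecycle-script hit is a review prompt, not proof of compromise: many legitimate native-module packages define `install` or `postinstall`. Pair this scan with `npm install --ignore-scripts` in CI so that install-time code cannot run before the tree has been reviewed.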

Key Entities

  • Earth Estries (apt_group)
  • FamousSparrow (apt_group)
  • Gammaredon (apt_group)
  • Kimsuky (apt_group)
  • Paper Werewolf (apt_group)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Supply Chain Attack (attack_type)
  • Worm (attack_type)
  • OpenAI (company)
  • TanStack (company)
  • UiPath (company)
  • AWS (company)
  • Azure (company)
  • Azerbaijan (country)
  • France (country)
  • Germany (country)
  • Russia (country)
  • South Korea (country)
  • CVE-2025-54518 (cve)
  • CVE-2025-8088 (cve)
  • CVE-2026-42945 (cve)
  • CVE-2026-44338 (cve)
  • breached.st (domain)
  • nats.io (domain)
  • Mirai (malware)
  • PaperGrabber (malware)
  • PebbleDash (malware)
  • Shai-hulud (malware)
  • T1195 - Supply Chain Compromise (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • T1567 - Exfiltration Over Web Service (mitre_attack)
  • FreeBSD (platform)
  • GitHub (platform)
  • PyPI (platform)
  • Npm (tool)
  • WinRar (tool)
  • Babuk (ransomware_group)
  • Conti (ransomware_group)
  • Lockbit (ransomware_group)
  • WinRAR Zero-day (vulnerability)