Published: 2026-05-22
Categories: AI Security, Supply Chain Security, Cloud-Native Security
Shai-Hulud/Megalodon: A Two-Wave AI Developer Supply Chain Attack
Key Takeaways
- In May 2026, the threat actor TeamPCP executed two coordinated attack waves against the AI developer supply chain, each exploiting a distinct layer of the software delivery pipeline within a span of three weeks.
- Wave 1 — Mini Shai-Hulud (April 29 – May 12): A self-propagating npm/PyPI worm compromised 172 packages across 404 malicious versions, targeting the ecosystems of Mistral AI, TanStack, Guardrails AI, and UiPath. It became the first publicly documented supply chain attack to produce cryptographically valid SLSA Build Level 3 provenance attestations by hijacking a legitimate build pipeline [1][2].
- Wave 2 — Megalodon (May 18): Using throwaway accounts and forged CI bot identities, the same actor pushed 5,718 malicious commits to 5,561 GitHub repositories in under six hours, backdooring CI/CD workflows to exfiltrate cloud credentials, SSH keys, OIDC tokens, and source-code secrets at scale [3][4][22].
- On May 12—six days before Megalodon—TeamPCP publicly released the Shai-Hulud worm source code as open-source software, effectively converting a targeted weapon into commodity attack infrastructure available to any threat actor [5].
- The two attacks together targeted two distinct, high-value layers of the AI developer supply chain — package registries and CI/CD infrastructure — covering the software delivery lifecycle from dependency installation through workflow execution, and installed persistence hooks that survive reboots in AI coding tools including Claude Code and Visual Studio Code [1][6].
- Organizations that rely solely on provenance attestation, signed commits, or trusted registries as supply chain controls should treat this campaign as a clear indicator that those controls require complementary runtime verification and behavioral monitoring.
Background
The npm package registry has long been recognized as a high-value attack surface. Its combination of centralized distribution, frictionless publishing, and deep integration into enterprise CI/CD pipelines makes it an efficient vector for credential theft, malware delivery, and infrastructure compromise at scale. The May 2026 campaign represented a measurable increase in technical complexity and operational scope compared to prior Shai-Hulud variants, combining self-propagation with CI/CD pipeline hijacking in a way not observed in earlier iterations.
The original Shai-Hulud worm emerged in September 2025, when researchers at Palo Alto Networks Unit 42 documented a self-replicating npm worm responsible for compromising hundreds of software packages through automated credential exfiltration [7]. CISA issued an advisory recognizing the widespread supply chain compromise [8]. Two months later, in November 2025, a second variant—Shai-Hulud 2.0—appeared [9], ultimately backdooring 796 unique npm packages with a combined weekly download count exceeding 20 million [10]. That variant introduced a refined propagation model in which the worm reads its own payload to replicate into newly discovered packages, eliminating any dependency on an external command-and-control server for spreading.
The threat actor attributed to both campaigns, tracked as TeamPCP, demonstrated a pattern of sustained targeting against developer infrastructure in the months preceding the May 2026 campaign. In April 2026, the group backdoored the Bitwarden CLI npm package, a credential management utility with millions of downloads and privileged access to developer secret stores [11]. This earlier intrusion is consistent with a deliberate strategy of selecting high-trust, security-adjacent packages likely to be installed by personnel with elevated access to cloud environments and CI/CD pipelines.
The May 2026 campaign extended the prior Shai-Hulud approach in two measurable ways: it targeted the build pipeline itself rather than individual packages, and it combined package registry compromise with CI/CD infrastructure backdooring in a coordinated sequence. Whereas earlier waves targeted specific packages through compromised maintainer credentials or typosquatting, Mini Shai-Hulud represents the first publicly documented instance of hijacking trusted build pipelines themselves to generate attestation-bearing malicious artifacts [1][2]—a technique with profound implications for the entire software supply chain trust model. CSA published earlier research notes tracking the Mini Shai-Hulud campaign’s development as it unfolded in early May 2026 [24][25].
Security Analysis
Wave 1: Mini Shai-Hulud and the SLSA Attestation Breakthrough
The first phase of the May 2026 campaign began on April 29 and reached its most consequential moment on May 11, 2026 at 19:20 UTC, when 84 malicious npm artifacts were published across 42 packages in the @tanstack namespace within a six-minute window [13]. The packages appeared to originate from TanStack’s legitimate release pipeline, using its trusted OIDC identity—because they did. TeamPCP had exploited a chain of GitHub Actions vulnerabilities to hijack TanStack’s build runner mid-workflow and execute the malicious publication from within the sanctioned CI environment.
The technical mechanism—assigned CVE-2026-45321 with a CVSS score of 9.6—combined three existing weaknesses into a novel attack path [14][15]. The pull_request_target GitHub Actions trigger, which runs with write access even when the triggering pull request originates from a fork, provided the initial foothold. GitHub Actions cache poisoning allowed the attacker to inject a modified dependency into the legitimate build environment. Finally, the worm extracted a live GitHub Actions OIDC token directly from runner process memory, using that token to obtain a valid Sigstore signing certificate and produce SLSA Build Level 3 provenance attestations for the malicious packages [2][14].
This represents a fundamental challenge to provenance-based trust models. SLSA Build Level 3 attestations are intended to guarantee that an artifact was built by a specific, verified pipeline and not tampered with afterward. In this case, those guarantees were technically satisfied—the malicious packages were built by TanStack’s pipeline—because the attacker had compromised the pipeline itself rather than the artifact after the fact. SLSA does not, and cannot, attest that the code submitted to the pipeline was safe; it attests only to the integrity of the build process. Defenders who treat attestation as a sufficient indicator of package safety should treat Mini Shai-Hulud as a proof-of-concept that the assumption is incorrect [16].
Within 48 hours of the initial TanStack compromise, the self-propagating worm expanded to 172 npm packages and 2 PyPI packages across 404 malicious versions, reaching ecosystems associated with Mistral AI, UiPath, OpenSearch, and Guardrails AI [13][17]. Concurrent activity by TeamPCP targeted the @antv namespace, compromising over 200 packages used in data visualization workflows [12][21]. The affected packages carried a combined download count exceeding 518 million — a scale encompassing a significant portion of the npm developer ecosystem and reaching developers across cloud and enterprise environments. The payload itself was a 2.3 MB obfuscated script that read GitHub Actions runner process memory to extract secrets, swept more than 100 file paths across cloud providers, AI tools, and messaging applications, and installed persistence hooks, designed to survive system reboots, in Claude Code, Visual Studio Code, and OS-level services [1][6][20].
On May 12, 2026—one day after the major TanStack compromise—TeamPCP publicly released the full Shai-Hulud worm source code to GitHub as open-source software, accompanied by installation documentation and a message from the team [5]. This act converted a targeted capability developed over months of operational refinement into freely available, customizable attack infrastructure. The implications extend beyond this specific campaign: any technically capable threat actor now possesses a validated, tested SLSA-bypass technique and self-propagating worm framework, though the degree of customization required to deploy it independently will vary by target environment and attacker capability.
Wave 2: Megalodon and CI/CD Pipeline Takeover
The second wave struck seven days after the Shai-Hulud open-source release. Between 11:36 and 17:48 UTC on May 18, 2026, the Megalodon campaign pushed 5,718 malicious commits to 5,561 GitHub repositories using accounts with randomized eight-character usernames, a pattern consistent with automated account generation at scale [3][4][22]. Attribution research by independent security organizations subsequently linked Megalodon to TeamPCP [18].
The campaign’s operational security centered on impersonation of routine automated activity. The attacker forged author identities—build-bot, auto-ci, ci-bot, pipeline-bot—paired with emails like [email protected] and commit messages such as “ci: add build optimization step” and “chore: optimize pipeline runtime” [3]. The commit messages closely resembled routine CI maintenance activity, a pattern that may reflect deliberate operational security or simply adherence to a standard template — either way, the result was content that blended with the low-signal repository activity that engineering teams commonly deprioritize during review.
Megalodon deployed two distinct GitHub Actions workflow variants sharing a common command-and-control server at 216.126.225.129:8443. The first variant, designated SysDiag by researchers, added a new workflow triggered on every push and pull request event, maximizing automated execution and credential harvest frequency. The second variant, Optimize-Build, replaced existing workflows with a workflow_dispatch trigger only, creating a dormant backdoor that the attacker could activate on demand through the GitHub API with zero visible CI activity and no failed builds as an indicator [3]. Both variants requested elevated permissions—id-token: write and actions: read—enabling OIDC token theft for cloud identity impersonation across AWS, GCP, and Azure environments.
The base64-encoded bash payload conducted multi-phase credential harvesting targeting the full breadth of cloud and developer secrets: AWS credentials across all configured profiles, live tokens from AWS IMDSv2, GCP metadata, and Azure IMDS endpoints, SSH private keys, Docker authentication configurations, .npmrc and .netrc files, Kubernetes cluster configurations, HashiCorp Vault tokens, Terraform state credentials, and the contents of bash history files [3][4]. This data collection scope maps closely to the credential categories most useful for lateral movement into cloud production environments and for publishing additional malicious packages to registries—precisely the capabilities needed to conduct further supply chain compromise at scale.
The Cascade Dynamic
While Mini Shai-Hulud and Megalodon deployed different techniques against different layers of the software delivery stack, the available attribution evidence is consistent with sequential phases of a single strategic objective: establishing persistent access to the credentials and infrastructure that power AI developer pipelines. Alternative interpretations — such as opportunistic sequencing rather than unified planning — cannot be excluded on current evidence. Wave 1 penetrated the package registry layer, harvesting developer credentials and installing persistence mechanisms that survived across development environments. Wave 2 penetrated the version control and CI/CD layer, exfiltrating the cloud credentials and OIDC tokens that CI environments accumulate by design.
The open-sourcing of the Shai-Hulud worm on May 12 served as an inflection point. Security researchers at The Register documented copycat variants targeting additional npm packages within days of the release [19]. The credential corpus harvested across both waves—cloud provider keys, GitHub tokens, OIDC credentials, SSH private keys—represents not only an immediate exfiltration target but a persistent inventory enabling future intrusion campaigns against any organization whose developers installed the compromised packages.
Recommendations
Immediate Actions
For any organization whose developers use the affected package ecosystems—npm or PyPI, particularly packages in the @tanstack, Mistral AI, Guardrails AI, or UiPath namespaces—credential rotation should be treated as an emergency response action rather than a precautionary measure. All secrets accessible from development environments should be assumed compromised: AWS access keys and session tokens, GitHub personal access tokens and fine-grained tokens, cloud provider service account credentials, SSH private keys present on developer workstations, Docker registry authentication, and Kubernetes cluster credentials.
Organizations should audit GitHub repositories for unauthorized workflow modifications between April 29 and the present. Both the SysDiag and Optimize-Build Megalodon variants leave detectable artifacts: unexpected commits from accounts with randomized usernames, workflow files requesting id-token: write without a documented need, and workflow_dispatch-only workflows added without corresponding pull request discussion. The C2 server address 216.126.225.129:8443 should be added to network egress blocklists and reviewed in historical traffic logs.
Short-Term Mitigations
The SLSA attestation bypass technique used by Mini Shai-Hulud requires organizations to extend their supply chain verification beyond provenance attestation. Provenance alone—even at Build Level 3—cannot detect a malicious payload delivered through a compromised legitimate pipeline. Effective defense requires combining attestation verification with behavioral analysis of the dependencies themselves: static analysis for known malicious patterns, runtime sandboxing of postinstall scripts, and dependency pinning to verified digest hashes rather than mutable version tags.
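Added example illustrating the digest-pinning recommendation above (not code from the advisory or from any cited vendor): verifying an npm tarball against the Subresource Integrity digest recorded in package-lock.json, and flagging lock entries that carry no digest or resolve outside the expected registry. The lockfile fragment, the tarball bytes, and the package names @tanstack/example and some-dep are constructed placeholders.

```python
import base64
import hashlib

def parse_sri(integrity):
    """Split an SRI string such as 'sha512-<base64>' into (algorithm, raw digest bytes)."""
    algo, _, b64 = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    return algo, base64.b64decode(b64)

def tarball_matches(tarball_bytes, integrity):
    """True when the downloaded tarball hashes to the digest pinned in the lockfile."""
    algo, expected = parse_sri(integrity)
    return hashlib.new(algo, tarball_bytes).digest() == expected

def audit_lockfile(lock, expected_registry="https://registry.npmjs.org/"):
    """Findings for a package-lock.json (lockfileVersion 2 or 3) loaded as a dict."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if not path or entry.get("link") or not entry.get("resolved"):
            continue                # root project entry, workspace link, or nothing fetched
        name = path.rsplit("node_modules/", 1)[-1]
        if not entry.get("integrity"):
            findings.append(f"{name}: no integrity digest, so only the mutable version tag pins it")
        if not entry["resolved"].startswith(expected_registry):
            findings.append(f"{name}: resolved from {entry['resolved']}")
    return findings

# Constructed sample: the tarball bytes are made up and the digest is computed from them,
# so the pinned entry verifies; @tanstack/example and some-dep are placeholder names.
FAKE_TARBALL = b"constructed tarball bytes, not a real npm package"
GOOD_SRI = "sha512-" + base64.b64encode(hashlib.sha512(FAKE_TARBALL).digest()).decode()
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/@tanstack/example": {
            "version": "1.2.3",
            "resolved": "https://registry.npmjs.org/@tanstack/example/-/example-1.2.3.tgz",
            "integrity": GOOD_SRI,
        },
        "node_modules/some-dep": {
            "version": "4.5.6",
            "resolved": "https://mirror.example.internal/some-dep-4.5.6.tgz",
        },
    },
}

if __name__ == "__main__":
    print("tarball verifies:", tarball_matches(FAKE_TARBALL, GOOD_SRI))
    print(*audit_lockfile(SAMPLE_LOCK), sep="\n")
```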
GitHub Actions security hardening should be treated as a priority response measure. The pull_request_target trigger should be restricted or eliminated from workflows that run with write permissions or access to production secrets. Workflow execution should be pinned to specific commit SHAs rather than mutable branch references or tags. OIDC token scopes should follow least-privilege principles, and repositories should be audited for workflows that request id-token: write without a documented justification tied to a specific deployment use case. OpenID Connect token lifetimes and scope restrictions should be reviewed with cloud providers.
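The workflow audit recommended in the Immediate Actions and the hardening checks listed above, as one added example (not code from the advisory or from the cited researchers): a Python scanner that reads GitHub Actions workflow text and flags the indicators the advisory names (a workflow_dispatch-only trigger, id-token: write, pull_request_target with a write-capable token, actions not pinned to a commit SHA, a base64-decoded shell payload, and the reported C2 address), plus a check for the forged CI bot author pattern. The sample workflow, login and base64 string are constructed, and the scanner is line-based rather than a full YAML parser.

```python
import re

# Indicator strings quoted from the advisory; the checks are line heuristics, not a YAML parser.
BOT_AUTHOR_NAMES = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
KNOWN_C2 = "216.126.225.129"
USES_REF = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)", re.M)

def triggers(text):
    """Event names under `on:` in any of its YAML shapes (scalar, list or mapping)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if not m:
            continue
        if m.group(1).strip():                     # on: push  /  on: [push, pull_request]
            return {t.strip() for t in m.group(1).strip("[] ").split(",") if t.strip()}
        keys = {}                                  # mapping form: least-indented keys
        for nxt in lines[i + 1:]:
            if nxt.strip() and not nxt[0].isspace():
                break                              # next top-level key ends the block
            k = re.match(r"^(\s+)([\w-]+):", nxt)
            if k:
                keys.setdefault(len(k.group(1)), set()).add(k.group(2))
        return keys[min(keys)] if keys else set()
    return set()

def audit_workflow(text):
    """Findings for one workflow file, covering the Megalodon and hardening indicators."""
    findings, on = [], triggers(text)
    if on == {"workflow_dispatch"}:
        findings.append("workflow_dispatch is the only trigger (dormant Optimize-Build shape)")
    if re.search(r"^\s*id-token:\s*write\b", text, re.M):
        findings.append("requests id-token: write; confirm a documented deployment need")
    writes = re.search(r"^\s*(?:contents|actions|packages|id-token):\s*write\b|write-all", text, re.M)
    if "pull_request_target" in on and (writes or "permissions:" not in text):
        findings.append("pull_request_target with a write-capable token")
    for action, ref in USES_REF.findall(text):
        if not re.fullmatch(r"[0-9a-f]{40}", ref):
            findings.append(f"unpinned action {action}@{ref}; pin to a full commit SHA")
    if re.search(r"base64\s+(?:-d|--decode)\b[^\n]*\|\s*(?:ba)?sh\b", text):
        findings.append("run step decodes base64 and pipes it into a shell")
    if KNOWN_C2 in text:
        findings.append(f"references reported Megalodon C2 address {KNOWN_C2}")
    return findings

def suspicious_author(login, name):
    """Why a commit author matches the Megalodon pattern (empty list if it does not)."""
    reasons = []
    if re.fullmatch(r"[a-z0-9]{8}", login):
        reasons.append("eight-character randomized login")
    if name in BOT_AUTHOR_NAMES:
        reasons.append(f"forged CI bot author name {name!r}")
    return reasons

# Constructed sample shaped like the dormant Optimize-Build variant; the base64 is an inert placeholder.
SAMPLE_DORMANT = """\
name: Optimize Build
on:
  workflow_dispatch:
permissions:
  id-token: write
jobs:
  optimize:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "UExBQ0VIT0xERVI=" | base64 -d | bash
"""

print(*audit_workflow(SAMPLE_DORMANT), suspicious_author("x7k2p9qa", "build-bot"), sep="\n")
```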
Developer workstations should be evaluated for persistent malware. The Shai-Hulud payload specifically installs persistence hooks in Claude Code and Visual Studio Code that survive reboots; any developer workstation where an affected package was installed should undergo forensic review of plugin directories, extension manifests, and startup scripts in both tools.
Strategic Considerations
The public release of the Shai-Hulud worm source code under a permissive license represents a structural change in the threat landscape rather than a transient campaign event — a conclusion supported by the appearance of copycat variants within days of the release [19][23] and the technical accessibility of the SLSA bypass technique to any actor capable of exploiting GitHub Actions workflows. The technique for extracting OIDC tokens from GitHub Actions runner process memory, bypassing SLSA Build Level 3 attestation by hijacking the attested pipeline itself, and propagating a credential-stealing worm across package registries without a command-and-control server is now documented, tested, and freely available. Security teams should plan for this technique to appear in campaigns from actors with no connection to TeamPCP in the coming months and years.
Organizations that manage open-source package releases should implement step-up verification controls for any publication that requests signing credentials from a CI/CD runner. Isolating the signing and attestation step from the build environment, using hardware security modules for signing key storage, and requiring out-of-band approval for version publications would significantly raise the cost of replicating the Mini Shai-Hulud technique against other package maintainers. The broader ecosystem migration toward SLSA Build Level 4 controls—which mandate hermetic, reproducible builds in isolated environments [26]—represents a meaningful mitigation, though current adoption rates across major package ecosystems suggest this is a multi-year effort rather than a near-term solution.
At the strategic level, the Shai-Hulud/Megalodon cascade illustrates that AI developer pipelines now constitute critical infrastructure requiring the same security posture applied to production environments. AI frameworks, model integration libraries, and developer tooling occupy a uniquely privileged position: they run during development with access to source code, secrets, and cloud credentials, and their outputs are deployed directly into AI-enabled production systems. Attackers who compromise this layer gain both immediate credential access and a persistent foothold in the development environments that produce the next generation of deployed artifacts.
CSA Resource Alignment
The Shai-Hulud/Megalodon campaign maps directly to multiple threat scenarios described in CSA’s MAESTRO framework for agentic AI threat modeling. The persistence mechanisms installed by the Mini Shai-Hulud payload in Claude Code and similar AI coding assistants represent a concrete realization of MAESTRO’s supply chain compromise threats against AI agent tooling, where backdoored components in the development environment can propagate trust violations into deployed agentic systems. Organizations implementing MAESTRO-aligned threat models should add developer toolchain integrity to their agentic AI attack surface inventory.
CSA’s AI Controls Matrix (AICM) provides directly applicable control guidance. Controls addressing dependency management, artifact integrity verification, and pipeline security hygiene are relevant to both attack waves. The AICM’s emphasis on extending security controls from model inference to the full AI development lifecycle—including training data pipelines, dependency management, and CI/CD infrastructure—aligns precisely with what this campaign demonstrates: that the AI development toolchain is as consequential an attack surface as the deployed model itself.
For organizations using CSA’s STAR program to assess third-party AI service providers, the Megalodon campaign’s targeting of cloud credential paths (AWS, GCP, Azure IMDS) underscores the need to include CI/CD pipeline security in STAR assessments of AI development vendors and integration partners. A provider whose development environment has been compromised by credential-harvesting CI backdoors presents downstream supply chain risk regardless of their production infrastructure controls.
CSA’s Zero Trust guidance applies to the CI/CD layer as directly as to network perimeters. The Megalodon workflow variants requesting OIDC tokens for cloud identity impersonation exploit the implicit trust most organizations grant to their CI runners. Zero Trust principles—verify explicitly, use least privilege, assume breach—should be applied to every CI/CD identity and permission scope, with workflow execution environments treated as untrusted until behavioral verification is complete.
References
[1] VentureBeat. “Shai-Hulud Worm: 172 npm and PyPI Packages with Valid Provenance Require Immediate CI/CD Audit.” VentureBeat, May 2026.
[2] StepSecurity. “Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages.” StepSecurity Blog, May 2026.
[3] OX Security. “Megalodon: New CI/CD Malware Spreads Across GitHub, Infecting ~5,000+ Repositories.” OX Security Blog, May 2026.
[4] SafeDep. “Megalodon: Mass GitHub Repo Backdooring via CI Workflows.” SafeDep, May 2026.
[5] OX Security. “Shai-Hulud Goes Open Source: Malware Creators Leak Their Own Code to GitHub.” OX Security Blog, May 2026.
[6] Akamai Security Research. “Mini Shai-Hulud: The Worm Returns and Goes Public.” Akamai, May 2026.
[7] Unit 42, Palo Alto Networks. “‘Shai-Hulud’ Worm Compromises npm Ecosystem in Supply Chain Attack.” Unit 42 Blog, 2025.
[8] CISA. “Widespread Supply Chain Compromise Impacting npm Ecosystem.” CISA Alert, September 2025.
[9] Microsoft Security Blog. “Shai-Hulud 2.0: Guidance for Detecting, Investigating, and Defending Against the Supply Chain Attack.” Microsoft Security Blog, December 2025.
[10] Datadog Security Labs. “The Shai-Hulud 2.0 npm Worm: Analysis, and What You Need to Know.” Datadog, December 2025.
[11] OX Security. “Bitwarden CLI Compromised: Inside the Shai-Hulud Supply Chain Attack.” OX Security Blog, April 2026.
[12] Wiz. “The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave.” Wiz Blog, May 2026.
[13] The Hacker News. “Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI and More Packages.” The Hacker News, May 2026.
[14] Tenable. “Mini Shai-Hulud Supply Chain Attack CVE-2026-45321 FAQ.” Tenable Blog, May 2026.
[15] Lilting Security. “Mini Shai-Hulud Hits TanStack and Mistral npm: CVE-2026-45321 (CVSS 9.6), TeamPCP Campaign Chain.” Lilting.ch, May 2026.
[16] Snyk. “TanStack npm Packages Hit by Mini Shai-Hulud.” Snyk Blog, May 2026.
[17] Expel. “Mini Shai-Hulud: Cross-Ecosystem Supply Chain Worm Targeting npm and PyPI.” Expel, May 2026.
[18] Cybernews. “GitHub Repos Hijacked in Massive Megalodon Attack.” Cybernews, May 2026.
[19] The Register. “Shai-Hulud Copycat Worm Infects Yet Another npm Package.” The Register, May 2026.
[20] BleepingComputer. “Shai-Hulud Attack Ships Signed Malicious TanStack, Mistral npm Packages.” BleepingComputer, May 2026.
[21] Microsoft Security Blog. “Mini Shai-Hulud: Compromised @antv npm Packages Enable CI/CD Credential Theft.” Microsoft Security Blog, May 2026.
[22] Cybersecurity News. “Megalodon Malware Compromised 5,500+ GitHub Repos Within 6 Hours.” Cybersecurity News, May 2026.
[23] Dark Reading. “Supply Chain Worms in 2026: What Shai-Hulud Taught Attackers and How to Prepare.” Dark Reading, 2026.
[24] Cloud Security Alliance. “Mini Shai-Hulud: npm Worm Targets AI Developer Supply Chain.” CSA Lab Space, May 17, 2026.
[25] Cloud Security Alliance. “Mini Shai-Hulud: Cross-Ecosystem Supply Chain Attack Targets AI Developers.” CSA Lab Space, May 3, 2026.
[26] SLSA Project. “SLSA Build Level Requirements.” SLSA Framework Specification, v1.0, 2023.