The Worm That Came In Through the Front Door

Your developer types npm install. A routine command. Probably the thousandth time this week.
Congratulations. You now have malware.
No suspicious email. No phishing link. No social engineering. Just a normal Tuesday morning, a routine dependency update, and a worm called Shai-Hulud quietly harvesting your GitHub tokens, your SSH keys, your cloud credentials, and everything else it could find.
This is what a supply chain attack looks like in 2026.
What Is Shai-Hulud?
Shai-Hulud is a credential-stealing, self-propagating supply chain worm that targets developer ecosystems, primarily npm and PyPI. Its name may evoke the sandworms of science fiction, but its mechanics are grimly practical.
It spreads by infecting software packages and silently stealing credentials: GitHub tokens, npm publishing tokens, SSH keys, and cloud secrets. Once it has those, it does not wait around. It uses them.
How the Attack Actually Works
The attack begins upstream, before the code ever reaches you. Attackers compromise a maintainer account or a CI/CD pipeline, then publish a malicious update to an otherwise legitimate package. The malware is embedded inside npm lifecycle scripts, typically preinstall or postinstall hooks.
When a developer or an automated build system runs an install, that hook executes silently in the background. No prompts. No warnings. Just execution.
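As an added example (not code from the researchers or from any project named here), this Python audit walks an installed node_modules tree and lists every package that declares an install-time lifecycle script, so each hook can be reviewed by hand. The sample tree and its package names are constructed, and the install hook is checked alongside the two named above because npm also runs it automatically.

```python
import json
import tempfile
from pathlib import Path

# Scripts npm runs automatically while installing a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_hooks(node_modules):
    """Return sorted (name, version, hook, command) for each install-time script."""
    findings = []
    for manifest in Path(node_modules).rglob("package.json"):
        pkg = manifest.parent
        # Keep package roots only: node_modules/<name> or node_modules/@scope/<name>.
        top = pkg.parent if pkg.parent.name.startswith("@") else pkg
        if top.parent.name != "node_modules":
            continue
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            scripts = meta.get("scripts") or {}
            hooks = [(h, str(scripts[h])) for h in INSTALL_HOOKS if h in scripts]
        except (OSError, ValueError, AttributeError, TypeError):
            # A manifest that cannot be parsed is itself worth a manual look.
            findings.append((pkg.name, "?", "unparseable", ""))
            continue
        name, version = str(meta.get("name", pkg.name)), str(meta.get("version", "?"))
        findings.extend((name, version, hook, cmd) for hook, cmd in hooks)
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample tree; the package names are made up."""
    samples = [  # (path under node_modules, version, scripts)
        ("pad-text", "1.0.0", {"test": "node test.js"}),
        ("@acme/build-utils", "2.3.1", {"postinstall": "node setup.js"}),
        ("pad-text/node_modules/native-thing", "0.4.0", {"preinstall": "node-gyp rebuild"}),
    ]
    for rel, version, scripts in samples:
        pkg = Path(root) / "node_modules" / rel
        pkg.mkdir(parents=True, exist_ok=True)
        meta = {"name": rel.split("node_modules/")[-1], "version": version, "scripts": scripts}
        (pkg / "package.json").write_text(json.dumps(meta), encoding="utf-8")
    return Path(root) / "node_modules"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*find_install_hooks(build_sample_tree(tmp)), sep="\n")
```

Installing with npm's --ignore-scripts flag stops these hooks from running at all; the audit output shows which packages would then need their scripts run deliberately after review.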
From there, Shai-Hulud scans environment variables and known credential locations:
• ~/.npmrc
• ~/.ssh/
• AWS credential files
• GitHub Actions environment secrets
Anything it finds is exfiltrated to attacker-controlled infrastructure. Then the real damage begins.
The Self-Propagation Loop
This is where Shai-Hulud earns the worm label. Once it has stolen credentials, it uses GitHub and npm APIs to modify repositories, inject malicious code into packages, and publish those infected versions automatically.
Every new developer who installs an infected package potentially becomes another vector. The cycle repeats. The blast radius grows.
Modern CI pipelines make this worse. They routinely expose sensitive publishing tokens during automated builds. Shai-Hulud was built to exploit exactly this, executing during builds to steal release automation credentials and compromise additional repositories far beyond the original target.
Why This Is So Hard to Catch
The unsettling part is not the sophistication of the attack. It is the legitimacy.
Recent variants of Shai-Hulud have abused trusted release infrastructure, including GitHub Actions provenance and signed package attestations. The infected packages still passed automated verification. They looked legitimate. They were legitimate, until they were not.
Your antivirus did not flag it. Your team followed every procedure. The threat bypassed the door entirely and came through the delivery entrance, dressed as a software update with a clean signature.
OpenAI has publicly acknowledged that the TanStack supply chain attack compromised devices belonging to two of its employees. When organizations with significant security budgets are affected, the message is clear: no one is automatically exempt.
Who Is Behind It: TeamPCP
Security researchers have attributed these campaigns to a group operating under the name TeamPCP. Unlike ransomware groups chasing an immediate payday, TeamPCP appears motivated by something more durable: persistent access.
Their tooling reflects deep familiarity with GitHub Actions workflows, npm publishing mechanics, and the structural vulnerabilities in modern software supply chains. They are not smashing windows to grab cash registers. They are copying the keys and walking in quietly, night after night.
By the time most organizations detect the intrusion, the attackers have already been inside for weeks.
What You Can Do Right Now
Security researchers have outlined a concrete set of immediate actions:
1. Rotate all GitHub, npm, and cloud credentials immediately.
2. Enable MFA across your developer accounts and CI/CD services.
3. Audit CI/CD workflows for unexpected changes or unfamiliar actions.
4. Review package versions recently published from your repositories.
5. Treat any affected CI runner as fully compromised and rebuild from scratch.
Longer term, the answer is a fundamental shift in how organizations think about their supply chain. Your attack surface is no longer limited to your own code. It extends to every package you install, every action you use, and every maintainer whose account could be compromised upstream.
The Question Worth Asking
The threat is no longer at the door. It is already inside your build pipeline, wearing a name you recognize, carrying a signature you trust.
If your business runs on software, and every business does, your supply chain is your attack surface. When did you last audit what your systems are actually running?






