Between May and June 2026, threat actor TeamPCP executed a multi-stage supply chain attack transitioning from the Shai Hulud cluster to the Miasma Worm. Shai Hulud utilized dependency confusion and SLSA provenance spoofing to compromise CI/CD pipelines and exfiltrate AWS Redshift data. The subsequent Miasma Worm evolved into an "environment-triggered" threat, hijacking AI agent configuration files (e.g., .claude/settings.json, .cursor/rules/setup.mdc) to achieve zero-click execution upon workspace opening. This campaign compromised 176 npm packages and 37 PyPI wheels, culminating in a June 5 breach of Microsoft that disabled 73 GitHub repositories and disrupted Azure Functions deployment actions globally.
-
Campaign Evolution: Shai Hulud to Miasma
- Shai Hulud initially utilized traditional package poisoning and dependency confusion to pivot into cloud identity roles and production environments.
- Miasma shifted the attack surface to AI-integrated IDEs (Claude Code, Cursor, Gemini CLI) by targeting configuration files rather than dependency installations.
- The transition represents a paradigm shift from "installation-triggered" to "environment-triggered" payloads, leveraging developer trust in AI agents.
-
Technical Vectors: Provenance Spoofing and Config Injection
- Employed SLSA provenance spoofing to inject malicious artifacts with valid attestations, bypassing standard CI/CD supply chain verifications.
- Implemented "zero-click" execution by planting malicious instructions in
.vscode/tasks.jsonand.cursor/rules/setup.mdc. - Leveraged the Model Context Protocol (MCP) and AI settings to ensure malware persistence across token rotations and workspace wipes.
-
Ecosystem Impact: npm, PyPI, and Azure
- Compromised 176 npm packages, including 32 within the
@redhat-cloud-servicesnamespace and high-traffic packages like@tanstack. - Demonstrated cross-ecosystem propagation via 37 malicious PyPI wheels and compromised Go Modules (verana-labs).
- Triggered a rapid-fire incident on June 5 that disabled 73 GitHub repositories across four Microsoft organizations in 105 seconds, breaking Azure Functions deployment actions.
- Compromised 176 npm packages, including 32 within the
-
Payload Analysis: TeamPCP Tooling
- Deployed self-replicating tools including "Mini Shai-Hulud" and "IronWorm" for automated credential harvesting.
- Targeted the exfiltration of Cloud IAM keys, GitHub OAuth tokens, npm authentication tokens, and AI provider API keys.
- Successfully exfiltrated high-value data, including password manager contents and sensitive Amazon Redshift data stores.
-
Defensive Remediation and Mitigation
- npm deployed preventive account protection measures to mitigate the automated spread of malicious versions.
- Organizations must implement integrity monitoring for AI configuration files and
.vscodedirectory task definitions. - Security teams should audit CI/CD pipelines for unauthorized privilege escalation from build environments to cloud production roles.
Related posts
- bulwarkblack.com — Shai Hulud Shows CI/CD Identity Is Production Cloud Identity
- gurucul.com — The Rise of Shai-Hulud: Evolution of a Supply Chain Threat from Package Compromise to Multi-Ecosystem Propagation
- vibegraveyard.ai — Miasma worm made AI coding agents auto-run its payload on repo open
- NSFOCUS — AI Security Incident Case: Miasma Worm Attacked Microsoft GitHub
- Fortinet
- Microsoft
- Labs
- Vectra
- Trendmicro
- Upwind
- Es-la