← Back to Daily Briefing

Between May and June 2026, threat actor TeamPCP executed a multi-stage supply chain attack transitioning from the Shai Hulud cluster to the Miasma Worm. Shai Hulud utilized dependency confusion and SLSA provenance spoofing to compromise CI/CD pipelines and exfiltrate AWS Redshift data. The subsequent Miasma Worm evolved into an "environment-triggered" threat, hijacking AI agent configuration files (e.g., .claude/settings.json, .cursor/rules/setup.mdc) to achieve zero-click execution upon workspace opening. This campaign compromised 176 npm packages and 37 PyPI wheels, culminating in a June 5 breach of Microsoft that disabled 73 GitHub repositories and disrupted Azure Functions deployment actions globally.

  • Campaign Evolution: Shai Hulud to Miasma

    • Shai Hulud initially utilized traditional package poisoning and dependency confusion to pivot into cloud identity roles and production environments.
    • Miasma shifted the attack surface to AI-integrated IDEs (Claude Code, Cursor, Gemini CLI) by targeting configuration files rather than dependency installations.
    • The transition represents a paradigm shift from "installation-triggered" to "environment-triggered" payloads, leveraging developer trust in AI agents.
  • Technical Vectors: Provenance Spoofing and Config Injection

    • Employed SLSA provenance spoofing to inject malicious artifacts with valid attestations, bypassing standard CI/CD supply chain verifications.
    • Implemented "zero-click" execution by planting malicious instructions in .vscode/tasks.json and .cursor/rules/setup.mdc.
    • Leveraged the Model Context Protocol (MCP) and AI settings to ensure malware persistence across token rotations and workspace wipes.
  • Ecosystem Impact: npm, PyPI, and Azure

    • Compromised 176 npm packages, including 32 within the @redhat-cloud-services namespace and high-traffic packages like @tanstack.
    • Demonstrated cross-ecosystem propagation via 37 malicious PyPI wheels and compromised Go Modules (verana-labs).
    • Triggered a rapid-fire incident on June 5 that disabled 73 GitHub repositories across four Microsoft organizations in 105 seconds, breaking Azure Functions deployment actions.
  • Payload Analysis: TeamPCP Tooling

    • Deployed self-replicating tools including "Mini Shai-Hulud" and "IronWorm" for automated credential harvesting.
    • Targeted the exfiltration of Cloud IAM keys, GitHub OAuth tokens, npm authentication tokens, and AI provider API keys.
    • Successfully exfiltrated high-value data, including password manager contents and sensitive Amazon Redshift data stores.
  • Defensive Remediation and Mitigation

    • npm deployed preventive account protection measures to mitigate the automated spread of malicious versions.
    • Organizations must implement integrity monitoring for AI configuration files and .vscode directory task definitions.
    • Security teams should audit CI/CD pipelines for unauthorized privilege escalation from build environments to cloud production roles.

Related posts

  1. bulwarkblack.com — Shai Hulud Shows CI/CD Identity Is Production Cloud Identity
  2. gurucul.com — The Rise of Shai-Hulud: Evolution of a Supply Chain Threat from Package Compromise to Multi-Ecosystem Propagation
  3. vibegraveyard.ai — Miasma worm made AI coding agents auto-run its payload on repo open
  4. NSFOCUS — AI Security Incident Case: Miasma Worm Attacked Microsoft GitHub
  5. Fortinet
  6. Microsoft
  7. Labs
  8. Vectra
  9. Trendmicro
  10. Upwind
  11. Es-la

LINK COPIED TO CLIPBOARD