How TeamPCP’s ‘Mini Shai Hulud’ Worm Is Poisoning AI Workflows and What You Must Do Now + Video


Introduction:

The TeamPCP supply chain campaign represents a paradigm shift in cyberattacks, moving from opportunistic typosquatting to deliberate, credential-driven ecosystem poisoning. Originating from a single compromised CI/CD token in Aqua’s Trivy scanner in mid-March 2026, this operation has unleashed cascading malware across npm, PyPI, Docker Hub, and even VS Code extensions, with notable waves like CanisterSprawl (npm worm) and Mini Shai Hulud (cross-ecosystem blitz) actively stealing API keys, cloud tokens, and IDE configurations from developers and AI pipelines.

Learning Objectives:

  • Identify the key technical indicators (IOCs) and attack chains of the TeamPCP, CanisterSprawl, and Mini Shai Hulud campaigns.
  • Execute practical detection and system hardening commands for Linux, Windows, and CI/CD environments exposed to the malware.
  • Apply forensic analysis techniques, including Python dependency auditing, Docker image inspection, and Kubernetes DaemonSet anomaly detection.

You Should Know:

1. Dissecting the CanisterSprawl Worm: Self‑Propagating npm Poisoning

The CanisterSprawl worm, active since April 21, 2026, spreads by leveraging stolen npm tokens to inject malicious `postinstall` hooks into legitimate packages like @automagik/genie, pgserve, and `@fairwords` packages. When a developer installs a poisoned package, the worm harvests SSH keys, .npmrc, cloud credentials, environment variables, and even browser-stored wallet data, then exfiltrates the loot to an ICP blockchain canister (cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io) that is resilient to conventional takedowns. The worm also contains cross-ecosystem logic that generates malicious Python packages via `.pth` injection if PyPI tokens are found inside the environment.

Step‑by‑step guide to detect and block the worm:

1. Audit your `package-lock.json` for known malicious versions

    # Check for any of the compromised packages and versions
    grep -E '@automagik/genie|@fairwords/loopback-connector-es|@fairwords/websocket|@openwebconcept/|pgserve' package-lock.json

What this does: It scans your lockfile for the exact package names used by CanisterSprawl.

2. Search for C2 indicators inside `node_modules`

    # Look for the ICP canister fallback domain or the webhook exfil domain
    grep -rE "cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io|telemetry.api-monitor.com" node_modules/

What this does: It recursively searches for hardcoded command-and-control (C2) addresses used by the worm.

3. Scan for suspicious base64 payloads or `postinstall` scripts

    # Find any install scripts that run external code
    find node_modules -name "package.json" -exec grep -H -E '"postinstall":\s*"' {} \;

What this does: Detects npm packages that have a `postinstall` hook, which the worm abuses to execute its payload immediately upon installation.

4. Revoke and rotate all npm tokens that might have been exposed

– Log into npm and delete any legacy automation tokens.
– Generate fresh tokens with minimal necessary scope.
– Audit GitHub Actions secrets for any npm tokens stored as environment variables.
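As an added example (not code from the article or from the scanner project it links), here are steps 1 and 3 as one Python audit: it flags the CanisterSprawl package names listed above in a v2/v3 `package-lock.json`, and reports any `preinstall`/`install`/`postinstall` hook under `node_modules` whose command matches a dropper heuristic or one of the quoted C2 indicators. The heuristic regex and the sample project tree built in `demo()` are constructed assumptions, not signatures from the campaign.

```python
import json
import re
import tempfile
from pathlib import Path

# Package names and C2 indicators quoted in the article for the CanisterSprawl wave.
KNOWN_BAD = {"@automagik/genie", "pgserve",
             "@fairwords/loopback-connector-es", "@fairwords/websocket"}
KNOWN_BAD_SCOPES = ("@openwebconcept/",)
C2_INDICATORS = ("cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io", "telemetry.api-monitor.com")
# Heuristic (an assumption, not a signature): things a legitimate install hook rarely does.
DROPPER_HINTS = re.compile(r"curl|wget|node -e|eval\(|base64|powershell|\bbun\b", re.I)

def flag_lockfile(lock_path: Path) -> list[str]:
    """Return name@version for every lockfile entry matching the known-bad names or scopes."""
    data = json.loads(lock_path.read_text())
    hits = []
    for key, meta in data.get("packages", {}).items():   # lockfile v2/v3 layout
        name = meta.get("name") or key.rsplit("node_modules/", 1)[-1]
        if name in KNOWN_BAD or name.startswith(KNOWN_BAD_SCOPES):
            hits.append(f"{name}@{meta.get('version', '?')}")
    return sorted(hits)

def flag_install_hooks(node_modules: Path) -> list[tuple[str, str, str]]:
    """Return (package, hook, command) for lifecycle hooks matching the heuristic or a C2 string."""
    findings = []
    for pkg_json in sorted(node_modules.rglob("package.json")):
        try:
            pkg = json.loads(pkg_json.read_text())
        except (json.JSONDecodeError, OSError):
            continue   # not every package.json under node_modules is well formed
        for hook in ("preinstall", "install", "postinstall"):
            cmd = pkg.get("scripts", {}).get(hook, "")
            if cmd and (DROPPER_HINTS.search(cmd) or any(c2 in cmd for c2 in C2_INDICATORS)):
                findings.append((pkg.get("name", pkg_json.parent.name), hook, cmd))
    return findings

def demo() -> tuple[list[str], list[tuple[str, str, str]]]:
    """Run both checks over a constructed project tree (sample data, not a real capture)."""
    root = Path(tempfile.mkdtemp())
    lock = {"lockfileVersion": 3, "packages": {"node_modules/lodash": {"version": "4.17.21"},
                                               "node_modules/pgserve": {"version": "9.9.9"}}}
    (root / "package-lock.json").write_text(json.dumps(lock))
    for name, scripts in (("lodash", {"test": "jest"}),
                          ("pgserve", {"postinstall": "node -e \"fetch('https://telemetry.api-monitor.com/x')\""})):
        d = root / "node_modules" / name
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps({"name": name, "scripts": scripts}))
    return flag_lockfile(root / "package-lock.json"), flag_install_hooks(root / "node_modules")
```

Point `flag_lockfile` and `flag_install_hooks` at a real project to get the same two lists for it.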

2. Mitigating the Mini Shai Hulud Attack Chain Across PyPI, npm, and Packagist

The Mini Shai Hulud (April 29-30, 2026) campaign is a multi-ecosystem blitz that started with compromised SAP npm packages (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, mbt) and quickly spread to PyTorch Lightning (lightning==2.6.2/2.6.3), Intercom npm ([email protected]/7.0.5), and even PHP’s Packagist ([email protected]). The malware is triggered on package installation via a `preinstall` or `postinstall` script that downloads the Bun runtime and executes a heavily obfuscated JavaScript credential stealer. It exfiltrates data to domains like `zero.masscan.cloud` and creates dead‑drop commits on GitHub with messages like “A Mini Shai‑Hulud has Appeared”.

Step‑by‑step guide to clean affected environments:

1. Check installed Python packages for the malicious Lightning versions

    # For pip‑managed environments
    pip list --format=freeze | grep -E "lightning==2.6.[23]"

What this does: Identifies whether the compromised PyPI versions (2.6.2 and 2.6.3) are present.

2. Inspect your `.claude` folder for injected IDE hooks

    # Look for the malicious Claude Code configuration file
    grep -E "SessionStart|setup.mjs" .claude/settings.json

What this does: The Mini Shai Hulud payload adds a `node .vscode/setup.mjs` command to the Claude Code hook `runOn: folderOpen`, which executes the stealer every time the IDE opens a folder.

3. Search for GitHub dead‑drop commits that contain exfiltrated data

    # Search your organization’s public/private repos (requires GitHub CLI)
    gh search commits "A Mini Shai-Hulud has Appeared" --owner=YOUR_ORG

What this does: Finds repositories created by the malware to store stolen credentials under the attacker’s controlled description. Immediately revoke any tokens found in those commits.

4. Remove the malicious npm packages and block the exfiltration domain

– Uninstall the compromised packages: `npm uninstall @cap-js/sqlite @cap-js/postgres @cap-js/db-service mbt intercom-client`
– Add a firewall rule or DNS sinkhole to block `zero.masscan.cloud` and `masscan.cloud` to prevent exfiltration.
– Rotate any GitHub, npm, or PyPI tokens that were present in the affected environment.
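An added example (not part of the article) covering steps 1 and 2 in Python: it parses `pip list --format=freeze` output for the two Lightning versions named above, and walks every string in an IDE or agent settings file for the `setup.mjs` and `masscan.cloud` indicators. Walking all strings rather than a fixed key path is a deliberate assumption, since the article does not give the exact hook schema for Claude Code or VS Code; `SAMPLE_FREEZE` and `SAMPLE_SETTINGS` are constructed inputs.

```python
import json
import re
from typing import Iterator

# Versions the article names for the poisoned PyPI release (lightning 2.6.2 / 2.6.3).
BAD_PYPI = {"lightning": {"2.6.2", "2.6.3"}}
# Strings the article associates with the IDE-hook stage and the exfil domain.
IDE_HOOK_HINTS = re.compile(r"setup\.mjs|masscan\.cloud|\bbun\b", re.I)

def bad_pip_packages(freeze_output: str) -> list[str]:
    """Parse `pip list --format=freeze` output; return name==version for known-bad installs."""
    hits = []
    for line in freeze_output.splitlines():
        if "==" not in line:
            continue                       # editable/VCS lines carry no pinned version
        name, version = line.strip().split("==", 1)
        # pip treats distribution names case-insensitively, so compare in lower case
        if version in BAD_PYPI.get(name.lower(), set()):
            hits.append(f"{name}=={version}")
    return hits

def walk_strings(obj, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, value) for every string in a parsed JSON document, at any depth."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk_strings(value, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj

def suspicious_ide_hooks(settings_json: str) -> list[tuple[str, str]]:
    """Return (json_path, string) for settings values that match the hook indicators.
    Schema-agnostic on purpose: it does not assume where Claude Code or VS Code keeps hooks."""
    return [(p, s) for p, s in walk_strings(json.loads(settings_json)) if IDE_HOOK_HINTS.search(s)]

# Constructed sample inputs (assumptions for the demo, not captures from a real incident).
SAMPLE_FREEZE = "numpy==1.26.4\nlightning==2.6.3\ntorch==2.3.0\n-e git+https://example.invalid/x#egg=x\n"
SAMPLE_SETTINGS = json.dumps({
    "permissions": {"allow": ["Bash(npm test)"]},
    "hooks": {"SessionStart": [{"hooks": [{"type": "command",
                                           "command": "node .vscode/setup.mjs"}]}]},
})
```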

3. Hardening CI/CD Pipelines Against Mutable Tag and Workflow Exploitation

The initial infiltration that enabled TeamPCP’s entire campaign was the exploitation of mutable GitHub Action tags in the Trivy repository. The attacker force‑pushed 75 out of 76 `trivy-action` tags and all 7 `setup-trivy` tags to a malicious commit, causing any workflow referencing a mutable tag like `@v0.34.2` to pull the compromised version. This is a classic mutable‑tag attack that can be prevented by pinning actions to full commit SHAs.

Step‑by‑step guide to lock down your GitHub Actions:

1. Scan all `.github/workflows/*.yml` for mutable tag references

    # List any workflow that uses a “@v” or “@main” style reference for critical actions
    grep -rE "(trivy-action|setup-trivy|kics-github-action)@(v[0-9]|main)" .github/workflows/

What this does: Identifies dangerous tags that can be overwritten by an attacker.

2. Replace every mutable tag with a full 40‑character commit SHA

– For trivy-action, use the latest known‑good SHA (e.g., `8e97ef0e38faeea2a4769f18c597dfedfa3d4a26` for v0.20.0).
– For setup-trivy, use a pinned SHA (e.g., `1c77c4a6a64726f86d118d766db3bfe03c58a6ea`).
– Example fix:

    - name: Run Trivy
      uses: aquasecurity/trivy-action@8e97ef0e38faeea2a4769f18c597dfedfa3d4a26  # not @v0.20.0

3. Review any workflow that uses `pull_request_target` with third‑party actions

– The original TeamPCP attack used a `pull_request_target` workflow that allowed a malicious PR to steal the `aqua-bot` PAT. Avoid `pull_request_target` unless absolutely necessary; if used, never combine it with actions that check out code from the PR.

4. Enable GitHub’s “Require approval for outside collaborators” and require signed commits for workflow changes to prevent automatic execution of malicious workflow modifications.
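An added example (not from the article) that goes further than the grep in step 1: it audits every `uses:` line in a workflow, not only the three actions named above, classifying each reference as local, docker, SHA-pinned or mutable, rating the actions the article reports as abused as high severity, and adding a finding when the workflow has a `pull_request_target` trigger (step 3). The regex-based parse and `SAMPLE_WORKFLOW` are constructed; the pinned SHA in the sample is the trivy-action commit quoted in step 2.

```python
import re

# Matches `uses:` in a step, with or without the list dash, and stops at quotes/whitespace/comments.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Action names the article reports as abused via force-pushed tags; everything else is "medium".
HIGH_RISK_ACTIONS = ("trivy-action", "setup-trivy", "kics-github-action")

def classify_ref(ref: str) -> str:
    """Classify a `uses:` reference: local path, docker image, SHA-pinned, or mutable (tag/branch)."""
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    _, _, version = ref.partition("@")
    return "pinned" if FULL_SHA_RE.match(version) else "mutable"

def audit_workflow(text: str) -> list[dict]:
    """Return one finding per mutable `uses:` line, plus one if the workflow has a
    pull_request_target trigger (the entry point the article describes for the Trivy compromise)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or classify_ref(m.group(1)) != "mutable":
            continue
        action = m.group(1).split("@", 1)[0]
        severity = "high" if action.endswith(HIGH_RISK_ACTIONS) else "medium"
        findings.append({"line": lineno, "uses": m.group(1), "severity": severity})
    if re.search(r"\bpull_request_target\b", text):
        findings.append({"line": 0, "uses": "pull_request_target", "severity": "review"})
    return findings

# Constructed sample workflow; line 9 is pinned to the SHA quoted in the article.
SAMPLE_WORKFLOW = """\
name: scan
on: [push, pull_request_target]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@v0.34.2
      - uses: aquasecurity/trivy-action@8e97ef0e38faeea2a4769f18c597dfedfa3d4a26
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.20
"""
```

Run `audit_workflow` over each file under `.github/workflows/` and treat an empty list as the pass condition.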

4. Detecting the LiteLLM .pth File Persistence and WAV Steganography Payloads

The LiteLLM compromise (versions 1.82.7 and 1.82.8) introduced a `.pth` file that executes on every Python interpreter startup, making the malware persistent without any explicit import. The Telnyx compromise went further by hiding XOR‑decoded payloads inside WAV audio files (hangup.wav for Windows, `ringtone.wav` for Unix), evading static analysis.

Step‑by‑step guide to find hidden payloads:

1. Check for the malicious `.pth` file in your Python environment

    # Locate site-packages and look for litellm_init.pth (Windows/Linux/macOS)
    python -c "import site; print('\n'.join(site.getsitepackages()))" | xargs -I{} find {} -name "litellm*.pth"

What this does: The `.pth` file runs arbitrary Python code upon interpreter launch, enabling the credential stealer to persist across restarts.

2. Inspect any WAV files in your downloads or application directories

    # Check for suspiciously large WAV files that contain non‑audio data; prints the path of each match
    find / -name "*.wav" -size +100k -exec sh -c 'strings "$1" | grep -qiE "tpcp|bun|rsa" && echo "$1"' sh {} \;

What this does: Identifies WAV files that may contain embedded XOR‑decoded payloads (the Telnyx dropper uses `bg_kube.wav` and `bg_prop.wav`).

3. Search for the AdaptixC2 beacon indicators

  • Windows: Look for `%APPDATA%\…\Startup\msbuild.exe` (persistence via the Startup folder).
  • Linux/macOS: Check systemd or launchd services named `pgmon.service` or `internal-monitor.service`.

4. Use the official TeamPCP scanner script for a comprehensive check

    git clone https://github.com/whpoole/teampcp_scanner
    cd teampcp_scanner
    python3 teampcp_scanner.py --system --json > results.json

What this does: This scanner automatically checks for compromised binaries by hash (including Trivy v0.69.4), malicious `kics` images, CanisterSprawl npm packages, and cluster‑wide Kubernetes wipers. It also validates live C2 references in shell history and DNS cache.
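An added example (not from the article or the scanner repository) that generalises steps 1 and 2: rather than looking for one file name, it reports every `.pth` line in the given site-packages directories that Python would execute at startup (the `site` module runs lines that begin with `import`; other lines only extend `sys.path`), and it checks a WAV file for bytes after the RIFF container's declared end, which audio players ignore and which is where appended data would sit. The `.pth` file and the WAV samples in `demo()` are constructed.

```python
import struct
import tempfile
from pathlib import Path

def executable_pth_lines(site_dirs) -> list[tuple[str, int, str]]:
    """Return (file, lineno, text) for every .pth line the interpreter would *execute*.
    The site module runs any .pth line that begins with 'import'; all other lines are
    only added to sys.path, so an import line is the thing worth a human look."""
    hits = []
    for d in site_dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            for n, line in enumerate(pth.read_text(errors="replace").splitlines(), 1):
                if line.startswith(("import ", "import\t")):
                    hits.append((pth.name, n, line.strip()))
    return hits

def wav_trailing_bytes(data: bytes) -> int:
    """Return how many bytes follow the end of the RIFF container (-1 if not a WAV).
    A well-formed WAV is exactly 8 + the RIFF size field long; anything after that
    is data a player ignores, which is where an appended payload would live."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return -1
    riff_size = struct.unpack_from("<I", data, 4)[0]
    return len(data) - (8 + riff_size)

def demo() -> tuple[list[tuple[str, int, str]], int, int]:
    """Run both checks on constructed samples: a .pth with one import line and a
    1-second silent WAV, once clean and once with 4096 bytes appended."""
    import io
    import wave
    tmp = Path(tempfile.mkdtemp())
    (tmp / "constructed_sample.pth").write_text(
        "/opt/extra-libs\nimport os; os.environ['CONSTRUCTED_SAMPLE'] = '1'\n")
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(b"\x00\x00" * 8000)
    clean = buf.getvalue()
    tainted = clean + b"\x17" * 4096   # stand-in for an appended (e.g. XOR-encoded) blob
    return executable_pth_lines([tmp]), wav_trailing_bytes(clean), wav_trailing_bytes(tainted)
```

For a live check, pass `site.getsitepackages()` to `executable_pth_lines` and the bytes of each large WAV to `wav_trailing_bytes`.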

What Undercode Say:

  • One compromised token can trigger a multi‑ecosystem meltdown. The TeamPCP campaign shows that a single exposed PAT or npm token is enough to poison thousands of downstream applications across languages and registries.
  • Traditional software composition analysis (SCA) is insufficient. Malware hidden in `postinstall` scripts, `.pth` files, and even WAV audio frames bypasses most static scanners; runtime behaviour monitoring and immutable version pinning are now non‑negotiable for any development pipeline.
  • The shift to ICP canisters and GitHub dead‑drops represents a resiliency breakthrough for attackers. Decentralized, blockchain‑based C2 channels are nearly impossible to take down via conventional registrar or hosting abuse reports.
  • Developers are the new supply chain backdoor. By targeting VS Code, Claude Code, and other IDE extensions, attackers are weaponizing the tools developers trust most, turning local configurations into global distribution vectors.

Prediction:

The TeamPCP campaign will likely evolve into a permanent “access‑broker as a service” model, similar to LAPSUS$. Over the next 12 months, we expect to see more threat actors adopt the ICP canister technique and cross‑ecosystem propagation, targeting AI developers specifically because their environments contain high‑value API keys to LLM providers, cloud accounts, and internal CI/CD systems. The upcoming battleground will shift from public registries to IDE marketplaces and AI workflow orchestration tools like LangChain and AutoGPT. Organizations must start treating every developer environment as a potential ingress point, enforce runtime detection for hidden scripts, and assume that any mutable reference in their CI/CD is already compromised.

Reported By: Ramimac Two – Hackers Feeds