{"name":"Mini Shai-Hulud - campaign","description":"# Executive Threat Brief (CISO / Executive Leadership)\n\n## Campaign Snapshot\n\nMini Shai-Hulud is an active npm and PyPI supply chain worm attributed to TeamPCP — the same group responsible for the Trivy, Checkmarx KICS, and LiteLLM compromises. Entry was gained through an orphaned commit in a TanStack CI workflow that still held OIDC trust federation with npm. No credentials were stolen. No maintainer was phished. The attacker extracted a short-lived OIDC JWT from a GitHub Actions runner process and exchanged it for authenticated publish access to the entire TanStack package namespace. From that foothold, the worm self-propagated: every infected CI run became a new publisher, minting fresh tokens and republishing infected versions under stolen maintainer identities — all with valid Sigstore provenance attestations attached. In under 24 hours, 170 npm packages across 19 namespaces and 2 PyPI packages were compromised. No CVE has been assigned.\n\nBusiness risk is immediate and multi-dimensional. The preinstall hook fires on `npm install` — the package does not need to be imported. Every CI runner that resolved a compromised version during May 10–12, 2026 should be treated as fully compromised: GitHub tokens, AWS credentials, Kubernetes service account tokens, HashiCorp Vault tokens, and Docker registry credentials are all in scope for rotation. Persistence lands in Claude Code hook directories (`.claude/`) and VS Code task runners (`.vscode/tasks.json`). `npm uninstall` does not remove these. The worm re-executes on every developer tool invocation until the hook files are explicitly cleaned.\n\nExfiltration runs through the Session decentralized P2P messaging network — not HTTP C2. Network-layer detection tools that rely on domain reputation scoring have no visibility into this channel. DNS-level blocking of `filev2.getsession.org` and the Session bootstrap nodes is the only practical perimeter control."}