Software supply chain attacks are no longer isolated incidents or niche threats targeting obscure open-source projects. Over the past year, they have evolved into a sustained, industrialized threat campaign aimed directly at developer ecosystems, CI/CD pipelines, cloud-connected repositories, and cryptocurrency infrastructure.

In recent months, multiple software supply chain attacks have targeted developer ecosystems, spanning npm, PyPI, Docker Hub, OpenVSX, Visual Studio Code Marketplace, GitHub Actions, GitHub repositories, and crates.io, with credential theft and downstream reuse of stolen access common.

At the center of this evolving landscape are clusters like TeamPCP and its Shai-Hulud worm, as well as several North Korea-linked operations that collectively illustrate how modern software supply chain compromise has become faster, more automated, and far more interconnected than previous generations of attacks.

TeamPCP and Shai-Hulud: The rise of worm-like supply chain malware

One of the defining themes across recent campaigns is the emergence of malware designed not simply to infect, but to propagate. One notable malware that stands out is Shai-Hulud, a credential stealer attributed to the threat actor TeamPCP, who has been using the malware since at least mid-2025 to target GitHub Actions, npm, Docker Hub, OpenVSX, VS Code extensions, and even internal GitHub repositories. However, Shai-Hulud is not the only worm in TeamPCP’s arsenal. In March 2026, the group also launched a large-scale supply chain attack involving CanisterWorm, which not only steals credentials or installs backdoors, but also wipes entire Kubernetes clusters.

By May, the group escalated its activity by leaking the source code of its malware and calling on other hackers to conduct large-scale supply chain attacks. The leaked code reflects previously observed Shai-Hulud behavior, including credential theft and exfiltration workflows that upload stolen data to GitHub repositories, send information to a predefined C2 server, and target secrets such as credentials and cryptocurrency wallets. The public release of the source code will likely spawn copycat operations that could be equally damaging.

Mini Shai-Hulud

In parallel, TeamPCP continued its attack spree in what many refer to as a Mini Shai-Hulud wave. What began as isolated compromises quickly expanded across ecosystems affecting SAP-related npm packages, Bitwarden CLI, TanStack-related packages, node-ipc, and more recently the large-scale AntV ecosystem compromise. The TanStack incident impacted several major companies, including Nx, OpenAI, Mistral AI, and Grafana Labs. In the Nx case, the attackers used the gained access to upload a trojanized Nx Console Visual Studio Code extension, which in turn infected a GitHub employee device. The extension was reportedly only live for 18 minutes, showing just how fast an attack can travel down the supply chain.

The AntV incident has likely been the largest in scale to date, with the attackers leveraging a compromised maintainer account to publish malicious updates to hundreds of packages. The scale of the AntV incident forced npm to invalidate granular write tokens that bypassed two-factor authentication. Maintainers across the ecosystem were urged to rotate tokens and strengthen publishing protections immediately.

One of the most striking aspects of the campaign was its extensive use of legitimate platforms for C2 and exfiltration. Rather than relying exclusively on traditional malware infrastructure, the attackers used GitHub repositories as dead-drop locations for stolen data. In some cases, more than 2,500 public repositories were reportedly created using compromised GitHub tokens for this purpose.

Other exfiltration traffic blended into legitimate services by disguising HTTPS communications as OpenTelemetry traffic. Earlier TeamPCP activity also leveraged Internet Computer Protocol canisters as resilient dead-drop infrastructure.

Contagious Interview – Developer recruitment as an attack vector continues

Not every campaign relied on compromised maintainers or stolen publisher credentials. The Contagious Interview campaign, largely attributed to North Korean hackers like Lazarus, Famous Chollima, STARDUST CHOLLIMA, UNC1069, and PolinRider, represents a parallel but equally dangerous evolution in developer targeting. Rather than exploiting publishing infrastructure directly, attackers pose as recruiters and deliver malicious coding challenges, interview tools, and repository tasks to developers.

Contagious Interview is not new, in fact it’s been ongoing since at least late 2022, but the attack techniques appear to still be successful. Victims are lured into running poisoned repositories hosted on GitHub, GitLab, or Bitbucket, often with malicious VS Code tasks embedded inside the projects themselves. Once developers grant repository permissions or execute the tasks, the malware deploys remote access trojans, infostealers, and credential theft tooling. The campaign mostly focuses on cryptocurrency developers and firms, blending traditional social engineering with open-source package abuse and trojanized SDKs.

Beyond TeamPCP and Contagious Interview: A growing ecosystem of threat actors

TeamPCP/Mini Shai-Hulud and Contagious Interview are only part of a much larger ecosystem of supply chain threats. Campaigns linked to TrapDoor, GlassWorm, JINX-0164, and several dependency confusion operations demonstrate that financially motivated actors, opportunistic attackers, and experimental malware developers are all converging on the same attack surface, namely developer trust paths.

TrapDoor, for example, distributed crypto-stealing packages across npm, PyPI, and crates.io while embedding persistence mechanisms into shell profiles, Git hooks, cron jobs, AI tooling configurations, and SSH propagation logic. GlassWorm, whose botnet operations were recently disrupted, combined trojanized OpenVSX extensions with compromised npm and Python packages and ultimately poisoned more than 300 GitHub repositories using stolen credentials. JINX-0164 not only uses supply chain compromise but also social engineering to disseminate malware that targets secrets from CI/CD pipelines.

In fact, attackers appear to increasingly target the CI/CD workflow design itself. The TanStack-related incidents showed how poisoned caches and unsafe ‘pull_request_target’ workflows could enable malicious publication without directly compromising maintainers at all. Such supply chain attacks are appearing near daily in recent weeks, indicating a broader shift from targeting individuals to automation, workflow trust assumptions, and shared build states more generally.

AI Tooling Becomes the Next Target

Another notable development in recent campaigns is the growing focus on AI-assisted development environments. Multiple incidents have involved tampering with Claude Code configurations, poisoning AI-agent workflows, modifying model context settings, or inserting malicious instruction files into repositories.

As AI tools become more deeply integrated into development pipelines, they are increasingly being treated as another privileged trust boundary, one capable of exposing secrets, executing workflows, or influencing downstream code generation.

Closing thoughts: Malware attacks on the developer supply chain

Supply chain attacks are likely to remain high-tempo, adaptive, and deeply focused on trusted developer infrastructure. While identified malicious extensions and packages are removed as soon as possible, the automated nature of such projects means that even if they are only live briefly, they can still have a significant disruptive effect downstream. When it comes to defensive measures, things like multi-factor authentication enforcement, reduction of long-lived credentials, hardening GitHub Actions workflows, and minimizing CI/CD token permissions are often cited. Generally, organizations will need to stop treating package management, developer endpoints, CI/CD systems, and cloud identity as separate security domains. Modern supply chain attacks thrive precisely because those environments are so interconnected.

Note: The reporting period has a cut-off of May 29th, 2026. The campaigns remain ongoing, with new variants already observed.


To see how Silobreaker connects threat actor clusters, malicious packages, and campaign timelines into a single intelligence view, book your demo