Microsoft Access VBA

    Published: 2026-05-25. Last Updated: 2026-05-25 14:14:58 UTC
    by Didier Stevens (Version: 1)

    Microsoft Access files (the database application in Microsoft Office) can contain VBA code.

    But they are not OLE (CFB) or OOXML files, so you can't analyze them with oledump.py:

    Nor do they contain an embedded OLE file:

    Microsoft does not publish official documentation for the Microsoft Access file format, as it does for CFB (OLE) and OOXML.

    That inspired me to add support for VBA compression to my search-for-compression.py tool.

    search-for-compression.py is a tool that searches binary files for ZLIB-compressed data. I've now added the option to search for compressed VBA code too. That is done with option -t:

    There are three entries. The first two decompress to binary data (01 00 04 ...); these are similar to the dir streams in OLE files. A dir stream specifies VBA project properties, project references, and module properties. They can be dumped:

    The third one starts with ASCII data (Attribut): this is the VBA code, which can be selected and dumped:
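    The compression being searched for is the MS-OVBA format used for VBA module streams. As an added example (not Didier's tool or code), here is a minimal MS-OVBA encoder/decoder in Python with a scanner that applies the idea behind option -t at small scale: it tries every 0x01 byte in a blob as the start of a compressed container and keeps the hits whose plaintext begins with Attribut. The module text, the padding bytes and the function names are constructed for the example.

```python
import struct

SIGNATURE, CHUNK_SIG, CHUNK_MAX = 0x01, 0b011, 4096   # container byte, 3-bit chunk signature, chunk size

def _bit_count(difference):
    return max(4, (difference - 1).bit_length())    # BitCount = max(4, ceil(log2 Difference))

def compress(data):
    """Greedy MS-OVBA encoder (literal tokens + CopyTokens), one chunk per 4096 input bytes."""
    out = bytearray([SIGNATURE])
    for start in range(0, len(data), CHUNK_MAX):
        end, body, cur = min(start + CHUNK_MAX, len(data)), bytearray(), start
        while cur < end:
            flag_pos, flags = len(body), 0
            body.append(0)                                  # FlagByte, patched once its tokens are known
            for bit in range(8):
                if cur >= end:
                    break
                bits = _bit_count(cur - start)              # offset/length split of a CopyToken here
                best_len, best_off = 0, 0
                for cand in range(cur - 1, start - 1, -1):  # longest earlier match; overlap is allowed
                    n = 0
                    while cur + n < end and n < (0xFFFF >> bits) + 3 and data[cand + n] == data[cur + n]:
                        n += 1
                    if n > best_len:
                        best_len, best_off = n, cur - cand
                if best_len >= 3:                           # CopyToken: offset-1 in high bits, length-3 low
                    body += struct.pack("<H", ((best_off - 1) << (16 - bits)) | (best_len - 3))
                    flags |= 1 << bit
                    cur += best_len
                else:                                       # literal token
                    body.append(data[cur])
                    cur += 1
            body[flag_pos] = flags
        if len(body) <= CHUNK_MAX:                          # header: flag=1, signature, chunk size - 3
            out += struct.pack("<H", 0x8000 | (CHUNK_SIG << 12) | (len(body) - 1)) + body
        else:                                               # incompressible: flag=0 and 4096 raw bytes
            out += struct.pack("<H", (CHUNK_SIG << 12) | (CHUNK_MAX - 1)) + data[start:end].ljust(CHUNK_MAX, b"\0")
    return bytes(out)

def decompress(blob, pos=0):
    """Decode the container at blob[pos:] -> (plaintext, end offset); stops at the first non-chunk header."""
    if blob[pos] != SIGNATURE:
        raise ValueError("no container signature byte")
    out, pos = bytearray(), pos + 1
    while pos + 2 <= len(blob) and (blob[pos + 1] >> 4) & 0x7 == CHUNK_SIG:
        header, = struct.unpack_from("<H", blob, pos)
        chunk_start, chunk_end, pos = len(out), min(len(blob), pos + (header & 0x0FFF) + 3), pos + 2
        if not header >> 15:                                # CompressedChunkFlag=0: 4096 raw bytes
            out += blob[pos:pos + CHUNK_MAX]
            pos += CHUNK_MAX
            continue
        while pos < chunk_end:
            flags, pos = blob[pos], pos + 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:                  # literal token
                    out.append(blob[pos])
                    pos += 1
                    continue
                token, = struct.unpack_from("<H", blob, pos)
                pos, difference = pos + 2, len(out) - chunk_start
                bits = _bit_count(difference)
                length, offset = (token & (0xFFFF >> bits)) + 3, (token >> (16 - bits)) + 1
                if offset > difference:
                    raise ValueError("CopyToken points before the chunk start")
                for _ in range(length):                     # byte-wise copy so overlapping runs work
                    out.append(out[-offset])
    return bytes(out), pos

def find_vba_modules(blob):
    """Offsets that decode to a VBA module (plaintext starts with the 'Attribute VB_Name' line) -> [(offset, text)]."""
    hits = []
    for i in (i for i, b in enumerate(blob) if b == SIGNATURE):
        try:
            text, _ = decompress(blob, i)
        except (ValueError, IndexError, struct.error):
            continue
        if text.startswith(b"Attribut"):
            hits.append((i, text))
    return hits

# Constructed sample: a tiny module embedded between unrelated bytes (not a real Access file).
MODULE = b'Attribute VB_Name = "Module1"\r\nSub Demo()\r\n    MsgBox "hello"\r\nEnd Sub\r\n'
SAMPLE_BLOB = b"\x00" * 16 + b"ACCDB padding" + compress(MODULE) + b"\xff" * 8
```

    The dir streams the diary mentions decode the same way; only the plaintext filter differs (they start with binary records rather than Attribut).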

    This example is simple, because it's just an empty database that I created for this diary entry.

    Real samples are a bit more complex. I'll cover some examples in an upcoming diary entry.


    Didier Stevens
    Senior handler
    blog.DidierStevens.com


    TeamPCP Supply Chain Campaign: Activity Through 2026-05-24

    Published: 2026-05-25. Last Updated: 2026-05-25 13:26:06 UTC
    by Kenneth Hartman (Version: 1)

    TeamPCP now operates across three package ecosystems in parallel; it has reached GitHub's own internal codebase, trojanized an officially Microsoft-published Python SDK, and appears to have open-sourced its own framework on GitHub.

    Bottom line up front

    Three escalations stacked inside a single week. First, GitHub's CISO Alexis Wales publicly named a malicious Nx Console VS Code extension build (v18.95.0, publisher nrwl.angular-console, verified-publisher badge, roughly 2.2 million installs) as the root of an intrusion that exfiltrated approximately 3,800 GitHub-internal repositories; OpenAI, Grafana Labs, and Mistral AI were named as downstream victims. The poisoned extension was live on the Visual Studio Marketplace for roughly 18 minutes. Second, an officially Microsoft-published Python SDK on PyPI (durabletask, the Azure Durable Functions client, roughly 417,000 monthly downloads) was trojanized across three versions (1.4.1 through 1.4.3) inside an approximately 35-minute window, and independent reporting characterizes the second-stage payload as carrying a Linux disk wiper. Third, the same operator pushed a third Mini Shai-Hulud wave through the @antv npm ecosystem: 639 malicious package versions across 323 packages, including echarts-for-react (roughly 1.1 million weekly downloads) and size-sensor (roughly 4.2 million weekly downloads). Action: rotate any developer or CI/CD credentials exposed during the windows below, stop treating publisher-verified or attestation badges as install-time safety signals, and inspect AI coding agent configuration files for persistence.

    How this developed

    The week opened with a credentials-to-publish chain that nobody had previously walked end-to-end in public. Reporting from BleepingComputer and Help Net Security ties OIDC credentials harvested in the May 11 TanStack wave to the Nx Console publish on May 18, which means the same operator that built the worm two weeks earlier used its loot to push a trojanized VS Code extension through a verified-publisher account. In parallel, the same operator poisoned the @antv npm ecosystem through a compromised maintainer account ("atool") and dropped a trojanized build of Microsoft's own durabletask SDK on PyPI. Within 72 hours, GitHub itself, Microsoft, and several named AI-lab developer endpoints were affected. By Friday, multiple vendors reported the Shai-Hulud framework source had been published to GitHub, and copycat forks were already running.

    What changed, by theme

    The GitHub-internal breach: a multi-stage operation that worked

    Takeaway: TanStack-harvested credentials from May 11 were used to publish the trojanized Nx Console extension that breached GitHub itself. This is the first publicly confirmed multi-stage operation in the campaign.

    On 2026-05-18 a malicious build of the Nx Console VS Code extension (v18.95.0, publisher nrwl.angular-console) was published to the Visual Studio Marketplace and was live for approximately 18 minutes before it was pulled. Per Help Net Security and OX Security, an Nx maintainer credential was used to publish; per BleepingComputer, that credential traces back to the TanStack OIDC abuse chain tracked as CVE-2026-45321. On a GitHub employee endpoint, the extension auto-updated during the 18-minute window, exfiltrated developer secrets, and was then used to move laterally through GitHub's internal CI/CD. The intrusion exfiltrated approximately 3,800 GitHub-internal repositories before containment; reporting suggests no customer-tenant data was affected. On 2026-05-21, GitHub CISO Alexis Wales publicly named Nx Console as the root and confirmed OpenAI, Grafana Labs, and Mistral AI as named downstream victims whose developers had auto-update enabled.

    The practical lesson is uncomfortable: the malicious extension carried the Visual Studio Marketplace verified-publisher badge. Treating that badge as a safety signal at install time would not have prevented this intrusion. A publisher account being legitimate and a specific publish event being legitimate are different claims, and the campaign now operationalizes that gap.

    The official Microsoft SDK: durabletask 1.4.1 through 1.4.3

    Takeaway: For the first time in this campaign, an officially Microsoft-published package surface was trojanized. The second-stage payload reportedly carries a Linux disk wiper.

    Three malicious versions of the durabletask Python client (Microsoft's official Azure Durable Functions SDK, roughly 417,000 monthly downloads) were published to PyPI on 2026-05-19 and yanked within hours. Per Wiz, Aikido, and Endor Labs, the dropper is injected into the package's Python source files, so importing the SDK is sufficient to execute it. The second stage is a credential stealer and worm that targets AWS, Azure, GCP, HashiCorp Vault, 1Password, and Bitwarden, and that propagates inside cloud environments via AWS SSM (inside EC2) and kubectl exec (inside Kubernetes). iTnews reporting characterizes the second stage as carrying a Linux disk wiper, materially extending the campaign's destructive capability beyond the W20 1-in-6 locale-conditional wipe.

    If any team installed durabletask versions 1.4.1, 1.4.2, or 1.4.3 on 2026-05-19, the import alone is the trigger. Treat any environment that pulled one of those builds as exposed, including ephemeral CI runners.

    The @antv npm wave: the largest single burst by package count

    Takeaway: 639 malicious versions across 323 packages, including echarts-for-react (roughly 1.1 million weekly downloads). Forty-two of the malicious packages were observed displaying fake Sigstore verification badges in the npm UI.

    On 2026-05-19, a compromised maintainer account ("atool") published a third Mini Shai-Hulud wave across the @antv ecosystem. Independent counts from StepSecurity, Snyk, and Socket agree on 639 malicious versions across 323 packages, which makes this the largest single-hour Shai-Hulud burst the campaign has produced. The roughly 499 KB obfuscated JavaScript payload runs during npm install and harvests more than 20 credential classes: GitHub and npm tokens, AWS keys, GCP and Azure tokens, SSH keys, Kubernetes service accounts, HashiCorp Vault secrets, Stripe API keys, and local password vaults from 1Password and Bitwarden. The persistence vector first seen in the TanStack wave (.vscode/tasks.json and ~/.claude/settings.json) continues here.

    Endor Labs flagged a previously unreported primitive in this wave: 42 of the malicious packages displayed forged Sigstore verification badges in the npm UI. This pairs poorly with the W20 finding that the prior wave shipped valid SLSA Build Level 3 provenance. Read together, provenance is now being attacked from two directions at once: real attestations produced by hijacked release pipelines, and fake attestations rendered by the registry UI. Pin exact versions and verify lockfile hashes; do not rely on either visual indicator. Per The Hacker News, the GitHub cleanup invalidated roughly 61,274 npm granular access tokens that had write permissions and 2FA bypass.

    The framework code drop

    Takeaway: Multiple vendors reported on 2026-05-22 that the Shai-Hulud framework source was published to GitHub. Copycat forks were running within hours.

    Datadog Security Labs published a static analysis of a public GitHub repository containing what appears to be the complete TeamPCP framework: a modular TypeScript/Bun toolkit for credential harvesting, supply chain poisoning, and encrypted exfiltration. The repository README explicitly carries the strings "Love - TeamPCP" and "Change keys and C2 as needed." OX Security and ReversingLabs corroborated, and OX subsequently documented the first observed deployments from forks. At least three forks had appeared by Datadog's analysis, including one adding FreeBSD support.

    For defenders, the practical effect is attribution noise. Detection patterns built on framework artifacts (PBKDF2 salt strings, dead-drop string lineage, GitHub repository naming conventions including the reversed-string "niagA oG eW ereH :duluH-iahS") will now also fire on copycat operators with no operational connection to TeamPCP. Behavioral indicators (writes to ~/.claude/settings.json and .vscode/tasks.json, large 2FA-bypassing token harvests, and Session messenger exfiltration to filev2[.]getsession[.]org and seed1[.]getsession[.]org) remain the more durable detection surface.

    Microsoft broke its silence; CISA did not

    Takeaway: Microsoft publicly and prominently entered the response coalition. CISA did not add CVE-2026-45321 to the Known Exploited Vulnerabilities catalog in either of the two W21 update tranches.

    On 2026-05-20 the Microsoft Security Blog published "Mini Shai-Hulud: Compromised @antv npm packages enable CI/CD credential theft," the first formal Microsoft Security Blog post tied to this campaign in 2026. The next day, GitHub's CISO posted publicly on the Nx Console root cause and named downstream victims. Together, these break the multi-week Microsoft silence that prior weekly updates had flagged as anomalous.

    Federal posture moved the other way. CISA added nine vulnerabilities to the Known Exploited Vulnerabilities catalog inside W21 across two tranches (seven on 2026-05-20 and two on 2026-05-21) and added none of the campaign's tracking identifiers. CVE-2026-45321 is now absent from the KEV catalog despite the GitHub-internal-codebase intrusion, the Microsoft Security Blog publication, the named impact to OpenAI, Grafana Labs, and Mistral AI, and the trojanization of an officially Microsoft-maintained Python SDK. The continued KEV silence is itself the watch item; it is now the longest such gap of the campaign.

    Monetization stays frozen

    Takeaway: Vect and CipherForce remained inactive through the window.

    Direct fetches on 2026-05-24 confirm Vect's victim count unchanged at 25 (most recent posting 2026-04-15, approximately 40 days inactive) and CipherForce inactive at 91 days with 6 victims unchanged. Combined with the earlier Check Point disclosure of cryptographic flaws in Vect 2.0, the affiliate-ransomware monetization channel remains impaired even as the supply chain operation reached new highs.

    What defenders should do now

    • Inventory installs of the Nx Console VS Code extension v18.95.0 (publisher nrwl.angular-console) on developer endpoints with auto-update enabled. Treat any endpoint that pulled v18.95.0 during the 2026-05-18 Marketplace window as exposed.
    • Inventory durabletask installs of versions 1.4.1, 1.4.2, or 1.4.3 (PyPI) from 2026-05-19. Treat any environment that imported one of those builds as exposed, including ephemeral CI runners.
    • Inventory @antv/* installs and the named packages (echarts-for-react, size-sensor, timeago.js) from the 2026-05-19 window. Tokens, npm credentials, AWS, GCP, Azure, Vault, 1Password, and Bitwarden vaults from affected hosts should be rotated.
    • Rotate any developer or CI/CD credentials that touched the affected extensions or packages, including GitHub PATs, npm granular access tokens, and cloud provider credentials.
    • Do not treat the Visual Studio Marketplace verified-publisher badge or npm Sigstore verification badges as install-time safety signals. Pin exact versions and verify lockfile hashes against a known-good baseline.
    • Inspect developer endpoints for persistence in ~/.claude/settings.json and .vscode/tasks.json.
    • For Kubernetes-attached workloads, audit recent kubectl exec and AWS SSM session history for anomalous activity from compute that ran any of the affected packages.
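    One way to act on the "pin exact versions and verify lockfile hashes against a known-good baseline" item, as an added example that is not part of the diary: a Python comparison of two package-lock.json documents that reports version drift, integrity (hash) changes and new entries, and marks @antv/* packages and the three packages named above as watch items. A changed integrity hash at an unchanged version is the case worth catching here, since the wave's real attestations came from hijacked release pipelines. The two lockfiles and their integrity strings are constructed; real integrity fields are base64 SHA-512 digests.

```python
import json

ANTV_NAMED = {"echarts-for-react", "size-sensor", "timeago.js"}   # packages the diary names

def _pkg_name(lock_key):
    # package-lock v2/v3 keys look like "node_modules/@antv/g2" or "node_modules/x/node_modules/@antv/util"
    return lock_key.rsplit("node_modules/", 1)[-1] if lock_key else None

def lockfile_drift(baseline, current):
    """Compare two parsed package-lock.json documents (v2/v3 'packages' map) with a known-good baseline.
    Returns one (name, kind, baseline_value, current_value, watch) tuple per difference, where kind is
    'version', 'integrity' or 'new', and watch is True for @antv/* and the named packages."""
    base = {_pkg_name(k): v for k, v in baseline.get("packages", {}).items() if k}
    findings = []
    for key, meta in current.get("packages", {}).items():
        name = _pkg_name(key)
        if not name:                                   # "" is the root project entry
            continue
        watch = name.startswith("@antv/") or name in ANTV_NAMED
        old = base.get(name)
        if old is None:
            findings.append((name, "new", None, meta.get("version"), watch))
            continue
        for field in ("version", "integrity"):         # same version + different hash = republished tarball
            if old.get(field) != meta.get(field):
                findings.append((name, field, old.get(field), meta.get(field), watch))
    return findings

def lockfile_drift_from_files(baseline_path, current_path):
    """File-based wrapper for use in CI: compare the committed baseline with the lockfile about to be installed."""
    with open(baseline_path) as b, open(current_path) as c:
        return lockfile_drift(json.load(b), json.load(c))

# Constructed sample lockfiles (integrity values are placeholders, not real digests).
BASELINE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "app", "version": "1.0.0"},
    "node_modules/echarts-for-react": {"version": "3.0.2", "integrity": "sha512-BASELINE-ECHARTS"},
    "node_modules/@antv/g2": {"version": "5.1.0", "integrity": "sha512-BASELINE-G2"},
    "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-BASELINE-LEFTPAD"},
}}
CURRENT_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "app", "version": "1.0.0"},
    "node_modules/echarts-for-react": {"version": "3.0.3", "integrity": "sha512-CHANGED-ECHARTS"},
    "node_modules/@antv/g2": {"version": "5.1.0", "integrity": "sha512-CHANGED-G2"},   # same version, new hash
    "node_modules/left-pad": {"version": "1.3.1", "integrity": "sha512-CHANGED-LEFTPAD"},
    "node_modules/size-sensor": {"version": "1.0.2", "integrity": "sha512-NEW-SIZE-SENSOR"},
    "node_modules/left-pad/node_modules/@antv/util": {"version": "3.3.0", "integrity": "sha512-NEW-UTIL"},
}}

if __name__ == "__main__":
    for name, kind, old, new, watch in lockfile_drift(BASELINE_LOCK, CURRENT_LOCK):
        print(f"{'WATCH ' if watch else ''}{name}: {kind} {old} -> {new}")
```

    Run it against the lockfile in a pull request before `npm ci`; any watch-flagged integrity change at an unchanged version should block the install until the tarball is compared against the vendor lists.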

    Watch items

    • A CISA Known Exploited Vulnerabilities addition for CVE-2026-45321, a standalone TeamPCP advisory, or a joint advisory with NSA, FBI, or NCSC-UK. After two W21 KEV tranches that excluded the campaign's tracking CVE despite the GitHub-internal breach and the durabletask trojanization, the continued silence is the watch item.
    • A Mandiant or Google Threat Intelligence Group named-actor product on UNC6780 covering the @antv wave, the durabletask compromise, or the Nx Console publish chain. Technical attribution still rests on StepSecurity, Wiz, Snyk, Socket, the Microsoft Security Blog, and the GitHub CISO statement.
    • A formal GitHub incident report or Security Bulletin, including indicators of compromise and a detailed timeline of the May 18 Visual Studio Marketplace publish window. Any Microsoft response on Marketplace publisher-trust validation, given the verified-publisher badge on the malicious build, would be material.
    • Named copycat-operator deployments from forks of the leaked framework, and any operational-confusion incident in which a fork's activity is misattributed to TeamPCP itself.
    • Any verified disk-wipe incident tied to the durabletask Linux wiper or the @antv-wave payload, particularly a CERT-IL or CERT-IR advisory in response to vendor IR engagements disclosing data loss.