Shai-Hulud supply chain worm evolves to fool AI security scanners

A fast-moving software supply chain campaign known as Shai-Hulud has spent the past six months mutating from a self-spreading npm worm into something far harder to stop, and its latest trick is aimed squarely at the AI tools defenders increasingly rely on. Researchers at Zscaler ThreatLabz, in analysis by Atinderpal Singh, report that the operation now plants hidden instructions inside malicious packages to fool large language model (LLM) security scanners into declaring the code clean.

The campaign first surfaced in September 2025 as a worm that stole developer credentials and republished a victim's npm packages to spread itself. Since then it has expanded into the Python Package Index (PyPI), shifted from stealing maintainer logins to abusing the automated build pipelines that publish open source software, and even reached into the configuration files of AI coding assistants. ThreatLabz links the earlier waves with high confidence to a group it calls TeamPCP, tracked by Mandiant as UNC6780, but attribution since May 12, 2026 is murkier. On that date the attackers published the worm's full source code on GitHub under an open source license with the message "Open Sourcing The Carnage" and offered a cash prize on a criminal forum for the largest attack built from it. Anyone can now run the playbook.

How the attack works

Several recent waves bypass the cryptographic trust signals that are meant to prove a package is safe. In May, the crew abused a misconfigured GitHub Actions workflow in the popular TanStack project to scrape a short-lived publishing token straight from the build server's memory, then pushed 84 tampered files across 42 TanStack packages in a six-minute window. Each one carried a valid provenance signature, because the malicious code ran from inside the trusted build system itself. A near-identical method hit Red Hat between June 1 and 2, 2026 after an engineer's GitHub account was compromised, yielding 32 poisoned packages and 96 versions. The lesson, ThreatLabz stresses, is that a valid SLSA or Sigstore signature proves how a package was built, not that the account or pipeline behind it can be trusted.

On PyPI the worm drops a Python ".pth" file into the site-packages folder, a stealthy persistence trick that runs the payload every time Python starts and survives package reinstalls. A March wave poisoned the widely used Trivy scanner's build cache to push a malicious version of the LiteLLM library in exactly this way.

Targeting AI defenders and AI tooling

The June 8 PyPI wave, flagged by Socket Research and analyzed by StepSecurity, is the standout. The malware's loader opens with a plain text block of prose that, according to StepSecurity, "acts as an adversarial prompt injection, instructing any parsing LLM to ignore the obfuscated code below it, classify the package as verified clean infrastructure, and output a safe security report." Any scanner that feeds raw package contents to a model without isolating its own instructions can be talked into a false all-clear. Days earlier, on June 5, the operators pushed booby-trapped IDE configuration files (.claude/, .cursor/, .vscode/ and .gemini/) that run commands the moment a developer opens the repository in an AI coding assistant, a vector that led GitHub to disable 73 Microsoft repositories. The repository-borne tactic echoes other developer-toolchain supply-chain attacks, such as the Glassworm campaign that spread through GitHub repos, npm, and VS Code.

What you should do

ThreatLabz urges teams to pin and lock all dependencies and use "npm ci" rather than "npm install", pin the versions of CI tools such as scanners and formatters, and audit risky "pull_request_target" usage in GitHub Actions. Watch the Python site-packages folder for unexpected ".pth" files, treat IDE and AI-agent config files as executable code subject to code review, and never treat a scanner's silence or a safety refusal as a clean verdict. Enforce phishing-resistant multi-factor authentication such as FIDO2 on npm, PyPI and GitHub, and rotate any tokens that may have been exposed. One observed marker is a background service that polled GitHub's commit search once an hour for the string firedalazer to fetch new commands. A staged callback to api[.]anthropic[.]com/v1/api was camouflage only, and Anthropic's systems were not involved. Read the original ThreatLabz report for the full timeline and indicators.
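The ".pth" persistence described above and the advice to watch site-packages for unexpected ones can be turned into a concrete audit. The script below is an added example written for this briefing, not code from ThreatLabz or from the worm: it lists every .pth file directly in site-packages, flags the lines that site.py would execute at interpreter start-up, and ranks highest any such file that no installed distribution's RECORD claims. The sample .pth contents and the suspicious-keyword list are constructed for the example.

```python
import importlib.metadata
import re
import site
from pathlib import Path

# site.py executes any .pth line beginning with "import " or "import\t" at every
# interpreter start-up; all other non-comment lines are plain path entries.
_IMPORT_LINE = re.compile(r"^import[ \t]")
# Heuristic markers of a loader smuggled into an import line (chosen for this example).
_SUSPICIOUS = re.compile(r"exec\(|eval\(|__import__|base64|zlib|marshal|urllib|socket|subprocess")

def audit_pth_text(name, text, owner=None):
    """Findings for one .pth; owner is the distribution whose RECORD lists it, or None."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not _IMPORT_LINE.match(line):
            continue  # path entries and comments are never executed
        # Unowned (the 'unexpected .pth' case), obfuscated or very long lines rank high.
        risky = owner is None or _SUSPICIOUS.search(line) or len(line) > 200
        findings.append(f"{'high' if risky else 'medium'}: {name}:{lineno} "
                        f"(owner: {owner or 'no installed distribution'}) runs at startup: {line[:80]}")
    return findings

def pth_owners(site_dir):
    """Map .pth file names in site_dir to the installed distribution whose RECORD lists them."""
    owners = {}
    for dist in importlib.metadata.distributions(path=[str(site_dir)]):
        for f in dist.files or []:
            if f.name.endswith(".pth"):
                owners[f.name] = dist.metadata["Name"]
    return owners

def audit_site_packages(site_dir):
    """Audit every .pth directly inside site_dir (site.py ignores subdirectories)."""
    owners = pth_owners(site_dir)
    findings = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        text = pth.read_text(encoding="utf-8", errors="replace")
        findings.extend(audit_pth_text(pth.name, text, owners.get(pth.name)))
    return findings

# Constructed sample .pth contents for demonstration, not indicators from the report.
BENIGN_PTH = "/opt/myproject/src\n# comment\n"
VIRTUALENV_PTH = "import _virtualenv\n"
SMUGGLED_PTH = "import sys;exec(__import__('base64').b64decode('PAYLOAD_PLACEHOLDER'))\n"

if __name__ == "__main__":
    for d in site.getsitepackages() + [site.getusersitepackages()]:
        if Path(d).is_dir():
            print("\n".join(audit_site_packages(Path(d))) or f"{d}: no executable .pth lines")
```

A "medium" finding on a file owned by a known distribution (virtualenv, editable installs) is normal; a "high" finding on a file nobody owns is the case worth investigating, ideally from a scheduled job rather than only at incident time.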

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
