Shai-Hulud Worm Forges Sigstore Provenance, Infects npm and PyPI

The Shai-Hulud worm quickly spread through npm and PyPI packages, forging Sigstore provenance to look like trusted builds. Investigators say the attack mixed old account takeover tricks with new ways to hijack CI pipelines, and did not need stolen credentials at first. The worm's payloads could steal credentials, set up persistence in code editor configs, and sometimes wipe disks if the computer matched certain locations. Experts suggest this attack may have both money and geopolitical motives. It is still unclear how common forged provenance will become, but early signs show attackers may prefer tricks that fool trust checks over brute force methods.

The Shai-Hulud worm, a novel supply chain attack, is actively infecting npm and PyPI packages by forging Sigstore provenance to impersonate trusted builds. Researchers observed the worm compromise a significant number of packages within hours of its release by threat actor TeamPCP, highlighting a new level of sophistication.

Security investigators report the campaign combines traditional account takeover methods with novel CI/CD pipeline hijacking techniques. According to industry reports, a significant wave introduced malicious npm packages with valid SLSA provenance that notably required no stolen credentials for the initial breach. This evolution in tactics indicates a shift towards compromising the software verification layer, not just the code.

Attack Timeline and Scale of Infection

The Shai-Hulud worm is a supply chain attack that compromises developer accounts to inject malicious code into software packages. It hijacks CI/CD pipelines to forge Sigstore provenance, making the malicious packages appear legitimate and bypassing security checks that rely on verifiable build attestations.

The worm's propagation was exceptionally fast. Security researchers report that compromised accounts published many malicious npm releases in a short timeframe. Within 48 hours, this escalated to affect projects like TanStack and UiPath, impacting millions of cumulative downloads. Concurrently, stolen OAuth tokens from Heroku and Travis CI were used to download private repositories.

Multi-Stage Payload and Geopolitical Motives

Analysis of the worm's payload reveals a multi-stage attack strategy:

A credential stealer targeting cloud keys, cryptocurrency wallets, and CI tokens.
Persistence hooks installed in VS Code and Claude Code configuration files.
A dead-drop command channel using GitHub API commits with the label IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner.

Furthermore, incident reports confirm at least one PyPI package contained a disk wiper. This destructive component activated if the host system's locale was set to Israel or Iran, suggesting the attack may have blended geopolitical motives with financial crime.

The Threat of Forged Sigstore Provenance

Sigstore's code signing framework is intended to provide verifiable proof that a software package was created by a trusted source. By successfully forging these attestations, TeamPCP bypassed the very security gates many organizations implement for deployment. As Practical DevSecOps guidance warns, provenance forgery is a critical threat on par with direct build tampering and dependency poisoning, as it fundamentally undermines trust in the build process.

The attack exploited GitHub Actions' trusted publishing feature. According to security researchers, malicious code within a seemingly benign workflow used OpenID Connect (OIDC) to generate short-lived publishing tokens. This allowed the worm to spread without needing a maintainer's static npm token, shifting the attack surface from developer machines to the CI infrastructure itself - an often-overlooked area in security monitoring.

Industry Response and Mitigation Strategies

While maintainers acted quickly to revoke tokens and rotate secrets, SANS ISC researchers found that persistence hooks could re-execute the malware whenever an infected IDE restarted. This implies that remediation requires more than just registry cleanups; it necessitates thorough cleanup of developer workstations.

In response, security teams are focusing on several key controls:

Enforce strict provenance policies that validate the builder identity, repository URI, and commit SHA before promoting artifacts.
Limit OIDC token scopes within CI workflows and disable the pull_request_target trigger whenever possible.
Actively monitor transparency logs for anomalous signing activities or patterns.

Whether forged provenance becomes a frequent tactic remains under study. However, this incident demonstrates that attackers see value in corrupting trust signals rather than brute-forcing signatures, especially when speed and scale are priorities.

What is the Shai-Hulud worm and how fast did it spread?

The Shai-Hulud worm is a self-replicating supply-chain malware open-sourced by the threat actor TeamPCP.
Reported figures vary by source: about 314 packages were affected in ~22 minutes, with 637 - 639 malicious versions across 323 - 324 packages on May 19, 2026, and roughly 16 million weekly downloads were exposed. The attack is described as credential-harvesting and self-propagating.

How did attackers forge Sigstore provenance and why does it matter?

By hijacking GitHub Actions and abusing the "pull_request_target" trigger, the worm extracted OIDC tokens from runner memory and used them to mint short-lived npm publish tokens.
These tokens let the malware generate valid Sigstore attestations, so every poisoned package appeared to come from a trusted builder.
Because many CI/CD gates automatically accept artifacts with "verified" provenance, the forgery bypassed policy checks and eroded the trust signal that Sigstore was designed to create.

Which AI coding assistants were compromised and what was the impact?

Shai-Hulud planted persistent hooks inside Claude Code and VS Code (.vscode/tasks.json, ~/.claude/settings.json).
Whenever a developer relaunched the editor the malware re-executed a credential stealer that harvested GitHub, cloud and wallet secrets, then re-published itself through the same AI-assisted workflows - turning productivity tools into distribution engines.

Was destructive payload limited to credential theft?

No.
The PyPI package "durabletask" carried a disk-wiper that activated when the host locale matched Israeli or Iranian settings, deleting user files and Kubernetes DaemonSets.
This geopolitically keyed sabotage shows the campaign blended financial crime with targeted disruption.

What practical steps reduce the risk of similar worms?

Pin every dependency with a lock-file; never run open-range installs.
Enforce multi-factor publishing and rotate registry tokens on a schedule.
Verify Sigstore provenance against expected issuer, repository and workflow path - reject any mismatch.
Isolate CI jobs on ephemeral, minimally scoped runners and disable pull_request_target where possible.
Audit IDE extensions and agent permissions; block unsigned or newly-registered packages suggested by AI assistants.