CRITICAL ⚡ MUST-KNOW
TeamPCP Releases Shai-Hulud Worm Source Code, Invites Supply Chain Attacks with Monetary Rewards
TeamPCP, the threat actor behind the Shai-Hulud supply chain worm already used against Bitwarden, TanStack, and OpenAI’s corporate environment, publicly released the worm’s full source code. The group is actively recruiting other threat actors to deploy it in new supply chain attacks and offering monetary rewards for successful compromises. Open-sourcing this tooling dramatically lowers the barrier for copycat campaigns targeting npm and potentially other package ecosystems. Security teams should increase scrutiny of newly published and recently updated packages, enforce lock-file pinning in CI/CD pipelines, and verify package checksums against trusted registries before deployment.
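As an added illustration of the last two recommendations (lock-file pinning and checksum verification), not code from the original alert or from any project it names, the following Python audit walks a `package-lock.json` (lockfileVersion 2/3), flags dependencies with no pinned `resolved`/`integrity` pair, flags entries resolved from a host outside an assumed trusted-registry set, and recomputes the SRI hash of tarball bytes against the lockfile; the lockfile and tarball contents are constructed inline.

```python
import base64
import hashlib
from urllib.parse import urlparse

TRUSTED_HOSTS = {"registry.npmjs.org"}  # assumption: the registry your organisation trusts

def sri_digest(data: bytes, algo: str = "sha512") -> str:
    """Subresource Integrity string in the form package-lock.json stores it (algo-base64digest)."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"

def audit_lockfile(lock: dict, tarballs: dict) -> list:
    """Check every lockfileVersion 2/3 entry: pinned and hashed, trusted origin, hash matches bytes.
    tarballs maps lockfile path -> tarball bytes fetched earlier; paths absent from it skip the hash check."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":  # root project entry, not a dependency
            continue
        resolved, integrity = entry.get("resolved"), entry.get("integrity")
        if not resolved or not integrity:
            findings.append((path, "not pinned: missing resolved URL or integrity hash"))
            continue
        host = urlparse(resolved).hostname
        if host not in TRUSTED_HOSTS:
            findings.append((path, f"resolved from untrusted host {host}"))
        if path in tarballs and sri_digest(tarballs[path], integrity.split("-", 1)[0]) != integrity:
            findings.append((path, "integrity mismatch: tarball differs from lockfile hash"))
    return findings

# Constructed sample data (not real packages): one clean entry, one unpinned, one tampered.
GOOD = b"constructed tarball bytes for good-pkg"
ORIG = b"constructed tarball bytes for tampered-pkg as originally published"
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/good-pkg": {"version": "1.2.3", "integrity": sri_digest(GOOD),
                                  "resolved": "https://registry.npmjs.org/good-pkg/-/good-pkg-1.2.3.tgz"},
        "node_modules/unpinned-pkg": {"version": "0.1.0"},
        "node_modules/tampered-pkg": {"version": "2.0.0", "integrity": sri_digest(ORIG),
                                      "resolved": "https://mirror.example.invalid/tampered-pkg-2.0.0.tgz"},
    },
}
# The tampered tarball no longer matches the hash recorded when the lockfile was generated.
SAMPLE_TARBALLS = {"node_modules/good-pkg": GOOD, "node_modules/tampered-pkg": ORIG + b" (modified)"}

def run_sample() -> list:
    """Run the audit over the constructed lockfile; returns (path, problem) tuples."""
    return audit_lockfile(SAMPLE_LOCK, SAMPLE_TARBALLS)
```

In a CI gate, fail the build when `audit_lockfile` returns any finding, and pair it with `npm ci` so the lockfile, not a floating range, decides what is installed.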