#Malware

TeamPCP open-sources Shai-Hulud worm; BreachForums runs paid attack challenge

May 12: TeamPCP open-sourced the Shai-Hulud worm on GitHub. Datadog mapped its module pipeline (Loader/Provider/Collector/Dispatcher/Sender/Mutator) and Claude Code SessionStart hook for persistence. May 15: BreachForums opened a paid attack challenge. Detection notes for the copycat wave.

node-ipc 9.x/12.0.1 stealer on require(): 12.0.1 hash-gated, not postinstall

Malicious node-ipc 9.1.6/9.2.3/12.0.1 fire on require(), not postinstall. 12.0.1 is SHA-256 gated (targeted), so a working app isn't safe. Exfils dev/CI secrets via DNS TXT.

PCPJack credential stealer chains 5 CVEs to worm through Docker, Kubernetes, Redis, and RayML

SentinelOne's PCPJack report broken down: initial access via Next.js and WordPress CVEs, lateral movement through Docker sockets, Kubernetes Secrets, Redis cron rewrite, and RayML job injection. IOCs and hardening steps included.

Vercel's April 23 Update Confirms a Pre-existing Compromise Separate from Context.ai—Lumma Stealer Suspected of Targeting Vercel Tokens Directly

In its April 23 update, Vercel disclosed customer accounts compromised prior to and independently of the Context.ai incident. Covering the Lumma Stealer infection path, the ShinyHunters $2M BreachForums listing, and what non-sensitive environment variables actually mean.

GlassWorm now uses Zig-compiled native droppers to infect every IDE on a machine

The latest GlassWorm wave bundles Zig-compiled native binaries in an Open VSX extension and silently installs a second-stage payload across VS Code, Cursor, Windsurf, VSCodium, and Positron.

36 fake Strapi plugins on npm targeted a crypto exchange with Redis RCE and PostgreSQL credential theft

36 malicious npm packages disguised as Strapi CMS plugins were published by 4 sock-puppet accounts. 8 payload variants deployed Redis crontab injection, PostgreSQL direct access, reverse shells, and persistent implants. The target appears to be crypto exchange Guardarian.

axios maintainer explains North Korean UNC1069's social engineering playbook: fake Slack invite, then a Teams call that delivered a RAT

The axios postmortem from maintainer Jason Saayman lays out the full social-engineering chain: a fake company Slack workspace, a fake Teams meeting, and a RAT that took over the machine. 2FA and OIDC were both bypassed.

Axios with 100 million weekly downloads was hijacked by npm and a cross-platform RAT was launched

A fake dependency plain-crypto-js was injected into axios 1.14.1 and 0.30.4 to install a RAT dropper via a postinstall hook. Complete attack chain from maintainer account compromise to C2 communication and self-deletion.

TeamPCP infected telnyx Python SDK with PyPI and stole API credentials with payload embedded in WAV audio

On March 27, 2026, telnyx Python SDK v4.87.1/4.87.2 was contaminated with PyPI. TeamPCP collects authentication information for OpenAI, Anthropic, AWS, and GCP by hiding payloads in WAV files. 742K downloads per month.

TeamPCP poisoned the LiteLLM PyPI package and embedded malware that steals more than 50 kinds of credentials

LiteLLM 1.82.7 and 1.82.8 were poisoned on PyPI for about 46 minutes. TeamPCP stole a PyPI token through Trivy's CI/CD and injected malware that collects more than 50 credential types, including SSH keys, AWS, Kubernetes, and Docker secrets.

GlassWorm surges on Open VSX, and the campaign has evolved into transitive infection through extension dependencies

GlassWorm has expanded to 72 Open VSX extensions, 151 GitHub repositories, and 88 npm packages, while a new supply-chain technique now abuses extensionDependencies as a delivery channel.

“StegaBin” hides C2 with Pastebin zero-width characters and distributes malicious npm packages

North Korean Famous Chollima has released 26 npm packages as an extension of the Contagious Interview campaign. Hiding C2 with zero-width Unicode characters in a Pastebin essay and deploying a 9-module RAT via 31 Vercel deployments.