Shai-Hulud Worm Steals Developer Secrets from GitHub Kubernetes

Shai-Hulud, a newly discovered and dangerous malware, has quickly distinguished itself as one of the most alarming supply chain threats identified in 2026.

It is a self-propagating worm that quietly tunnels through developer environments, stealing credentials from npm, GitHub, AWS, and Kubernetes all at once.

Hundreds of malicious packages have already been tied to this campaign, making it one of the largest npm supply chain attacks in recent memory.

The malware takes its name from the giant sandworm in the science fiction novel Dune, a creature known for devouring everything in its path.

That name was not chosen by accident. Shai-Hulud was built specifically to devour every sensitive credential it can find, from cloud access keys to authentication tokens buried deep in CI/CD pipelines.

Analysts at SlowMist said in a report shared with Cyber Security News (CSN) that with the help of their MistEye threat intelligence system they identified the malware and issued multiple warnings after the threat surfaced publicly.

Their investigation revealed that a threat actor group known as TeamPCP did something that shocked the security community on May 12: they deliberately released the full source code of Shai-Hulud on GitHub.

Shai-Hulud Worm: Stealing Secrets From Developer Environments

Rather than a slip-up, this was a calculated “capability diffusion” move designed to multiply the number of attackers who could deploy the tool.

TeamPCP spread the malware through hacked GitHub accounts, attached a full deployment manual to the repositories, and even titled their uploads “A Gift From TeamPCP” with a tone of open mockery.

Security researchers quickly noticed that forks and copycat repositories began appearing almost immediately, with other threat actors modifying the code and expanding its reach across the ecosystem.

The situation escalated further when one forker submitted a pull request to add FreeBSD support, widening the potential target base even more.

The threat has effectively shifted from a tool controlled by one group to something anyone with basic technical knowledge can now deploy independently.

Shai-Hulud operates through a four-layer attack architecture that is notably sophisticated for an open-source malware project.

Once it lands on a system, it immediately sweeps through local files, the GitHub command-line interface, AWS cloud metadata endpoints, Kubernetes service account tokens, and stored API secrets.

All stolen data is then encrypted and sent over HTTPS to the attacker’s command-and-control server before the victim realizes anything went wrong.

The worm’s supply chain implantation step makes it especially dangerous. Once it captures an npm token, it rewrites the victim’s packages, injects malicious code into them, and publishes the poisoned versions to the npm registry.

This means every developer who installs one of those compromised packages becomes the next target, allowing the worm to spread itself automatically across the ecosystem.

The malware’s C2 domain, git-tanstack.com, was deliberately designed to impersonate the legitimate tanstack.com domain, making malicious traffic look like routine network activity to anyone monitoring connections.

Targeting Claude Code and Evading Detection

One of the most unusual aspects of this malware is that it specifically targets Claude Code, the AI coding assistant widely used on developer workstations.

Shai-Hulud modifies Claude’s configuration files and injects execution hooks so that malicious code runs automatically whenever Claude starts.

It also embeds a special string, what researchers call an “Anthropic Magic String,” that tricks Claude into skipping analysis of the malicious account, effectively blinding the AI tool to its own compromise.

The malware also contains logic that skips devices running Russian-language system locales. SlowMist analysts noted this likely points to ties between the developers and Russian-speaking regions, a common pattern seen in financially motivated threat groups.

To protect against this threat, security teams and developers should audit all recent GitHub Actions workflows for unauthorized changes, rotate any npm tokens, GitHub tokens, and AWS credentials that may have been exposed, and check Claude configuration files for unauthorized modifications.

Enterprises should enforce code signing for internal npm packages and enable anomaly detection on CI/CD pipelines to catch unauthorized secret access before it leads to a full breach.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.