"Shai-Hulud: Open Sourcing The Carnage Is it vibe coded? Yes. Does it work? Let results speak. Change keys and C2 as needed. Love - TeamPCP" — the message appears verbatim inside two GitHub repositories linked to the malware crew TeamPCP, security researchers told The Register after Ox spotted the repos on Tuesday.
Ox's discovery and The Register's checks
Security outfit Ox identified a pair of GitHub repositories that contain the Shai-Hulud source and the message above. The Register inspected those repos a few hours before publication, when their fork counts stood at one and 31; by the time of writing those numbers had grown to five and 39. Ox warned that “independent threat actors have already begun modifying it and expanding its reach.”
Ox's reading of the code: familiar patterns and credential exfiltration
Ox analysts who reviewed the repositories said the source code displays “the same patterns from previous Shai-Hulud attacks [that] are immediately recognizable, as expected.” Their review identified behavior consistent with past incidents, including uploading stolen credentials to a new GitHub repository, a tactic Ox highlighted specifically.
How Shai-Hulud operates against the software supply chain
The worm targets npm packages. If it successfully infects a package, it searches for credentials belonging to users of AWS, GCP, Azure, and GitHub. When Shai-Hulud gains credentials, it creates and publishes poisoned code to perpetuate its own spread. If the malware cannot achieve its objectives, it sometimes attempts to wipe the local environment in a self-destructive act.
Forks, copycats and a suspicious FreeBSD pull request
Researchers first found Shai-Hulud in September 2025, and a more powerful variant appeared in November 2025. Since then, imitators have produced copycat malware and the original has “rampaged its way across the internet,” the reporting notes. TeamPCP’s decision to publish the code under the permissive MIT License — allowing broad reuse — appears to have accelerated that trend.
Ox noted additional GitHub activity that raised flags: a user named “agwagwagwa” had forked the malware and submitted a pull request adding FreeBSD support. Ox observed that “TeamPCP’s theme is cats, and agwagwagwa’s GitHub account has a ‘meow!’ repository inside,” and although “we can’t know for sure” whether agwagwagwa is part of TeamPCP, Ox called the connection “very, very suspicious.”
What this means for GitHub, open-source maintainers, and enterprises
- GitHub / Microsoft: The repos containing Shai-Hulud had been online for at least 12 hours at the time of reporting, and “Microsoft’s GitHub appears not to have intervened,” according to The Register. The continued availability of the code under an MIT License raises questions about platform response and takedown decisions.
- Open-source maintainers: The worm’s tactic of poisoning npm packages after harvesting cloud and GitHub credentials places maintainers at risk of unexpected supply-chain contamination if malicious actors reuse the released code.
- Enterprises and cloud users: Because Shai-Hulud looks specifically for AWS, GCP, Azure, and GitHub credentials, organizations that rely on those services face a heightened risk that stolen credentials could be used to publish compromised packages or otherwise propagate malicious changes.
Ox summarized the strategic shift in blunt terms: “TeamPCP isn’t just spreading malware anymore – they’re spreading capability. By going open source, they’ve handed any willing actor the tools to build their own variant. The copycats are already here.” That judgment, together with the rapid rise in forks and an apparent lack of platform intervention, leaves a narrow window for defenders to detect and disrupt new variants before they are incorporated into the supply chain.
Source: The Register — Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub