Shai-Hulud: The Worm That Ate the Software Supply Chain (TeamPCP)
If you work anywhere near open-source infrastructure, CI/CD pipelines, or cloud-native tooling, you need to know about the Mini Shai-Hulud worm. Named after the colossal sandworms of Frank Herbert’s Dune, this self-propagating malware—deployed by the threat actor group TeamPCP—burrowed through the npm and PyPI ecosystems in May 2026, compromising hundreds of packages and turning trusted developer tooling into a weapon. This is not a theoretical supply chain risk. This is one of the most sophisticated attacks the open-source ecosystem has ever faced....