Shai-Hulud Part 2: When the Worm Forged Its Own Security Certificate by Lucie Cardiet
ID: dc290d89-2e25-5574-9c9c-fc84cc545b9f
STIX ID: report--dc290d89-2e25-5574-9c9c-fc84cc545b9f
Feed Name: Vectra AI Blog
The report dissects the Shai-Hulud supply-chain worm (open-sourced by TeamPCP), which extracts GitHub Actions OIDC tokens from runner memory, uses them to request Sigstore Fulcio certificates, and then signs SLSA Build Level 3 attestations with cosign, so that poisoned packages appear legitimately signed. A May 2026 campaign affected TanStack and over 170 packages (401 malicious versions). The report explains why provenance checks fail (the attestation is accurate about the signing identity but cannot attest to the intended code), outlines behavioral detection signals spanning GitHub, Sigstore, and npm logs, and warns that the public release of the toolkit will enable rapid, cross-platform proliferation and make signature-based scanning ineffective.
