Shai-Hulud code drop: It’s open season
ID: a76a63c0-c826-5b15-a60c-15b000fea620
STIX ID: report--a76a63c0-c826-5b15-a60c-15b000fea620
Feed Name: ReversingLabs Blog
TeamPCP publicly released the Shai-Hulud malware source code, and researchers observed an active supply-chain campaign (the “Mini Shai-Hulud” attacks) that has compromised 150+ npm and PyPI packages. Shai-Hulud is a comprehensive offensive framework that harvests secrets (GitHub tokens, cloud credentials, npm tokens), poisons CI/CD pipelines and packages, persists via background services and a deadman switch, and exfiltrates data to attacker-controlled endpoints. This substantially raises the risk of widespread, reusable supply-chain compromises and copycat variants.
