TeamPCP Supply Chain Campaign: Activity Through 2026-05-17 (Mon, May 18th)
ID: 27e6a464-4b61-5ef2-bbe4-5ff006c90dde
STIX ID: report--27e6a464-4b61-5ef2-bbe4-5ff006c90dde
Feed Name: SANS ISC Diary
A TeamPCP supply-chain campaign recently escalated. Attackers trojanized the Checkmarx Jenkins AST plugin and deployed a self-spreading Mini Shai-Hulud worm that poisoned roughly 170 npm/PyPI packages (including high-download TanStack packages) using TanStack's CI identity and valid SLSA Build Level 3 provenance. The wave included credential theft, developer-tool persistence, and a probabilistic (1-in-6) destructive wipe targeting Israeli and Iranian locales. Indicators are confirmed and exploitation is active, requiring urgent dependency audits, token rotation, and lockfile pinning.
