TeamPCP Supply Chain Campaign: Activity Through 2026-06-07, (Mon, Jun 8th)

This diary reports that CISA added multiple TeamPCP-related CVEs to the KEV catalog and issued an advisory after Nx Console and GitHub repository compromises, while the public release of the Mini Shai-Hulud framework coincided with large npm waves (Wiz’s "Miasma" and StepSecurity’s "Phantom Gyp") that delivered credential-stealing worms via subverted CI pipelines and install-time hooks (including binding.gyp/node-gyp abuse), impacting dozens of packages and many malicious versions; vendors confirm Mini Shai-Hulud lineage but warn copycats are possible, and defenders are advised to rotate CI/CD secrets, review logs, and monitor install-time behavior beyond package.json.