TeamPCP / Mini Shai-Hulud - Developer Supply-Chain Scope Expansion
UPDATE: TeamPCP / Mini Shai-Hulud Expands Across Trusted Developer Channels
Confidence: Medium
Previously covered 24 May 2026; today's delta: the 26 May intelligence sweep records explicit scope-expanded and new-victim proof for additional named downstream exposure.
The publishable story today is not a new campaign. It is a material scope update to the already-tracked TeamPCP / Mini Shai-Hulud developer-supply-chain campaign. SANS ISC reporting expands the known exposure set to GitHub internal repositories, Microsoft-published PyPI durabletask versions 1.4.1, 1.4.2, and 1.4.3, OpenAI, Grafana Labs, and Mistral AI.
That combination matters because it crosses several trust boundaries at once. The same update ties the activity to nrwl.angular-console / Nx Console VS Code extension v18.95.0 and @antv npm package activity. For defenders, the practical risk is not just whether one package was malicious. It is whether developer workstations, CI jobs, repositories, cloud credentials, and AI-assistant configuration files were exposed during the relevant install windows.
a13e rates the update medium confidence. The material-update proof is present in today's collected reporting, but there is no fresh UK or EU Tier-0 advisory in the corpus, and some adjacent breach and supply-chain leads remain feed-line-only or blocked by fetch limits. That keeps the recommendation focused: check exposure paths and rotate secrets where plausible, but do not inflate watchlist items into confirmed findings.
Watchlist Items Kept Out Of Today's Findings
Confidence: Medium
a13e deliberately holds several high-interest items below the publication threshold. TrapDoor, Laravel-Lang, Packagist package reporting, the UK water-firm breach lead, Megalodon / GitHub repository reporting, DocketWise, Radiology Associates, Oncology Institute, npm control changes, and X-only ransomware claims remain watchlist or context items.
The reason is consistent: the accessible corpus lacks a second source, vendor notice, registry action, technical root cause, IOC, patch state, regulator notice, or separate material-update proof. This restraint is useful. It stops yesterday's patch-watch and breach noise from being repackaged as fresh intelligence without enough evidence.
Why This Matters
Developer supply-chain incidents are hard to bound because trust signals can look clean until after exposure has already happened. Verified publisher status, official package ownership, and familiar registry locations do not prove that a build path, extension install, CI workflow, or repository secret stayed safe.
Today's decision value is specific: prioritise developer and CI exposure review for the named channels before spending time on broader watchlist noise.
Recommended Actions
- Check for nrwl.angular-console v18.95.0, PyPI durabletask 1.4.1-1.4.3, and cited @antv package exposure in developer and CI environments.
- Hunt repositories and CI logs for unexpected package lifecycle scripts, marketplace extension installs, .cursorrules, CLAUDE.md, Git hooks, systemd or cron persistence strings, GitHub Releases payload downloads, flipboxstudio[.]info, /tmp/.sshd, and related indicators cited in the 26 May sweep.
- Rotate developer, GitHub, cloud, and CI secrets where install-window exposure is plausible.
- Keep TrapDoor, Laravel-Lang, Packagist, Megalodon, breach-notice, and X-only ransomware items in watchlist handling until stronger evidence appears.
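A triage helper for the first two actions above, added here as an illustration and not part of the a13e brief: it matches `pip freeze` and `code --list-extensions --show-versions` output against the named durabletask and Nx Console versions, and scans collected repository files for the cited indicator strings, lifecycle scripts and AI-assistant or hook files. The sample inputs are constructed; the domain is re-fanged only for string matching.

```python
import re

# Named exposure set from the 26 May sweep; versions are exact matches.
EXPOSED_PYPI = {("durabletask", v) for v in ("1.4.1", "1.4.2", "1.4.3")}
EXPOSED_VSCODE = {("nrwl.angular-console", "18.95.0")}
# Indicator strings cited in the brief (flipboxstudio[.]info re-fanged).
INDICATORS = ("flipboxstudio.info", "/tmp/.sshd")
# Files the brief names as AI-assistant config or hook persistence locations.
REVIEW_PATHS = (".cursorrules", "CLAUDE.md", ".git/hooks/")


def find_exposed_packages(pip_freeze: str, code_extensions: str) -> list[str]:
    """Return hits from `pip freeze` and `code --list-extensions
    --show-versions` text against the named package/extension versions."""
    hits = []
    for line in pip_freeze.splitlines():
        m = re.fullmatch(r"\s*([A-Za-z0-9_.-]+)==(\S+)\s*", line)
        if m and (m.group(1).lower(), m.group(2)) in EXPOSED_PYPI:
            hits.append(f"pypi:{m.group(1)}=={m.group(2)}")
    for line in code_extensions.splitlines():
        m = re.fullmatch(r"\s*([^@\s]+)@(\S+)\s*", line)
        if m and (m.group(1).lower(), m.group(2)) in EXPOSED_VSCODE:
            hits.append(f"vscode:{m.group(1)}@{m.group(2)}")
    return hits


def scan_repo_files(files: dict[str, str]) -> list[str]:
    """files maps repo-relative path -> contents (e.g. from a CI checkout).
    Flags indicator strings, npm lifecycle scripts, and review-worthy files."""
    findings = []
    for path, text in files.items():
        if any(path == p or path.startswith(p) for p in REVIEW_PATHS):
            findings.append(f"review:{path}")
        if path.endswith("package.json") and re.search(r'"(pre|post)install"', text):
            findings.append(f"lifecycle:{path}")
        for ioc in INDICATORS:
            if ioc in text:
                findings.append(f"ioc:{ioc}:{path}")
    return findings


# Constructed sample inputs (not real host data).
SAMPLE_PIP = "requests==2.31.0\ndurabletask==1.4.2\n"
SAMPLE_EXT = "ms-python.python@2024.4.1\nnrwl.angular-console@18.95.0\n"
SAMPLE_FILES = {
    "package.json": '{"scripts": {"postinstall": "node setup.js"}}',
    ".git/hooks/post-checkout": "#!/bin/sh\n# fetches from flipboxstudio.info\n",
    "CLAUDE.md": "# assistant notes\n",
}

if __name__ == "__main__":
    print(find_exposed_packages(SAMPLE_PIP, SAMPLE_EXT))
    print(scan_repo_files(SAMPLE_FILES))
```

A hit only means the install window is plausible; pair it with the secret rotation step rather than treating it as a confirmed compromise.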
All findings grounded in a13e intelligence sweeps through 04:30 UTC 26 May 2026.