TeamPCP Releases Shai-Hulud Infostealer Source Code on GitHub, Lowering Barrier for Developer-Tool Attacks

TeamPCP has publicly released the source code for the Shai-Hulud infostealer on GitHub, creating immediate concerns within the security community about a potential surge in supply chain attacks targeting developer workstations and npm packages. The malware is specifically engineered to target development environments, including Claude Code, making it a particularly dangerous tool in the hands of less sophisticated threat actors.

The infostealer employs several evasion techniques designed to avoid detection by security tools. Notably, it uses future-dated commits and incorporates anti-AI detection strings, allowing it to blend more effectively into legitimate code repositories. Once deployed, Shai-Hulud harvests a wide range of sensitive data, including credentials, secrets, API keys, session tokens, and cryptocurrency wallets from compromised systems.

Security researchers warn that the public availability of the source code dramatically reduces the technical expertise required to deploy effective infostealer campaigns. Organizations are advised to immediately rotate all developer credentials, with particular attention to npm tokens, cloud API keys, and session tokens. Teams should audit GitHub Actions workflows and Claude Code configuration files for any suspicious hooks or unauthorized modifications. Recently installed npm packages should be treated with heightened scrutiny until their provenance can be verified. The development signals a shift toward increasingly accessible malware toolkits targeting the software supply chain, raising concerns about the long-term integrity of open-source development ecosystems.