Threat Research & Intelligence

name: Mini Shai-Hulud C2 and Exfiltration Infrastructure Connection Analyticcategory: 'Command and Control'threatname: 'Exfiltration Over Web Service'functionality: 'Web Proxy'description: | Detects outbound connections to infrastructure used by the Mini Shai-Hulud npm worm (TeamPCP) for C2 communication and credential exfiltration. The worm uses a dual-channel exfiltration architecture for redundancy: Channel 1 - Session Protocol CDN: Stolen credentials encrypted with RSA-4096-OAEP wrapped AES-256-GCM are uploaded to filev2.getsession.org. The worm hardcodes a TLS cert pin for seed1.getsession.org. Session Protocol is a legitimate privacy messaging service — most enterprises have no legitimate traffic to this domain, but validate against your approved application inventory before deploying the session selector without a filter allowlist. Channel 2 - GitHub G

name: Mini Shai-Hulud Claude Code or VS Code Persistence Hook Injection Analyticcategory: 'Persistence'threatname: 'Event Triggered Execution: Installer Packages'functionality: 'Endpoint Management Systems'description: | Detects unauthorized modifications to Claude Code settings.json or VS Code tasks.json by processes consistent with the Mini Shai-Hulud worm (TeamPCP) persistence mechanism. The worm deploys two IDE-level hooks that re-execute the malicious payload on every developer tool launch: Payload 4: Writes .claude/settings.json with a SessionStart hook that executes .vscode/setup.mjs on every Claude Code session start. Payload 7: Writes .vscode/tasks.json with a folderOpen task that executes .claude/setup.mjs on every VS Code workspace open. Both hooks re-run .claude/router_runtime.js (the Bun worm payload) to re-exfiltrate any newly available cr

name: Mini Shai-Hulud gh-token-monitor Persistence Service Registration Analyticcategory: 'Persistence'threatname: 'Boot or Logon Autostart Execution: Systemd Service'functionality: 'Endpoint Management Systems'description: | Detects the installation of the gh-token-monitor persistence service deployed by the Mini Shai-Hulud npm worm (TeamPCP). After stealing credentials from an npm install context, the worm's Payload 1 installs a platform-native service that continuously monitors for newly available GitHub tokens and re-exfiltrates them on every reboot. The service name gh-token-monitor is campaign-specific and has no known legitimate use. On Linux: ~/.config/systemd/user/gh-token-monitor.service via systemctl --user enable On macOS: ~/Library/LaunchAgents/com.user.gh-token-monitor.plist via launchctl load DEPLOYMENT SCOPE: Developer workstations ONLY. This rule has no value on CI r

name: Bun Runtime Spawned During npm Package Installation Analyticcategory: 'Execution'threatname: 'Command and Scripting Interpreter: JavaScript'functionality: 'Endpoint Management Systems'description: | Detects the Bun JavaScript runtime being silently installed and executed during an npm package installation lifecycle hook, consistent with the Mini Shai-Hulud worm (TeamPCP). The attack embeds a prepare script in a malicious optional dependency (@tanstack/setup) that installs Bun 1.3.13 silently, then executes a 2.3 MB obfuscated payload via bun run. Bun is used specifically because it lacks the --require hook interception used by most Node.js security and monitoring tools, and because its Bun.gunzipSync function is required to decompress the AES-256-GCM encrypted secondary payloads. Bun being spawned as a child of a node/npm install process with known worm payload filenames in the CommandLine

name: Mini Shai-Hulud Runner.Worker Memory Secret Extraction Analyticcategory: 'Credential Access'threatname: 'Unsecured Credentials: CI/CD Object Credentials'functionality: 'Endpoint Management Systems'description: | Detects the secret extraction grep pattern used by the Mini Shai-Hulud npm worm (TeamPCP) to harvest all GitHub Actions secrets from Runner.Worker process memory. The worm executes a Python script via stdin that reads /proc/{Runner.Worker PID}/mem across all readable memory pages, then pipes output through grep targeting the runner's internal masked secret representation: {"value":"...","isSecret":true} The full pipeline executed from within the Bun payload process is: sudo python3 | tr -d '\0' | grep -aoE '"[^"]+":{"value":"[^"]*","isSecret":true}' | sort -u The isSecret string in a grep CommandLine during any package install context has no legitimate use case and is a nea

In Frank Herbert's Dune, a Shai-Hulud is a sandworm: a massive, blind, consuming creature that moves beneath the surface, swallowing everything in its path. It is an apt name for what security researchers discovered on May 11, 2026, buried inside some of the most widely used JavaScript packages in the world.Mini Shai-Hulud is a supply chain worm attributed to a threat group called TeamPCP. It compromised over 160 npm packages, collectively downloaded hundreds of millions of times per week, and it did something that no npm-based attack had managed before: it produced infected packages with valid cryptographic proof of authenticity. To the tools designed to tell you whether a package is trustworthy, these packages looked perfectly legitimate. They were not.This article walks through the technology that makes this attack possible, why it matters, and how to detect it on the systems you actually control.

In Part One, the argument was that AI is undergoing the same miniaturization arc that turned the 1980s brick phone into the supercomputer in your pocket. Pocket-sized devices running 120-billion-parameter models offline. Photonic chips doing in light what used to take racks of silicon. Architecture researchers reverse-engineering frontier models in public. The compute is shrinking, the cost is falling, and the assumptions defenders built their posture on are quietly expiring.But while we have been watching AI shrink downward, into devices, into edge hardware, into your jacket pocket, something else is happening in the other direction entirely. The phone is not just getting smaller. It is also going to orbit.And that changes almost everything about the GPU market, the chip supply chain, and the geopolitics of AI compute.Terafab: The Most Ambitious Vertical Integration Play in Semiconductor History

The proverbial phone is shrinking before my eyes.In the 1980s, the "mobile phone" was a brick. A two-pound, briefcase-attached monument to the idea that wireless communication was possible, if inconvenient. Those who carried one weren't just making calls. They were signaling that technology had crossed a threshold. Today, you carry more compute in your pocket than existed in entire buildings forty years ago. The phone didn't just shrink. It became something unrecognizable.AI is doing the same thing. Right now. And the cybersecurity implications are only beginning to surface.From Cloud Cathedrals to Pocket SupercomputersFor the last several years, running a frontier-class AI model meant paying homage to the cloud. Massive GPU clusters. Enormous energy bills. Data that had to leave your network to be processed somewhere in a hyperscaler's geography. The compute was centralized by necessity, and that centralization gave defenders a chokepoint. You could

name: PowerShell Script Block and Transcription Logging Suppression Analyticcategory: "Defense Evasion"threatname: "Impair Defenses: Indicator Blocking"functionality: "Endpoint Management Systems"description: |  Detects registry modifications that disable PowerShell Script Block Logging  or Transcription Logging under the Windows PowerShell policy keys.  Deep#Door suppresses these controls to prevent logging of its obfuscated  PowerShell execution chain, including embedded payload extraction commands.  Disabling these features removes visibility into decoded runtime commands  and hinders forensic reconstruction of the staging sequence.reference:labels:  - attack.defense_evasion  - attack.t1562.006  - Deep#Doorlogsource:  category: registry_event  product: windowsdetection:  selection:    EventType: "SetValue"    TargetObject|contains:

name: VBScript Backdoor Launcher Dropped to User Startup Folder Analyticcategory: "Persistence"threatname: "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"functionality: "Endpoint Management Systems"description: |  Detects VBScript files created in the user Startup directory, a persistence  mechanism used by Deep#Door to execute the Python backdoor silently at each  user logon without requiring elevated privileges. The implant drops  SystemServices.vbs into the Startup folder to invoke pythonw.exe against  the staged svc.py payload.reference:labels:  - attack.persistence  - attack.t1547.001  - Deep#Doorlogsource:  category: file_event  product: windowsdetection:  selection:    Filename|endswith:      - ".vbs"      - ".vbe"    FilePath|contains:      - '\Microsoft\Windows\Start Menu\Programs\Startup'  cond

name: Windows Firewall Connection Logging Disabled via netsh Analyticcategory: "Defense Evasion"threatname: "Impair Defenses: Disable or Modify System Firewall"functionality: "Endpoint Management Systems"description: |  Detects netsh commands that disable both dropped-connection and allowed-connection  logging across all Windows Firewall profiles. Deep#Door issues these commands  during staging to suppress logging of its outbound bore.pub C2 tunneling traffic,  preventing network-based detection and impeding forensic reconstruction of  attacker communications.reference:labels:  - attack.defense_evasion  - attack.t1562.004  - Deep#Doorlogsource:  category: process_creation  product: windowsdetection:  selection_netsh:    Image|endswith: '\netsh.exe'    CommandLine|contains:      - 'advfirewall set allprofiles logging'  selection_logging_typ

name: Self-Referential Batch Script Payload Extraction Analyticcategory: 'Execution'threatname: 'Command and Scripting Interpreter: Windows Command Shell'functionality: 'Microsoft Windows PowerShell'description: |  Detects PowerShell script block activity consistent with the Deep#Door loader's  self-extraction mechanism. The malware uses an obfuscated batch script  (install_obf.bat) that invokes PowerShell to read its own file contents via  %~f0 (self-file reference) and extract an embedded Python backdoor using  regex pattern matching between #PYTHON_START and #PYTHON_END delimiters.  This staging approach is notable because:    - The dropper is fully self-contained and does not require external downloads    - %~f0 allows the script to reference and parse its own file contents in place    - The payload is recovered using regex extraction rather than a separate archive      or encoded b

On April 19, 2026, Vercel — the cloud platform behind the widely adopted Next.js web framework and a core piece of infrastructure for thousands of JavaScript developers and Web3 projects — publicly confirmed a security incident involving unauthorized access to certain internal systems. The breach did not originate from a direct attack on Vercel's infrastructure. Instead, it followed a classic supply chain compromise path: a third-party AI tool was breached first, which gave the attacker the foothold needed to pivot into Vercel's environment.As of April 21, 2026, the investigation remains active. Vercel is working with Mandiant, law enforcement and Context.ai to determine the full scope of the intrusion.Timeline of EventsDate Event February 2026 A Context.ai employee is compromised with Lumma Stealer after downloading malicious Roblox "auto-farm" scripts and executors

name: Axios Supply Chain Node Spawning curl Download of Python Script to tmp Analyticcategory: 'Execution'threatname: 'Command and Scripting Interpreter: Python'functionality: 'Endpoint Management Systems'description: |  Detects Node.js or npm processes spawning a shell that uses curl to download a Python  script to /tmp and execute it via nohup, consistent with the Linux payload delivery in  the axios supply chain compromise. The malicious setup.js dropper from plain-crypto-js@4.2.1  executes a single shell command: curl downloads the Python RAT (/tmp/ld.py) from the C2  (sfrclak[.]com:8000/6202033) and nohup executes it in the background. The Python RAT  uses only standard library modules, beacons every 60 seconds, supports arbitrary command  execution and binary injection to /tmp/.<hidden>, and reads system data from /proc/ and  /sys/class/dmi/id/. Notably, it does NOT establish persistence — a

name: Axios Supply Chain Anomalous IE8 User Agent with npm Registry POST Body Mimicry Analyticcategory: 'Command and Control'threatname: 'Application Layer Protocol: Web Protocols'functionality: 'Web Proxy'description: |  Detects the C2 beacon pattern used across all three platform variants (macOS, Windows, Linux)  of the axios supply chain RAT. All variants share an identical and highly anomalous User-Agent  string mimicking Internet Explorer 8 on Windows XP (mozilla/4.0 compatible; msie 8.0;  windows nt 5.1; trident/4.0) — a combination effectively extinct in 2026. POST request bodies  are designed to blend with npm registry traffic by prefixing packages.npm.org/product0|1|2,  however npm.org is not the npm registry; it belongs to the National Pastoral Musicians  organization. The C2 endpoint sfrclak[.]com listens on port 8000 (non-standard) and routes  platform-specific payloads based on the product s

name: Axios Supply Chain Renamed PowerShell Executing from ProgramData Analyticcategory: 'Defense Evasion'threatname: 'Masquerading: Rename System Utilities'functionality: 'Endpoint Management Systems'description: |  Detects a Windows Terminal process name (wt.exe) executing from %PROGRAMDATA% with  PowerShell-style arguments, consistent with the axios supply chain RAT delivery chain.  The malicious VBScript dropper copies powershell.exe to C:\ProgramData\wt.exe before  executing the stage-2 RAT. wt.exe is the legitimate filename for Windows Terminal  (WindowsTerminal.exe), making this an intentional naming collision to bypass  process-name-based EDR heuristics. The renamed binary is invoked with -w hidden and  -ep bypass to suppress the window and circumvent execution policy. PowerShell executing  from ProgramData is anomalous under any circumstances; PowerShell masquerading as  Windows Terminal i

name: Axios Supply Chain - npm Lifecycle Hook Spawning VBScript Dropper Analyticcategory: 'Execution'threatname: 'Command and Scripting Interpreter: Visual Basic'functionality: 'Endpoint Management Systems'description: |  Detects npm or Node.js processes spawning cscript.exe or wscript.exe to execute a  VBScript file from a temporary directory, consistent with the malicious postinstall  lifecycle hook in plain-crypto-js@4.2.1 — the phantom dependency injected into the  backdoored axios@1.14.1 and axios@0.30.4 packages. The dropper (setup.js) writes a  hidden-window VBScript to %TEMP% that copies powershell.exe to %PROGRAMDATA%\wt.exe  and fetches the stage-2 PowerShell RAT from the C2 at sfrclak[.]com:8000. The VBScript  self-deletes after execution to reduce forensic artifacts. Any npm install process  that spawns a VBScript interpreter against a temp-resident .vbs file should be considered  highl

name: Masqueraded MSBuild Execution from Windows Startup Folder Analyticsignatureid: TELNYX2category: 'Persistence'threatname: 'Boot or Logon Autostart Execution: Startup Folder'functionality: 'Endpoint Management Systems'description: |  Detects execution of msbuild.exe from the Windows Startup folder, which is a persistence mechanism  used by the TeamPCP Telnyx supply chain malware. The legitimate Microsoft Build Engine (msbuild.exe)  resides in C:\Windows\Microsoft.NET\ and is never present in user Startup directories. The TeamPCP  malware extracts a PE binary from WAV audio steganography (hangup.wav) and writes it to  %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe to achieve persistence across  reboots. The dropped binary is a MinGW-compiled x86_64 PE that performs process hollowing into  dllhost.exe. This rule also detects the companion lock file (msbuild.exe.lock) which the malw

name: TeamPCP Archived Credential Exfiltration via HTTP POST Analyticsignatureid: PXY-TELNYX1category: 'Exfiltration'threatname: 'Exfiltration Over C2 Channel'functionality: 'Web Proxy'description: |Detects HTTP POST requests containing the X-Filename header value "tpcp.tar.gz", which is the consistent exfiltration signature used by TeamPCP across both the LiteLLM and Telnyx supply chain compromises. After harvesting credentials (SSH keys, cloud credentials, .env files, shell histories, cryptocurrency wallets, and Kubernetes tokens), the malware encrypts the collected data with AES-256-CBC, wraps the session key with RSA-4096, bundles both into a gzipped tarball named tpcp.tar.gz, and exfiltrates via HTTP POST with Content-Type: application/octet-stream and header X-Filename: tpcp.tar.gz. Independent validation on March 30, 2026 confirmed the exfiltration endpoint at 83.142.209.203:8080 remains active an

Campaign: TeamPCP — Telnyx PyPI Supply Chain CompromiseSamples: hangup.wav (Windows steganographic carrier), linux_payload.py (decoded _p credential harvester)What Happened...On March 27, 2026, the threat actor group TeamPCP published two trojanized versions (4.87.1 and 4.87.2) of the official Telnyx Python SDK to PyPI. This was the latest link in a credential-chaining supply chain campaign that began on March 19 with the compromise of Aqua Security's Trivy, subsequently spreading to Checkmarx GitHub Actions, LiteLLM, and now Telnyx. The campaign's defining innovation is the use of WAV audio steganography to deliver second-stage payloads, concealing executable binaries inside valid audio containers to evade network inspection and endpoint detection.This breakdown provides a deep technical analysis of both platform-specific attack paths in the Telnyx compromise. For Windows,

Here’s what happened...While browsing a legitimate Formula 1 news site, a programmatic ad creative hijacks your browser session and redirects to a sophisticated social engineering operation impersonating McAfee. The attack chain traversed multiple supply-side platforms (SSPs), a demand-side platform (DSP), and Cloudflare infrastructure before landing on a multi-step scam funnel that used fake virus scans, fabricated threat alerts, an alarm sound, a fake "AI assistant" chat, and an urgency countdown timer — all to drive the victim into purchasing a real McAfee antivirus subscription through a fraudulent affiliate link.This post documents the complete kill chain from initial ad impression to final monetization endpoint, including extracted IOCs, infrastructure analysis, and the social engineering techniques employed.The Initial RedirectThe attack began on racingnews365.com, a well-known F1 racing news site. While browsing on a mob

 On March 11, 2026, the Iran-linked hacktivist group Handala (a.k.a. Handala Hack Team / Void Manticore) executed a destructive wiper attack against Stryker Corporation, wiping devices and servers across the $25 billion medical technology company's global enterprise and idling approximately 56,000 employees in 61+ countries. This is the first confirmed major cyber disruption of a U.S. corporation since joint U.S.-Israeli military strikes on Iran commenced on February 28, 2026 (Operations "Epic Fury" and "Roaring Lion"). The attackers compromised administrator accounts and weaponized Microsoft Intune, Stryker's cloud-based mobile device management (MDM) platform, to issue remote wipe commands to all connected devices — a "living off the land" technique that turned Stryker's own IT management infrastructure against itself. The attack is assessed as retaliatory, timed 11 days after kinetic strikes began, and targeted Stryker specifically for i