The Information Machine

AI as Attack Tool and Attack Target: May 2026 Cybersecurity Moment · history

Version 4

2026-05-23 04:02 UTC · 74 items

What

The TeamPCP Mini Shai-Hulud campaign has now breached GitHub itself: GitHub confirmed that TeamPCP accessed its internal codebase via poisoned VS Code extensions, with approximately 3,800–4,000 internal repositories stolen [1][2][3]. GitHub stated customer data was unaffected [1]. The campaign's scope under CVE-2026-33634 (CVSS 9.4) has expanded to include the Trivy container-security scanner ecosystem alongside LiteLLM, TanStack, Telnyx, Guardrails AI, and Mistral AI [6][7], and the Mini Shai-Hulud worm has been confirmed targeting SAP npm packages [10]. WIRED, Unit 42 (Palo Alto Networks), and Datadog Security Labs — which named a follow-on variant 'Shai-Hulud 2.0' — have joined the growing institutional response [11][12][13].

Why it matters

A confirmed breach of ~4,000 GitHub internal repositories shifts this campaign from an AI-lab infrastructure attack to a compromise of the platform that underlies virtually all modern software development. The VS Code extension attack vector is especially consequential because it targets developer machines directly — bypassing package-registry audits — and creates an infection surface that standard supply chain remediation guidance does not address.

Open questions

  • GitHub says customer data was unaffected [1], but the scope of 3,800–4,000 internal repositories [2][3] raises questions about whether infrastructure secrets, internal tooling, or unreleased product code was exposed — and whether GitHub's 'customer data' framing covers those categories.

  • The poisoned VS Code extension vector [4][5] targets developer machines outside package registries — how many developer machines beyond GitHub's were compromised through the same mechanism, and has a complete list of malicious extensions been published?

  • CVE-2026-33634 now encompasses Trivy [6][7] in addition to the previously named victims — are other DevSecOps tools (SAST scanners, secret detectors, CI runners) also compromised but not yet formally disclosed?

  • Mini Shai-Hulud targeting SAP npm packages [10] suggests the campaign has expanded beyond AI infrastructure into enterprise software supply chains — what is the full current scope of affected ecosystems, and have SAP customers been notified?

Narrative

The TeamPCP supply chain campaign that began with the compromise of TanStack and two OpenAI employee devices in mid-May 2026 escalated into a confirmed breach of GitHub itself. GitHub acknowledged that TeamPCP penetrated its internal codebase via poisoned VS Code extensions, with approximately 3,800–4,000 internal repositories stolen [1][2][3]. GitHub stated customer data was unaffected [1], though the scale of internal repository access raises questions about infrastructure secrets and unreleased product code. The attack vector — malicious VS Code extensions silently installed on developer machines — is distinct from the npm and PyPI package poisoning that characterized earlier stages of the campaign [4][5]. Because VS Code extension compromise targets the developer's machine directly rather than a package registry, it is substantially harder to detect and remediate through the supply chain audits most organizations rely on.

The campaign's formal scope under CVE-2026-33634 (CVSS 9.4) continues to grow. Named victims now include TanStack, OpenAI employee devices, Mistral AI, LiteLLM, Telnyx, Guardrails AI, and — per the latest disclosures — the Trivy container-security scanner ecosystem [6][7]. Zscaler and Endor Labs both published incident updates covering the Trivy compromise [6][7], and LiteLLM published its own official security update [8], with Cycode providing a detailed walkthrough of the LiteLLM attack and remediation steps [9]. Mini Shai-Hulud has additionally been confirmed targeting SAP npm packages [10], pushing the campaign's reach into enterprise software supply chains well beyond the AI developer toolchain that was its original focus. WIRED characterized TeamPCP as 'poisoning open source code at an alarming rate' [11]; Unit 42 (Palo Alto Networks) published a technical analysis of the npm ecosystem compromise [12]; and Datadog Security Labs published a follow-on analysis of what it termed 'Shai-Hulud 2.0' [13], suggesting an evolved or successor variant of the worm rather than a static, single-generation campaign.

Two parallel capability developments deepen the overall threat model. Claude Mythos Preview became the first AI system to autonomously solve both UK AI Safety Institute end-to-end offensive cyber ranges, including one that had defeated every prior model [14]. Analyst Zvi Mowshowitz framed this as a genuine step-change: if AI can attack newly deployed code faster than human teams can patch it, the standard deploy-monitor-patch cadence breaks down, and pre-deployment testing must be conducted at the intensity systems will face after launch [14]. Separately, security researchers confirmed that 'tool poisoning' — embedding hidden data-exfiltration instructions inside AI tool descriptions — works silently against Claude, ChatGPT, Cursor, and other major AI assistants [15]. With nearly half of Microsoft Copilot conversations now involving high-cognition tasks like analysis and decision-making rather than simple lookup [15], a compromised agent doing substantive work is a far more dangerous target than a simple search interface.

The June 12, 2026 deadline for mandatory certificate rotation in OpenAI's iOS, macOS, and Windows applications — required after code-signing certificates were exfiltrated from two OpenAI employee devices [16] — remains weeks away. With the GitHub breach now confirmed and CVE-2026-33634's scope spanning npm, PyPI, Trivy, and SAP packages, the total downstream exposure of the campaign remains an open count.

Timeline

  • 2026-05-11: TeamPCP launches Mini Shai-Hulud campaign via self-spreading worm; 160+ npm and PyPI packages compromised including TanStack; two OpenAI employee devices hit, code-signing certificates exfiltrated [16][30][31]
  • 2026-05-11: Microsoft publishes workplace AI survey; security researchers confirm tool poisoning attacks work silently against Claude, ChatGPT, Cursor, and other major AI assistants [15]
  • 2026-05-13: OpenAI publishes incident response disclosure; mandates app certificate rotation by June 12, 2026 [16]
  • 2026-05-13: Zvi Mowshowitz publishes analysis calling Claude Mythos Preview's autonomous clearance of UK AISI offensive cyber ranges a genuine step-change in AI attack capability [14]
  • 2026-05-16: Broad security community coverage amplifies OpenAI/TanStack disclosure; users urged to update macOS apps before June 12 certificate revocation deadline [17][32][33][34][35]
  • 2026-05-18: Reports emerge that TeamPCP targeted Mistral AI in the same campaign and is selling access to Mistral AI's internal source code repositories [36][37][38][39]
  • 2026-05-19: LiteLLM, Telnyx, and Guardrails AI identified as additional compromised packages; campaign scope confirmed at 160+ packages across npm and PyPI [40][22][41][42]
  • 2026-05-19: CVE-2026-33634 formally assigned with CVSS 9.4 critical severity rating; characterized as most impactful CI/CD supply chain attack of 2026 [43]
  • 2026-05-20: Cloud Security Alliance, Datadog Security Labs, and Akamai publish independent technical analyses; GitGuardian notes three separate supply chain attacks hit npm, PyPI, and Docker Hub within a 48-hour window [21][22][23][24]
  • 2026-05-20: GitHub confirms TeamPCP breach of approximately 3,800–4,000 internal repositories via poisoned VS Code extensions; states customer data was unaffected; WIRED, The Record, Dark Reading, and InfoWorld publish coverage [4][5][27][1][2][3][11]
  • 2026-05-21: CVE-2026-33634 scope expanded to include Trivy container-security scanner ecosystem; LiteLLM publishes official security update; Cycode and Zscaler publish LiteLLM incident analyses; NVD and CVE.org records updated [44][9][6][8][45][7]
  • 2026-05-22: Mini Shai-Hulud confirmed targeting SAP npm packages; Unit 42 and Datadog Security Labs publish 'Shai-Hulud 2.0' analysis; Kusari and Upwind publish technical dissections of the worm's self-replication mechanism [18][19][20][12][13][10]

Perspectives

GitHub

Confirmed the breach, attributed it to TeamPCP via poisoned VS Code extensions, and stated customer data was unaffected — framing the incident as limited in customer impact while acknowledging the theft of approximately 3,800–4,000 internal repositories

Evolution: New voice in this synthesis; GitHub had not previously confirmed or denied the breach claims that circulated on social media as of the prior synthesis, when this remained an open question

OpenAI

Transparency and swift containment: limited blast radius, no customer data or production systems compromised, framing the incident as an industry-wide supply chain threat rather than an OpenAI-specific failure; certificate rotation deadline of June 12 is the actionable user requirement

Evolution: Consistent with OpenAI's practice of proactive security disclosures; the expanding victim list — now including GitHub itself — further validates the 'industry-wide' framing while making the 'limited blast radius' characterization harder to sustain as the campaign's scope continues to grow

Zvi Mowshowitz

Genuinely alarmed by Mythos as a capability threshold requiring a rethink of deployment security cadences; critical of both Commerce-dominated and intelligence-dominated governance proposals as politically captured and insufficiently generalized beyond cybersecurity

Evolution: Consistent long-run skepticism of regulatory capture; sharpened by the Mythos milestone into a more urgent warning that voluntary norms may not hold as capability jumps accelerate

Institutional security research community (CSA, Datadog, Akamai, ReversingLabs, GitGuardian, Unit 42, WIRED)

The TeamPCP campaign is the defining supply chain security event of 2026; the GitHub breach via VS Code extensions represents a qualitative escalation into a new attack surface; 'Shai-Hulud 2.0' suggests the worm has evolved or a successor variant has emerged; SAP ecosystem targeting confirms the campaign extends well beyond AI developer toolchains

Evolution: This cohort grew substantially: Unit 42 and WIRED joined an already active institutional response, and Datadog's 'Shai-Hulud 2.0' framing introduced the possibility of an evolved or second-generation worm rather than a single static campaign — a meaningful reframing of the threat's lifecycle

The Neuron / Microsoft

Tool poisoning is a serious and underappreciated threat; organizational readiness — not individual AI skill — is the primary bottleneck to safe and valuable AI deployment; growing agent usage amplifies the stakes of each unmitigated attack surface

Evolution: Consistent; Microsoft has a commercial interest in the conclusions but the newsletter treats both the productivity and security findings as credible

Broad security community (social media and press amplifiers)

GitHub breach is confirmed and significant; the VS Code extension vector is widely covered as a new attack surface distinct from package-registry poisoning; TeamPCP's claims to be selling access to GitHub and Mistral AI source code are treated as credible given the breach confirmations

Evolution: The unverified GitHub breach claim from the prior synthesis has been confirmed by multiple credible outlets including The Record, InfoWorld, and Dark Reading — shifting this voice from amplifying unverified rumors to reporting on a confirmed incident

Tensions

  • GitHub's official framing — 'customer data unaffected' [1] — sits in tension with the scope of 3,800–4,000 internal repositories stolen [2][3]; security analysts and press coverage have not accepted the 'limited impact' characterization at face value, since internal repositories almost certainly contain infrastructure configuration, tooling secrets, and unreleased product code [1][2][3][11]
  • OpenAI frames the TanStack incident as an industry-wide supply chain shift with limited blast radius [16], but the identification of LiteLLM, Guardrails AI, Trivy, and now GitHub [6][7][1] as additional compromised targets — all infrastructure layers used inside many other applications — suggests the downstream exposure is substantially wider than OpenAI's framing implied [16][6][7][1]
  • Standard supply chain remediation guidance focuses on package registries (npm, PyPI, Docker Hub), but the VS Code extension attack vector [4][5] targets developer machines directly — a fundamentally different and harder-to-audit surface — creating a gap between the remediation advice currently being given and the actual scope of compromise [4][5][23][24]
  • Zvi Mowshowitz argues the Mythos moment must be understood as a preview of broad capability jumps across all domains, not a cybersecurity-specific event [14] — directly at odds with the political and regulatory response, which is treating it as a unique cyber circumstance rather than a general capability threshold [14]

Sources

  1. [1] GitHub confirms being hacked by TeamPCP, says customer data ... — reactive:ai-security-nexus
  2. [2] GitHub admits major source code leak after 3800 internal ... - InfoWorld — reactive:ai-security-nexus
  3. [3] GitHub Confirms Breach, 4K Internal Repos Stolen - Dark Reading — reactive:ai-security-nexus
  4. [4] VS Code Extension Malware: How TeamPCP Breached GitHub — reactive:ai-security-nexus
  5. [5] TeamPCP breached GitHub's internal codebase via poisoned VS ... — reactive:ai-security-nexus
  6. [6] Trivy and LiteLLM Supply Chain Incident (CVE-2026-33634) Update — reactive:ai-security-nexus
  7. [7] Endor Patches | CVE-2026-33634, Trivy ecosystem supply chain was briefly compromised — reactive:ai-security-nexus
  8. [8] Security Update: Suspected Supply Chain Incident | liteLLM — reactive:ai-security-nexus
  9. [9] LiteLLM Supply Chain Attack: What Happened and How to Respond — reactive:ai-security-nexus
  10. [10] Mini Shai-Hulud Targets SAP npm Packages - Upwind Security — reactive:ai-security-nexus
  11. [11] A Hacker Group Is Poisoning Open Source Code at an ... - WIRED — reactive:ai-security-nexus
  12. [12] "Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain ... — reactive:ai-security-nexus
  13. [13] The Shai-Hulud 2.0 npm worm: analysis, and what you need to know | Datadog Security Labs — reactive:ai-security-nexus
  14. [14] Cyber Lack of Security and AI Governance — Zvi's AI Roundups (2026-05-13)
  15. [15] 😺 Microsoft: your company is the AI bottleneck — The Neuron (2026-05-11)
  16. [16] Our response to the TanStack npm supply chain attack — OpenAI Blog (2026-05-13)
  17. [17] OpenAI caught NPM supply chain chaos after employeedevices compromised — reactive:ai-security-nexus (2026-05-16)
  18. [18] Shai Halud: What is Shai-Hulud? Definition & Explanation of the Self-Replicating npm Worm | Kusari® — reactive:ai-security-nexus
  19. [19] Mini Shai-Hulud npm Worm: Dissecting a Multi-Vector Supply Chain Attack - Upwind — reactive:ai-security-nexus
  20. [20] Mini Shai-Hulud: Multi-Ecosystem Developer Supply Chain Attack – Lab Space — reactive:ai-security-nexus
  21. [21] TeamPCP: Cascading Supply Chain Attack on AI/ML Tooling – Lab Space — reactive:ai-security-nexus
  22. [22] LiteLLM and Telnyx compromised on PyPI: Tracing the TeamPCP ... — reactive:ai-security-nexus
  23. [23] The Telnyx SDK on PyPI Compromise and the 2026 TeamPCP ... — reactive:ai-security-nexus
  24. [24] No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and ... — reactive:ai-security-nexus
  25. [25] 2026 Software Supply Chain Security Report - 4th Annual | ReversingLabs — reactive:ai-security-nexus
  26. [26] GitHub TeamPCP Breach, CISA Credential Leak, Mac Malware - May 20, 2026 — reactive:ai-security-nexus
  27. [27] GitHub Breach May 2026: All You Need to Know | Axipro — reactive:ai-security-nexus
  28. [28] What is the significance of the May 2026 GitHub internal repository ... — reactive:ai-security-nexus
  29. [29] Data Breach Alert ‼️ TeamPCP Claims Sale of GitHub ... — reactive:ai-security-nexus
  30. [30] Mini Shai-Hulud: TeamPCP compromette 160+ pacchetti npm e PyPI in un supply chain attack che ha colpito TanStack, Mistra... — reactive:ai-security-nexus (2026-05-19)
  31. [31] A Self-Spreading Supply Chain Attack Compromises TanStack npm ... — reactive:ai-security-nexus
  32. [32] OpenAI impose une mise à jour macOS après une attaque supply chain ayant touché TanStack, des paquets npm et plusieurs a... — reactive:ai-security-nexus (2026-05-16)
  33. [33] OpenAI Confirms Security Breach Via TanStack npm Supply Chain Attack via @knolinfos https://t.co/gORBgXYLpY — reactive:ai-security-nexus (2026-05-16)
  34. [34] 🚨 OPENAI EMPLOYEE DEVICES COMPROMISED — reactive:ai-security-nexus (2026-05-16)
  35. [35] OpenAI Confirms Security Breach Via TanStack npm Supply Chain Attack https://t.co/hyRTbyclv2 — reactive:ai-security-nexus (2026-05-16)
  36. [36] TeamPCP vende repo Mistral AI dopo attacco TanStack su OpenAI — reactive:ai-security-nexus (2026-05-18)
  37. [37] TeamPCP Claims Sale of Mistral AI Repositories Amid Mini Shai ... — reactive:ai-security-nexus
  38. [38] Hackers Put Mistral AI Source Code Up for Sale After Supply Chain Attack — reactive:ai-security-nexus
  39. [39] TeamPCP Claims Sale of Internal Mistral AI Repositories Amid Mini ... — reactive:ai-security-nexus
  40. [40] Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages — reactive:ai-security-nexus
  41. [41] TeamPCP Targets Telnyx Package in Latest Software Supply Chain Attack - Infosecurity Magazine — reactive:ai-security-nexus
  42. [42] Mistral AI among npm, PyPI packages hit by Mini Shai Hulud — reactive:ai-security-nexus
  43. [43] GitHub - ugurrates/teampcp-supply-chain-attack: CVE-2026-33634 (CVSS 9.4) — The most impactful CI/CD supply chain attack of 2026 so far. · GitHub — reactive:ai-security-nexus
  44. [44] NVD - CVE-2026-33634 — reactive:ai-security-nexus
  45. [45] CVE-2026-33634 - CVE Record — reactive:ai-security-nexus