AI as Attack Tool and Attack Target: May 2026 Cybersecurity Moment
Version 6
2026-05-24 09:28 UTC · 202 items
What
CERT-EU has officially confirmed that the European Commission's cloud infrastructure was breached through the Trivy supply chain compromise, exposing data across 30 EU institutions [12][13], resolving previously unverified social-media reporting and establishing public sector IT as a confirmed target class. Mandiant has quantified the total TeamPCP campaign impact at more than 1,000 compromised SaaS environments [14], and Sportradar has been named as an additional victim [14]. The AntV ecosystem attack has grown to 600+ malicious npm packages that fake Sigstore security verification badges to evade detection [16], while Forbes reports TeamPCP demanded a $50,000 ransom from GitHub for the stolen repository access [6]. RedRays has sharpened the AI coding agent threat angle, framing the SAP npm hijacking as a deliberate mechanism to weaponize AI coding agents by injecting malicious packages into the dependency trees those tools automatically install and execute [27].
Why it matters
CERT-EU's confirmation [12] converts the European Commission breach from an unverified claim into a government-certified incident spanning 30 EU institutions, establishing that supply chain vulnerabilities in widely deployed DevSecOps tooling translate directly into government infrastructure compromise. Mandiant's 1,000+ SaaS environments figure [14] reframes Mini Shai-Hulud from a targeted AI-ecosystem event into one of the most broadly distributed supply chain compromises on record. The fake Sigstore badge technique [16] strikes at the provenance verification infrastructure organizations rely on to distinguish legitimate packages from malicious ones, meaning standard supply chain integrity checks cannot be trusted to detect this campaign.
Open questions
Sportradar is named as a victim in SANS ISC Update 006 [14] — what was the scope of its exposure, and how many other enterprise victims have yet to be publicly identified?
Mandiant quantifies '1,000+ SaaS environments' compromised [14] — does this figure represent confirmed breaches, at-risk environments, or a broader exposure estimate, and which SaaS platform categories are most affected?
The AntV attack involves fake Sigstore security verification badges [16] — has the Sigstore project or npm registry responded, and can organizations relying on Sigstore provenance attestation continue to trust those signals?
RedRays frames the SAP attack as deliberately 'weaponizing AI coding agents' through a dependency injection mechanism [27] while Mend.io invoked 'Claude Code' specifically [29] — has Anthropic responded to questions about how Claude Code was involved, and do these analyses describe the same attack mechanism?
Narrative
The TeamPCP threat actor launched the Mini Shai-Hulud supply chain campaign on May 11, 2026, deploying a self-spreading worm across npm and PyPI that compromised more than 170 packages in its initial wave — including the TanStack ecosystem, LiteLLM, Guardrails AI, and Telnyx — reaching two OpenAI employee devices and exfiltrating code-signing certificates that triggered a mandatory rotation deadline of June 12, 2026 for OpenAI's iOS, macOS, and Windows applications [1][2][3]. GitHub confirmed the worm breached approximately 3,800–4,000 of its internal repositories via Nx Console version 18.95.0, a poisoned VS Code extension; Forbes subsequently reported that TeamPCP demanded a $50,000 ransom from GitHub for the stolen access [4][5][6]. GitHub maintained that customer data was unaffected — a characterization security analysts have not accepted at face value, given that internal repositories almost certainly contain infrastructure configuration, tooling secrets, and unreleased product code [7][8]. CVE-2026-33634 (CVSS 9.4) was formally assigned, CISA added it to its Known Exploited Vulnerabilities catalog [9][10], and Broadcom confirmed downstream exposure in Tanzu Application Platform and Spring Enterprise through the Trivy container-security scanner compromise [11].
CERT-EU, the European Union's official cybersecurity body, has confirmed that the European Commission's cloud infrastructure was breached via the Trivy supply chain compromise, with data exposed across 30 EU institutions [12][13]. SANS ISC's Update 006 on the campaign — which also names Sportradar as an additional victim — includes Mandiant's quantification of the total campaign impact at more than 1,000 compromised SaaS environments [14], a figure that reframes Mini Shai-Hulud from a targeted AI-ecosystem incident into one of the most broadly distributed enterprise supply chain compromises on record. The Cloud Security Alliance has characterized the campaign as a two-wave operation, naming the combined attack 'Shai-Hulud/Megalodon' to distinguish the initial AI developer toolchain wave from the subsequent AntV data visualization ecosystem attack [15].
The AntV wave has grown substantially beyond initial estimates. Endor Labs, Chainguard, Semgrep, IBM X-Force, Orca Security, ThreatLocker, StepSecurity, and Microsoft Security Blog each published independent analyses, with Endor Labs reporting 600+ malicious npm packages — double the 300+ figure from earlier reporting [16][17][18][19][20][21][22][23]. A newly identified evasion technique involves faking Sigstore security verification badges on npm registry entries [16], targeting the provenance attestation infrastructure that organizations rely on to verify package legitimacy. Semgrep identified that worm activity was revived through a compromised maintainer account for the antv, timeago, and size-sensor packages [18]. Phoenix Security reports the campaign has deployed confirmed active payloads with memory-scraping capabilities and has compromised 2,500+ GitHub repositories in this wave [24], a figure that appears to reflect repositories beyond the 3,800–4,000 GitHub internal repositories previously confirmed by GitHub itself. TeamPCP has been observed on social media actively marketing its stolen access [25], and Endor Labs published a practitioner's incident response guide for organizations affected by the campaign [26].
The AI coding agent attack surface has become the campaign's most analytically contested dimension. RedRays published analysis framing the SAP npm hijacking as a deliberate mechanism to 'weaponize AI coding agents' — the malicious packages are designed to inject themselves into the dependency trees that AI coding tools automatically install and execute, redirecting agent behavior toward cloud credential theft and worm propagation [27]. Runtime.news published a concurrent editorial warning that the combination of supply chain attacks and coding agents represents a qualitatively new threat category requiring a different defensive posture than traditional package poisoning [28]. Mend.io previously published a claim that the SAP Cloud Application Programming Model segment ran 'via Claude Code' [29][30], a framing not yet corroborated by independent sources but consistent with the RedRays mechanism if Anthropic's AI coding assistant was among the targeted agent environments. Unit 42 published analysis of TeamPCP's multi-stage attack architecture against security infrastructure [31], and Phoenix Security documented memory-scraping payloads as confirmed active components of the campaign [24]. On the offensive AI capability front, AISI's official evaluation of Claude Mythos Preview — which autonomously cleared both UK offensive cyber ranges including a 32-step scenario — and NIST's CAISI formalization as the US pre-deployment AI compliance gate provide the governance backdrop against which the widening campaign continues to unfold [32][33][34].
Timeline
- 2026-05-05: US Department of Commerce finalizes expanded AI safety-testing agreements with Google, Microsoft, and xAI through NIST's CAISI; Politico reports on federal pre-deployment AI vetting formalization [34][53]
- 2026-05-11: TeamPCP launches Mini Shai-Hulud campaign via self-spreading worm; 160+ npm and PyPI packages compromised including TanStack; two OpenAI employee devices hit, code-signing certificates exfiltrated [1][2][3]
- 2026-05-11: Security researchers confirm tool poisoning attacks work silently against Claude, ChatGPT, Cursor, and other major AI assistants [78]
- 2026-05-13: OpenAI publishes incident response disclosure; mandates app certificate rotation by June 12, 2026; Zvi Mowshowitz and AISI publish analyses characterizing Claude Mythos Preview's autonomous clearance of UK offensive cyber ranges as a genuine AI capability threshold [1][51][33]
- 2026-05-16: Broad security community coverage amplifies OpenAI/TanStack disclosure; users urged to update macOS apps before June 12 certificate revocation deadline [39][91][92][93][94]
- 2026-05-18: Reports emerge that TeamPCP targeted Mistral AI and is selling access to Mistral AI's internal source code repositories [95][96][97][98]
- 2026-05-19: LiteLLM, Telnyx, and Guardrails AI identified as additional compromised packages; campaign scope confirmed at 160+ packages across npm and PyPI; CVE-2026-33634 formally assigned with CVSS 9.4 critical severity rating [99][9][70][100][101]
- 2026-05-20: GitHub confirms TeamPCP breach of approximately 3,800–4,000 internal repositories via Nx Console version 18.95.0; Forbes reports TeamPCP demanded $50,000 ransom from GitHub; BleepingComputer, Varonis, Ox Security, StepSecurity, Aikido Security, Cloud Security Alliance, Datadog Security Labs, and Akamai publish independent analyses [4][35][5][36][56][57][7][37][38][8][6][69][70][71][72]
- 2026-05-21: CVE-2026-33634 scope expanded to include Trivy container-security scanner; LiteLLM publishes official security update; GitLab Advisory Database and Aqua Security publish formal Trivy advisory; LegitSecurity publishes incident response playbooks [102][103][104][105][106][107][108][109][58]
- 2026-05-22: Mini Shai-Hulud confirmed targeting SAP npm packages; Unit 42 and Datadog Security Labs publish 'Shai-Hulud 2.0' analysis; CISA adds CVE-2026-33634 to Known Exploited Vulnerabilities catalog; Broadcom issues impact assessment for Tanzu Application Platform and Spring Enterprise [64][65][66][67][68][110][10][11]
- 2026-05-23: AntV ecosystem attack confirmed with 600+ malicious npm packages faking Sigstore badges; Semgrep identifies worm revival via compromised maintainer of antv, timeago, and size-sensor packages; IBM X-Force, Orca Security, ThreatLocker, StepSecurity, Microsoft Security Blog, and Chainguard publish independent AntV analyses; Mend.io and RedRays publish analyses framing SAP attack as weaponizing AI coding agents; CSA characterizes campaign as two-wave 'Shai-Hulud/Megalodon'; Endor Labs publishes practitioner incident response guide [16][17][18][19][20][21][22][23][29][27][15][26][28]
- 2026-05-24: CERT-EU officially confirms European Commission cloud breach via Trivy supply chain exposed data across 30 EU institutions; Mandiant quantifies total campaign at 1,000+ compromised SaaS environments; Sportradar named as additional victim [14][42][12][13]
Perspectives
GitHub
Confirmed the breach via Nx Console version 18.95.0, maintained that customer data was unaffected, and framed the incident as limited in customer impact while acknowledging the theft of approximately 3,800–4,000 internal repositories
Evolution: Forbes' reporting of a $50,000 extortion demand from TeamPCP adds context that the attackers placed significant monetary value on the stolen access — in tension with GitHub's 'limited impact' characterization
OpenAI
Transparency and swift containment: limited blast radius, no customer data or production systems compromised, framing the incident as an industry-wide supply chain threat rather than an OpenAI-specific failure; certificate rotation deadline of June 12 is the actionable user requirement
Evolution: Consistent with prior stance; CERT-EU's confirmation of 30 EU institutions' exposure and Mandiant's 1,000+ SaaS environments figure further challenge the 'limited blast radius' characterization for the campaign as a whole
CERT-EU
Official confirmation that the European Commission's cloud infrastructure was breached through the Trivy supply chain compromise, with data exposed across 30 EU institutions — establishing that vulnerabilities in widely deployed DevSecOps supply chain tooling translate directly into government IT compromise
Evolution: New official voice in this synthesis; the confirmation resolves the previously unverified social media reporting from the prior pass and elevates the campaign's institutional significance
Mandiant
The total TeamPCP campaign has compromised more than 1,000 SaaS environments — a scale figure that reframes Mini Shai-Hulud from a targeted AI-ecosystem incident to one of the most broadly distributed enterprise supply chain compromises on record
Evolution: New quantitative voice in this synthesis; Mandiant's figure is the most comprehensive campaign-scale estimate published to date
RedRays
The SAP npm hijacking was specifically designed to weaponize AI coding agents by injecting malicious packages into the dependency trees that those tools automatically install and execute, redirecting agent behavior toward cloud credential theft and worm propagation — a mechanism-level explanation more specific than Mend.io's 'via Claude Code' headline framing
Evolution: New voice in this synthesis; provides the first mechanism-level account of how AI coding tools factor into the attack, moving the debate from attribution to attack architecture
Mend.io
The SAP CAP segment of the supply chain attack ran 'via Claude Code,' implicating Anthropic's AI coding assistant as a vector or surface in the attack
Evolution: Consistent; the RedRays 'weaponize AI coding agents' framing provides partial mechanism-level corroboration without naming Claude Code, so the attribution to a specific tool remains unresolved
AISI (UK AI Safety Institute)
Claude Mythos Preview represents a genuine capability threshold — the first AI system to autonomously complete both AISI end-to-end offensive cyber ranges including a 32-step scenario — and the rate at which autonomous AI cyber capability is advancing warrants serious institutional attention
Evolution: AISI's official evaluation is formally published; skeptics have emerged questioning the methodology and system card consistency
Skeptics of Mythos evaluation (cybersecurity commentators)
The AISI evaluation methodology is inconsistent or overstated; the Mythos system card is methodologically problematic; the 'autonomous offensive threshold' framing may not accurately represent the difficulty or controlled conditions of the evaluated tasks
Evolution: Consistent with prior pass
Zvi Mowshowitz
Genuinely alarmed by Mythos as a capability threshold requiring a rethink of deployment security cadences; critical of both Commerce-dominated (CAISI) and intelligence-dominated governance proposals as politically captured and insufficiently generalized beyond cybersecurity
Evolution: Consistent; CAISI's formalization as the federal compliance gate provides a concrete target for the existing critique
CAISI / US Department of Commerce
Voluntary but structured pre-deployment safety testing with major AI labs through NIST's CAISI is the appropriate US governance posture for frontier AI capabilities
Evolution: Consistent with prior pass
Institutional security research community (CSA, Unit 42, Datadog, Akamai, ReversingLabs, GitGuardian, WIRED, Snyk, Onapsis, Wiz, Endor Labs, StepSecurity, Varonis, BleepingComputer, LegitSecurity, Semgrep, IBM X-Force, Orca Security, ThreatLocker, Chainguard, Phoenix Security, Software Improvement Group, Runtime.news, OX Security)
TeamPCP is the defining supply chain security event of 2026; CERT-EU's confirmation of 30 EU institutions' exposure and Mandiant's 1,000+ SaaS environments figure confirm the campaign has no fixed perimeter; the fake Sigstore badge technique in the AntV attack compromises a key trust signal; the AI coding agent weaponization mechanism requires a materially different defensive response than traditional package poisoning
Evolution: The institutional response cohort has grown further with IBM X-Force, Orca Security, ThreatLocker, Chainguard, Phoenix Security, Software Improvement Group, and Runtime.news joining the group; CERT-EU and Mandiant have added official government and major consulting-firm voices to what was previously primarily a security vendor and press coalition
The Neuron / Microsoft
Tool poisoning is a serious and underappreciated threat; organizational readiness — not individual AI skill — is the primary bottleneck to safe and valuable AI deployment; growing agent usage amplifies the stakes of each unmitigated attack surface
Evolution: Consistent; Microsoft Security Blog's AntV analysis reinforces the direct connection between AI tool use and supply chain risk
Broad security community (social media and press amplifiers)
The GitHub breach is confirmed and TeamPCP is actively marketing stolen access; the $50K ransom demand signals TeamPCP's assessment of the access value; the European Commission's official confirmation elevates the campaign unambiguously to government-infrastructure level
Evolution: The European Commission claim has been officially confirmed by CERT-EU, resolving one of the key open questions from the prior pass; TeamPCP's Instagram marketing of stolen access [25] confirms active ongoing monetization
Tensions
- GitHub's official 'customer data unaffected' and 'limited impact' framing sits in tension with both the scope of 3,800–4,000 internal repositories stolen and TeamPCP's subsequent $50,000 extortion demand — the ransom demand implies TeamPCP placed significant monetary value on the access, which is inconsistent with GitHub's characterization of the incident as limited [7][37][38][8][35][6]
- AISI's official evaluation frames Claude Mythos Preview as reaching an 'autonomous offensive threshold' warranting serious institutional attention, while independent cybersecurity commentators have questioned the evaluation methodology and system card consistency — a debate about whether the milestone is accurately characterized or inflated by the evaluators' framing [32][33][73][49][50]
- RedRays frames the SAP attack as deliberately weaponizing AI coding agents through a dependency injection mechanism, while Mend.io's 'via Claude Code' framing implies Anthropic's specific tool was implicated — the two analyses are consistent at the mechanism level but diverge on specificity, and neither has been officially corroborated by Anthropic [27][29][30][28]
- The CAISI voluntary pre-deployment framework represents the US government's chosen governance posture for frontier AI capabilities, while Zvi Mowshowitz argues that any governance structure anchored in cybersecurity is politically captured and fails to treat the Mythos milestone as the general capability threshold it represents [34][54][51]
- Standard supply chain remediation guidance focuses on package registries (npm, PyPI, Docker Hub), but the VS Code extension attack vector and the AI coding agent weaponization mechanism target developer machines and AI tool environments directly — surfaces that are fundamentally harder to audit and for which remediation guidance has not yet been standardized [4][5][36][27][28][71][72]
- OpenAI frames the TanStack incident as an industry-wide supply chain shift with limited blast radius, but CERT-EU's confirmation of 30 EU institutions' exposure, Mandiant's 1,000+ SaaS environments figure, and TeamPCP's continued propagation into AntV and enterprise infrastructure suggest downstream exposure substantially wider than OpenAI's framing implied [1][12][13][14][63][7]
- The AntV attack's use of fake Sigstore security verification badges means that npm provenance attestation — one of the primary trust signals supply chain security guidance recommends — cannot be relied upon to detect this campaign, creating a gap between the remediation advice being given and the actual evasion capabilities demonstrated by the attacker [16][17][18]
Sources
- [1] Our response to the TanStack npm supply chain attack — OpenAI Blog (2026-05-13)
- [2] Mini Shai-Hulud: TeamPCP compromises 160+ npm and PyPI packages in a supply chain attack that hit TanStack, Mistra... — reactive:ai-security-nexus (2026-05-19)
- [3] A Self-Spreading Supply Chain Attack Compromises TanStack npm ... — reactive:ai-security-nexus
- [4] Nx Console 18.95.0 Incident: How TeamPCP Breached GitHub — reactive:ai-security-nexus
- [5] Nx Console VS Code Extension Compromised - StepSecurity — reactive:ai-security-nexus
- [6] GitHub Says 3,800 Repositories Breached—TeamPCP Hackers ... — reactive:ai-security-nexus
- [7] GitHub confirms being hacked by TeamPCP, says customer data ... — reactive:ai-security-nexus
- [8] A Hacker Group Is Poisoning Open Source Code at an ... - WIRED — reactive:ai-security-nexus
- [9] GitHub - ugurrates/teampcp-supply-chain-attack: CVE-2026-33634 (CVSS 9.4) — The most impactful CI/CD supply chain attack of 2026 so far. · GitHub — reactive:ai-security-nexus
- [10] CISA Adds Trivy CVE-2026-33634 to KEV: Patch Supply Chain Risk ... — reactive:ai-security-nexus
- [11] Impact Assessment: Aqua Security Trivy Supply Chain Compromise (CVE-2026-33634) on Tanzu Application Platform and Spring Enterprise — reactive:ai-security-nexus
- [12] European Commission cloud breach: a supply-chain compromise — reactive:ai-security-nexus
- [13] European Commission breach exposed data of 30 EU entities ... — reactive:ai-security-nexus
- [14] TeamPCP Supply Chain Campaign: Update 006 - CERT-EU Confirms European Commission Cloud Breach, Sportradar Details Emerge, and Mandiant Quantifies Campaign at 1,000+ SaaS Environments — reactive:ai-security-nexus
- [15] Shai-Hulud/Megalodon: A Two-Wave AI Developer Supply Chain ... — reactive:ai-offensive-cybersecurity
- [16] Mini Shai-Hulud Returns: 600+ Malicious npm Packages Fake Sigstore Badges in AntV Ecosystem Attack — reactive:ai-security-nexus
- [17] Mini Shai-Hulud npm Attack: AntV Ecosystem Compromise (May 2026) | Chainguard — reactive:ai-security-nexus
- [18] Mini Shai-Hulud Resurfaces; Compromised Maintainer of antv, timeago, and size-sensor Packages Revives Worm Activity | Semgrep — reactive:ai-security-nexus
- [19] IBM X-Force OSINT Advisory Mini Shai-Hulud Hits AntV: 300+ ... — reactive:ai-security-nexus
- [20] npm Supply Chain Attack Compromises AntV | Orca Security — reactive:ai-security-nexus
- [21] Reverse Shai-Hulud: Supply chain compromise impacts @antv packages — reactive:ai-security-nexus
- [22] Shai-Hulud: Here We Go Again. Mass npm Supply Chain Attack Hits the AntV Ecosystem - StepSecurity — reactive:ai-security-nexus
- [23] Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft | Microsoft Security Blog — reactive:ai-security-nexus
- [24] TeamPCP / Mini Shai-Hulud npm Campaign: 600 Packages, Confirmed Active Payload, Memory Scraping, and 2,500+ Compromised GitHub Repositories - Phoenix Security — reactive:ai-security-nexus
- [25] A threat actor identified with the TeamPCP alias is claiming to offer ... — reactive:ai-security-nexus
- [26] A Practitioner’s Guide to Responding to the TeamPCP Supply Chain Attacks | Ebook/Report | Endor Labs — reactive:ai-security-nexus
- [27] SAP npm Packages Hijacked to Steal Cloud Credentials and Weaponize AI Coding Agents — reactive:ai-security-nexus
- [28] When supply-chain attacks meet coding agents, look out — reactive:ai-coding-cpu-demand-surge
- [29] Shai Hulud: SAP CAP Supply Chain Attack Via Claude Code — reactive:ai-security-nexus
- [30] Mend.io's Post - LinkedIn — reactive:ai-security-nexus
- [31] TeamPCP's Multi-Stage Supply Chain Attack on Security Infrastructure — reactive:ai-offensive-cyber
- [32] Our evaluation of Claude Mythos Preview's cyber capabilities — reactive:frontier-ai-cyber-capabilities
- [33] How fast is autonomous AI cyber capability advancing? — reactive:ai-offensive-cyber (2026-05-13)
- [34] US government expands vetting of frontier AI models for security risks — reactive:ai-security-nexus
- [35] GitHub Breach via Malicious VS Code Extension: What You Need to ... — reactive:ai-security-nexus
- [36] GitHub confirms breach of 3,800 repos via malicious VSCode ... — reactive:ai-security-nexus
- [37] GitHub admits major source code leak after 3800 internal ... - InfoWorld — reactive:ai-security-nexus
- [38] GitHub Confirms Breach, 4K Internal Repos Stolen - Dark Reading — reactive:ai-security-nexus
- [39] OpenAI caught NPM supply chain chaos after employee devices compromised — reactive:ai-security-nexus (2026-05-16)
- [40] OpenAI asks macOS users to update after TanStack npm ... — reactive:ai-security-nexus
- [41] TanStack Supply Chain Attack Hits Two OpenAI Employee Devices ... — reactive:ai-security-nexus
- [42] Security breach at European Commission impacts 30 EU institutions | DigitalShield — reactive:ai-security-nexus
- [43] AISI: Claude Mythos First AI to Solve 32-Step Cyber Attack Range — reactive:ai-security-nexus
- [44] New Claude Mythos becomes the first AI model to clear all cyberattack simulations from Britain's AI safety agency — reactive:ai-security-nexus
- [45] Here’s how cyber heavyweights in the US and UK are dealing with Claude Mythos | CyberScoop — reactive:ai-security-nexus
- [46] Claude Mythos Preview Completes Cyber Range End-to-End — reactive:ai-security-nexus
- [47] We conducted cyber evaluations of Claude Mythos Preview and ... — reactive:ai-security-nexus
- [48] Claude Mythos Preview becomes the first model to solve both of the ... — reactive:ai-security-nexus
- [49] Anthropic's Mythos Claims Questioned by Cybersecurity Insider — reactive:frontier-ai-cyber-capabilities
- [50] Why Claude Mythos system card is a mess - Part 3, about ... - Reddit — reactive:ai-security-nexus
- [51] Cyber Lack of Security and AI Governance — Zvi's AI Roundups (2026-05-13)
- [52] CAISI becomes US AI pre-deployment gate | Kenneth Foster posted ... — reactive:ai-security-nexus
- [53] Pre-Deployment AI Evaluation Moves From China's Model To ... — reactive:ai-deployment-misalignment-risk
- [54] Kicking the Tires: A Voluntary Path to Pre-deployment AI Vetting | Lawfare — reactive:claude-mythos-capability-regulation
- [55] Center for AI Standards and Innovation (CAISI) | NIST — reactive:ai-security-nexus
- [56] GitHub breached via a malicious VS Code extension - Aikido Security — reactive:ai-security-nexus
- [57] The Wild West of VS Code extensions and how a poisoned ... — reactive:ai-security-nexus
- [58] The Trivy Supply Chain Compromise: What Happened and Playbooks to Respond — reactive:ai-security-nexus
- [59] Emerging Supply Chain Attack ("Mini Shai-Hulud") Targeting SAP Cloud Application Programming Ecosystem - Onapsis — reactive:ai-security-nexus
- [60] Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware | Wiz Blog — reactive:ai-security-nexus
- [61] SAP Cloud Build Tool Packaged A Mini Shai-Hulud Malicious Dependency That Uses Bun | Semgrep — reactive:ai-security-nexus
- [62] Mini Shai-Hulud: npm Worm Hits SAP Developer Packages | Blog | Endor Labs — reactive:ai-security-nexus
- [63] Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages ... - Snyk — reactive:ai-security-nexus
- [64] Shai Halud: What is Shai-Hulud? Definition & Explanation of the Self-Replicating npm Worm | Kusari® — reactive:ai-security-nexus
- [65] Mini Shai-Hulud npm Worm: Dissecting a Multi-Vector Supply Chain Attack - Upwind — reactive:ai-security-nexus
- [66] Mini Shai-Hulud: Multi-Ecosystem Developer Supply Chain Attack – Lab Space — reactive:ai-security-nexus
- [67] "Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain ... — reactive:ai-security-nexus
- [68] The Shai-Hulud 2.0 npm worm: analysis, and what you need to know | Datadog Security Labs — reactive:ai-security-nexus
- [69] TeamPCP: Cascading Supply Chain Attack on AI/ML Tooling – Lab Space — reactive:ai-security-nexus
- [70] LiteLLM and Telnyx compromised on PyPI: Tracing the TeamPCP ... — reactive:ai-security-nexus
- [71] The Telnyx SDK on PyPI Compromise and the 2026 TeamPCP ... — reactive:ai-security-nexus
- [72] No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and ... — reactive:ai-security-nexus
- [73] Claude Mythos and the AI Autonomous Offensive Threshold — reactive:frontier-ai-cyber-capabilities
- [74] LiteLLM supply chain attack explained - Software Improvement Group — reactive:ai-security-nexus
- [75] "Shai-Hulud" Malware Hits 170+ npm & PyPi Packages - OX Security — reactive:ai-security-nexus
- [76] It's Bigger Than TeamPCP. Open Source Is Under Siege. - YouTube — reactive:ai-security-nexus
- [77] The npm Threat Landscape: Attack Surface and Mitigations ... — reactive:openai-advanced-account-security
- [78] 😺 Microsoft: your company is the AI bottleneck — The Neuron (2026-05-11)
- [79] MCP Tool Poisoning (CVE-2025-54136): A Structural Vulnerability in Agent Context — reactive:ai-security-nexus
- [80] GitHub Breach Linked To Malicious VS Code Extension ... - LinkedIn — reactive:ai-security-nexus
- [81] 170 npm packages compromised in one coordinated supply chain attack — OpenAI, Mistral AI, even the European Commission g... — reactive:ai-security-nexus (2026-05-23)
- [82] RT @IntCyberDigest: ‼️🚨 This is wild. OpenAI just confirmed it got hit in the TanStack npm supply chain attack, and the ... — reactive:ai-security-nexus (2026-05-23)
- [83] The TanStack npm supply chain attack (CVE-2026-45321) is wild. — reactive:ai-security-nexus (2026-05-22)
- [84] GitHub Confirms 3,800-Repo Breach Traced to TanStack npm Supply Chain Worm #cybersecurity #supplychain #GitHub #OpenAI #... — reactive:ai-security-nexus (2026-05-21)
- [85] RT @IntCyberDigest: ‼️🚨 This is wild. OpenAI just confirmed it got hit in the TanStack npm supply chain attack, and the ... — reactive:ai-security-nexus (2026-05-21)
- [86] OpenAI has published its write-up of the TanStack npm supply chain attack. — reactive:ai-security-nexus (2026-05-20)
- [87] 1:10 TanStack/npm Supply Chain Worm Hits 170+ Packages, Reaches OpenAI @tan_stack @tannerlinsley @OpenAI @npm — reactive:ai-security-nexus (2026-05-20)
- [88] TeamPCP's "Mini Shai-Hulud" supply chain attack compromised 170 npm and PyPI packages, including @tanstack/react-router with 12 million downloads... — reactive:ai-security-nexus (2026-05-19)
- [89] Supply chain attacks on npm packages are not a new threat — but watching one hit OpenAI employees via TanStack is a remi... — reactive:ai-security-nexus (2026-05-19)
- [90] GitHub investigates internal repositories breach claimed by TeamPCP — reactive:ai-security-nexus
- [91] OpenAI requires a macOS update after a supply chain attack that hit TanStack, npm packages and several a... — reactive:ai-security-nexus (2026-05-16)
- [92] OpenAI Confirms Security Breach Via TanStack npm Supply Chain Attack via @knolinfos https://t.co/gORBgXYLpY — reactive:ai-security-nexus (2026-05-16)
- [93] 🚨 OPENAI EMPLOYEE DEVICES COMPROMISED — reactive:ai-security-nexus (2026-05-16)
- [94] OpenAI Confirms Security Breach Via TanStack npm Supply Chain Attack https://t.co/hyRTbyclv2 — reactive:ai-security-nexus (2026-05-16)
- [95] TeamPCP sells Mistral AI repos after TanStack attack on OpenAI — reactive:ai-security-nexus (2026-05-18)
- [96] TeamPCP Claims Sale of Mistral AI Repositories Amid Mini Shai ... — reactive:ai-security-nexus
- [97] Hackers Put Mistral AI Source Code Up for Sale After Supply Chain Attack — reactive:ai-security-nexus
- [98] TeamPCP Claims Sale of Internal Mistral AI Repositories Amid Mini ... — reactive:ai-security-nexus
- [99] Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages — reactive:ai-security-nexus
- [100] TeamPCP Targets Telnyx Package in Latest Software Supply Chain Attack - Infosecurity Magazine — reactive:ai-security-nexus
- [101] Mistral AI among npm, PyPI packages hit by Mini Shai Hulud — reactive:ai-security-nexus
- [102] NVD - CVE-2026-33634 — reactive:ai-security-nexus
- [103] LiteLLM Supply Chain Attack: What Happened and How to Respond — reactive:ai-security-nexus
- [104] Trivy and LiteLLM Supply Chain Incident (CVE-2026-33634) Update — reactive:ai-security-nexus
- [105] Security Update: Suspected Supply Chain Incident | liteLLM — reactive:ai-security-nexus
- [106] CVE-2026-33634 - CVE Record — reactive:ai-security-nexus
- [107] Endor Patches | CVE-2026-33634, Trivy ecosystem supply chain was briefly compromised — reactive:ai-security-nexus
- [108] Trivy ecosystem supply chain was briefly compromised | GitLab Advisory Database (GLAD) — reactive:ai-security-nexus
- [109] Trivy ecosystem supply chain temporarily compromised · Advisory · aquasecurity/trivy · GitHub — reactive:ai-security-nexus
- [110] Mini Shai-Hulud Targets SAP npm Packages - Upwind Security — reactive:ai-security-nexus