The Information Machine

AI as Attack Tool and Attack Target: May 2026 Cybersecurity Moment

Version 9

2026-05-25 08:42 UTC · 234 items

What

The Mini Shai-Hulud supply chain campaign — launched May 11, 2026 by threat actor TeamPCP — has now been linked to a compromise of the axios npm package, one of the most downloaded JavaScript libraries in history, with Huntress documenting the incident as 'the ultimate supply chain scaries' [19]. Snyk has published a dedicated analysis of the TanStack npm package compromise [15], reinforcing how the campaign exploited one of the JavaScript ecosystem's highest-traffic packages (518 million downloads) using a stolen code-signing certificate [17]. Social media and press amplification — including WIRED framing GitHub as 'just the latest victim' of TeamPCP [18] and Facebook community discussion of the Qix phishing origin [14] — signals that the story has crossed into mainstream security awareness. The campaign's confirmed footprint spans 170+ compromised packages, 1,000+ SaaS environments, and 30 EU institutions, and may now extend to axios.

Why it matters

If the axios npm compromise is confirmed as part of Mini Shai-Hulud, the campaign's reach expands from AI developer toolchains and enterprise SAP ecosystems into the general JavaScript dependency graph — axios is a transitive dependency for hundreds of millions of projects, meaning passive exposure could dwarf all previously quantified figures. The campaign's origin in a single phishing attack against one maintainer, now propagating through packages touching virtually every Node.js application, illustrates how a single credential compromise can cascade into systemic infrastructure risk across the entire open-source ecosystem.

Open questions

  • Is the axios npm compromise documented by Huntress [19] confirmed as part of the Mini Shai-Hulud campaign, or a separate incident? If confirmed, how does it change the exposure estimate beyond Mandiant's 1,000+ SaaS environments figure?

  • Has the Qix npm account been fully secured, and what other packages does Qix maintain that may have been affected or remain at risk following the phishing compromise? [13][14]

  • Does TanStack's official postmortem [20] identify compromise vectors or downstream exposure beyond what Snyk's dedicated TanStack analysis [15] documents, and does it address the certificate theft that affected OpenAI?

  • AuthMind frames Anthropic's decision to withhold Mythos as a significant policy signal [33] — will Anthropic issue formal guidance on its deployment criteria for frontier models with demonstrated offensive cyber capability, and does CAISI require evaluation of withheld models?

Narrative

The Mini Shai-Hulud supply chain campaign, launched by the threat actor TeamPCP on May 11, 2026, began as a self-spreading worm across npm and PyPI that compromised more than 170 packages — including TanStack, LiteLLM, Guardrails AI, and Telnyx — reaching two OpenAI employee devices and exfiltrating code-signing certificates that triggered a mandatory rotation deadline of June 12, 2026 for OpenAI's iOS, macOS, and Windows applications [1][2][3]. GitHub confirmed that approximately 3,800–4,000 of its internal repositories were stolen via a poisoned VS Code extension (Nx Console version 18.95.0), with Forbes reporting a $50,000 ransom demand from TeamPCP [4][5][6]. CVE-2026-33634 (CVSS 9.4) was formally assigned and added to CISA's Known Exploited Vulnerabilities catalog [7][8], and Broadcom confirmed downstream exposure in Tanzu Application Platform and Spring Enterprise through the Trivy container-security scanner compromise [9]. Mandiant quantified total campaign impact at more than 1,000 compromised SaaS environments [10], and CERT-EU confirmed the European Commission's cloud infrastructure was breached via the same Trivy supply chain vector, exposing data across 30 EU institutions [11][12].

The campaign's origin has been traced by Socket.dev to a phishing attack targeting npm package author 'Qix,' whose compromised credentials provided the initial ecosystem foothold for worm propagation [13] — a finding amplified across Facebook developer communities [14] and reframing the campaign from a purely technical worm-propagation event to one with a social engineering origin. Snyk has published a dedicated analysis of the TanStack npm package compromise [15], adding to its earlier identification of a 'Bun-based stealer' as the specific malware component in the SAP Cloud Application Programming (CAP) ecosystem segment [16]. A YouTube video highlighting TanStack's 518-million-download scale [17] and WIRED's framing of GitHub as 'just the latest victim' of TeamPCP [18] signal that the campaign's scope has registered in mainstream security awareness. The most significant potential expansion is Huntress's documentation of an axios npm compromise [19] — axios is among the most downloaded JavaScript libraries in existence and a transitive dependency for hundreds of millions of projects, meaning confirmed inclusion in the Mini Shai-Hulud campaign would materially expand exposure estimates beyond any previously published figure. TanStack has also published an official postmortem providing a first-party account of the compromise [20], while Pathlock and SecurityBridge have contributed SAP-specific workflow analyses [21][22].

The Cloud Security Alliance characterized the campaign as a two-wave operation named 'Shai-Hulud/Megalodon,' distinguishing the initial AI developer toolchain wave from a subsequent AntV data visualization ecosystem attack involving 600+ malicious npm packages that used a novel technique to fake Sigstore security verification badges [23][24] — a trust-signal compromise that neither the Sigstore project nor the npm registry has publicly addressed. CSO Online reports that Lapsus$ has joined the extortion wave targeting campaign victims [25], while VECERTRadar characterizes the Sportradar breach as a 'Systemic Compromise and Asset Sale,' indicating active monetization of stolen access [26]. RedRays frames the SAP npm hijacking as deliberately designed to weaponize AI coding agents by injecting malicious packages into the dependency trees those tools automatically install [27], while Mend.io's claim that the SAP segment ran 'via Claude Code' [28] remains unverified and without Anthropic response.

The AI governance dimension centers on AISI's official evaluation of Claude Mythos Preview, which autonomously completed both UK offensive cyber ranges including a 32-step scenario — the first AI system to do so [29][30]. The Turing Institute's CETAS has published a dedicated assessment of what this capability threshold means for cybersecurity's future [31], and AuthMind specifically examines the implications of Anthropic withholding Mythos from public deployment — arguing that a lab's choice to retain its most capable model in reserve is itself a significant policy signal, and raises questions about whether voluntary frameworks like CAISI, which the Foundation for American Innovation has defended as a pragmatic first step [32], evaluate a curated rather than frontier subset of AI capability [33]. NIST's CAISI formalization as the US pre-deployment compliance gate was confirmed through expanded safety-testing agreements with Google, Microsoft, and xAI [34].

Timeline

  • 2026-05-05: US Department of Commerce finalizes expanded AI safety-testing agreements with Google, Microsoft, and xAI through NIST's CAISI; Politico reports on federal pre-deployment AI vetting formalization [34][114]
  • 2026-05-11: TeamPCP launches Mini Shai-Hulud campaign via self-spreading worm; 160+ npm and PyPI packages compromised including TanStack; two OpenAI employee devices hit, code-signing certificates exfiltrated [1][2][3]
  • 2026-05-11: Security researchers confirm tool poisoning attacks work silently against Claude, ChatGPT, Cursor, and other major AI assistants [115]
  • 2026-05-13: OpenAI publishes incident response disclosure; mandates app certificate rotation by June 12, 2026; Zvi Mowshowitz and AISI publish analyses characterizing Claude Mythos Preview's autonomous clearance of UK offensive cyber ranges as a genuine AI capability threshold [1][61][30]
  • 2026-05-16: Broad security community coverage amplifies OpenAI/TanStack disclosure; BleepingComputer and The Cyber Express reach mainstream security audiences; users urged to update macOS apps before June 12 certificate revocation deadline [42][116][117][118][119][46][45]
  • 2026-05-18: Reports emerge that TeamPCP targeted Mistral AI and is selling access to Mistral AI's internal source code repositories [120][121][122][123]
  • 2026-05-19: LiteLLM, Telnyx, and Guardrails AI identified as additional compromised packages; campaign scope confirmed at 160+ packages across npm and PyPI; CVE-2026-33634 formally assigned with CVSS 9.4 critical severity rating [124][7][79][125][126]
  • 2026-05-20: GitHub confirms TeamPCP breach of approximately 3,800–4,000 internal repositories via Nx Console version 18.95.0; Forbes reports TeamPCP demanded $50,000 ransom from GitHub; multiple security vendors publish independent analyses [4][35][5][36][64][65][37][38][39][72][6][78][79][80][81]
  • 2026-05-21: CVE-2026-33634 scope expanded to include Trivy container-security scanner; LiteLLM publishes official security update; GitLab Advisory Database and Aqua Security publish formal Trivy advisory; LegitSecurity publishes incident response playbooks [127][128][129][130][131][132][133][134][66]
  • 2026-05-22: Mini Shai-Hulud confirmed targeting SAP npm packages; Unit 42 and Datadog Security Labs publish 'Shai-Hulud 2.0' analysis; CISA adds CVE-2026-33634 to Known Exploited Vulnerabilities catalog; Broadcom issues impact assessment for Tanzu Application Platform and Spring Enterprise [73][74][75][76][77][135][8][9]
  • 2026-05-23: AntV ecosystem attack confirmed with 600+ malicious npm packages faking Sigstore badges; Semgrep identifies worm revival via compromised maintainer; IBM X-Force, Orca Security, ThreatLocker, StepSecurity, Microsoft Security Blog, and Chainguard publish independent AntV analyses; Mend.io and RedRays publish analyses framing SAP attack as weaponizing AI coding agents; CSA characterizes campaign as two-wave 'Shai-Hulud/Megalodon' [24][83][84][85][86][87][88][89][28][27][23][93][91]
  • 2026-05-24: CERT-EU officially confirms European Commission cloud breach via Trivy supply chain exposed data across 30 EU institutions; Mandiant quantifies total campaign at 1,000+ compromised SaaS environments; Sportradar named as additional victim; CSO Online reports Lapsus$ has joined extortion wave; VECERTRadar characterizes Sportradar incident as 'Systemic Compromise and Asset Sale'; Socket.dev and SecurityBridge publish detailed SAP CAP npm package analyses [10][49][11][12][6][25][26][50][48][22][62][40][41][98]
  • 2026-05-25: Socket.dev identifies phishing attack on npm author 'Qix' as initial access vector; TanStack publishes official supply chain compromise postmortem; Snyk publishes dedicated TanStack npm analysis and identifies 'Bun-based stealer' in SAP CAP packages; Huntress documents axios npm compromise; Turing Institute CETAS and AuthMind publish institutional analyses of Claude Mythos governance implications; Foundation for American Innovation publishes analysis of CAISI framework; mainstream amplification via WIRED, YouTube, and Facebook developer communities [13][20][15][16][19][21][31][33][32][63][47][99][14][17][18]

Perspectives

Huntress

Documents an axios npm compromise as part of the Mini Shai-Hulud campaign wave, characterizing it as emblematic of 'ultimate supply chain scaries' — implying axios's near-universal presence in JavaScript projects makes its compromise categorically more severe than prior named victims

Evolution: New voice in this synthesis; the axios-specific finding is the most significant potential scope expansion since Mandiant's 1,000+ SaaS environments figure

Snyk

Has published both a dedicated analysis of the TanStack npm package compromise and identified the 'Bun-based stealer' as the specific malware component in the SAP CAP segment — making Snyk the most technically granular public voice across multiple campaign fronts

Evolution: Expanded from the Bun-based stealer finding (prior pass) to include a dedicated TanStack analysis, deepening Snyk's coverage across both the AI toolchain and enterprise segments of the campaign

TanStack

Published an official postmortem on the npm supply chain compromise, providing a first-party account of how TanStack packages were compromised and what remediation steps were taken

Evolution: Consistent with prior pass; mainstream amplification via YouTube (518 million downloads framing) has extended public awareness of TanStack's role as a high-traffic victim

GitHub

Confirmed the breach via Nx Console version 18.95.0, maintained that customer data was unaffected, and framed the incident as limited in customer impact while acknowledging the theft of approximately 3,800–4,000 internal repositories

Evolution: WIRED's framing of GitHub as 'just the latest victim' of TeamPCP [18] further contextualizes the breach as part of a serial campaign rather than an isolated incident, sitting in tension with GitHub's limited-impact framing

OpenAI

Transparency and swift containment: limited blast radius, no customer data or production systems compromised, framing the incident as an industry-wide supply chain threat rather than an OpenAI-specific failure; certificate rotation deadline of June 12 is the actionable user requirement

Evolution: Consistent; the potential axios compromise, if confirmed as part of Mini Shai-Hulud, would further challenge the 'limited blast radius' framing for the campaign as a whole

Socket.dev

The Mini Shai-Hulud campaign's initial access vector was a phishing attack targeting npm author 'Qix,' whose compromised credentials seeded the broader supply chain worm; detailed technical analyses of TanStack and SAP CAP packages document the propagation mechanism

Evolution: Consistent with prior pass; the Qix phishing finding continues to circulate in developer communities via social media amplification

WIRED

TeamPCP is a serial threat actor for which GitHub is 'just the latest victim' — framing the campaign as a pattern of targeted enterprise compromise rather than opportunistic worm propagation

Evolution: New named voice in this synthesis; WIRED's framing adds authoritative mainstream press weight to the serial-campaign characterization

CERT-EU

Official confirmation that the European Commission's cloud infrastructure was breached through the Trivy supply chain compromise, with data exposed across 30 EU institutions — establishing that supply chain DevSecOps vulnerabilities translate directly into government IT compromise

Evolution: Consistent

Mandiant

The total TeamPCP campaign has compromised more than 1,000 SaaS environments — a scale figure that reframes Mini Shai-Hulud from a targeted AI-ecosystem incident to one of the most broadly distributed enterprise supply chain compromises on record

Evolution: Consistent; the potential axios compromise, if confirmed, would challenge even this figure as an undercount

Lapsus$

CSO Online reports Lapsus$ has joined the extortion wave targeting the campaign's supply chain victims — introducing a second well-resourced threat actor with a history of aggressive public data leaks and extortion against major enterprises

Evolution: Consistent with prior pass; specific relationship to TeamPCP remains unestablished

VECERTRadar / threat intelligence community on Sportradar

The Sportradar breach constitutes a 'Systemic Compromise and Asset Sale,' with stolen assets being actively marketed — suggesting monetization is in progress, not merely threatened

Evolution: Consistent with prior pass

RedRays

The SAP npm hijacking was specifically designed to weaponize AI coding agents by injecting malicious packages into the dependency trees that those tools automatically install and execute, redirecting agent behavior toward cloud credential theft and worm propagation

Evolution: Consistent

Mend.io

The SAP CAP segment of the supply chain attack ran 'via Claude Code,' implicating Anthropic's AI coding assistant as a vector or surface in the attack

Evolution: Consistent; no Anthropic response has emerged

AISI (UK AI Safety Institute)

Claude Mythos Preview represents a genuine capability threshold — the first AI system to autonomously complete both AISI end-to-end offensive cyber ranges including a 32-step scenario — and the rate at which autonomous AI cyber capability is advancing warrants serious institutional attention

Evolution: Consistent

AuthMind

Anthropic's decision to withhold Claude Mythos from public deployment is itself a significant policy signal — a lab that retains its most capable model in reserve implicitly acknowledges that those capabilities exceed what it is willing to release, which has direct implications for how voluntary pre-deployment frameworks evaluate frontier AI offensive risk

Evolution: Consistent with prior pass

Turing Institute CETAS

The Claude Mythos capability threshold requires serious institutional analysis of what AI systems that can autonomously complete offensive cyber tasks mean for the future of cybersecurity — framing the Mythos development as a structural shift in the threat landscape rather than an incremental capability improvement

Evolution: Consistent with prior pass

Foundation for American Innovation

CAISI's voluntary pre-deployment vetting framework represents a pragmatic and achievable first step toward structured federal oversight of frontier AI capabilities — framing voluntary industry participation positively against more prescriptive alternatives

Evolution: Consistent with prior pass

Skeptics of Mythos evaluation (cybersecurity commentators)

The AISI evaluation methodology is inconsistent or overstated; the Mythos system card is methodologically problematic; the 'autonomous offensive threshold' framing may not accurately represent the difficulty or controlled conditions of the evaluated tasks

Evolution: Consistent

Zvi Mowshowitz

Genuinely alarmed by Mythos as a capability threshold requiring a rethink of deployment security cadences; critical of both Commerce-dominated (CAISI) and intelligence-dominated governance proposals as politically captured and insufficiently generalized beyond cybersecurity

Evolution: Consistent

SAP security community (SecurityBridge, Socket.dev, StepSecurity, Pathlock, Snyk)

The Mini Shai-Hulud campaign's penetration of the SAP npm ecosystem is credible and technically documented; the attack mechanism involves specific SAP CAP and Cloud MT packages consistent with the broader campaign's worm-propagation architecture; the Bun-based stealer represents a specific and novel malware technique within that architecture

Evolution: Consistent; Snyk's dedicated TanStack analysis further demonstrates the vendor's depth of coverage across multiple campaign fronts

Institutional security research community (CSA, Unit 42, Datadog, Akamai, ReversingLabs, GitGuardian, WIRED, Snyk, Onapsis, Wiz, Endor Labs, StepSecurity, Varonis, BleepingComputer, LegitSecurity, Semgrep, IBM X-Force, Orca Security, ThreatLocker, Chainguard, Phoenix Security, Software Improvement Group, Runtime.news, OX Security, Cyber Unit, DevOps.com, Huntress)

TeamPCP is the defining supply chain security event of 2026; the Qix phishing origin story reframes the campaign's initial access model; the Bun-based stealer adds a documented malware component; the fake Sigstore badge technique compromises a key trust signal; the axios compromise, if confirmed, would represent the campaign's most consequential package-level victim; the AI coding agent weaponization mechanism requires a materially different defensive response than traditional package poisoning

Evolution: Huntress added as a new institutional voice with the axios npm compromise finding; YouTube video amplification signals mainstream security audience crossover

Broad security community (social media and press amplifiers)

The campaign is mainstream news: GitHub is 'just the latest victim' of TeamPCP; TanStack's 518-million-download scale underscores the campaign's reach; the Qix phishing origin is circulating in developer communities; the axios compromise adds another iconic package to the victim list

Evolution: Mainstream press crossover is now confirmed with WIRED's Threads post, a YouTube video on TanStack's scale, and Facebook developer community discussion of the Qix phishing attack — the campaign has moved from security specialist coverage to general technology press

Tensions

  • GitHub's official 'customer data unaffected' and 'limited impact' framing sits in tension with the scope of 3,800–4,000 internal repositories stolen, TeamPCP's $50,000 extortion demand, and WIRED's characterization of GitHub as 'just the latest victim' in a serial campaign — the serial framing implies systematic targeting rather than opportunistic compromise, which is inconsistent with GitHub's incident-specific containment narrative [37][38][39][72][35][6][18]
  • AISI's official evaluation frames Claude Mythos Preview as reaching an 'autonomous offensive threshold' warranting serious institutional attention, and the Turing Institute's CETAS adds academic weight to this framing, while independent cybersecurity commentators have questioned the evaluation methodology and system card consistency — a debate about whether the milestone is accurately characterized or inflated [29][30][82][59][60][31][58]
  • RedRays frames the SAP attack as deliberately weaponizing AI coding agents through a dependency injection mechanism, while Mend.io's 'via Claude Code' framing implies Anthropic's specific tool was implicated — the two analyses are consistent at the mechanism level but diverge on specificity; Snyk's Bun-based stealer detail and Socket.dev's SAP CAP analysis add technical depth without resolving the Claude Code attribution, and Anthropic has issued no response [27][28][51][91][48][22][16][15]
  • The CAISI voluntary pre-deployment framework (defended by the Foundation for American Innovation as a pragmatic first step) sits in tension with Zvi Mowshowitz's critique that governance anchored in cybersecurity is politically captured — and AuthMind's 'withheld model' framing adds a third dimension: if labs withhold their most capable systems, voluntary frameworks may evaluate a curated rather than frontier subset of AI capability, leaving the most dangerous systems outside public audit [34][113][61][32][33]
  • Standard supply chain remediation guidance focuses on package registries (npm, PyPI, Docker Hub), but the VS Code extension attack vector, the AI coding agent weaponization mechanism, the Qix phishing origin story, and the potential axios compromise collectively demonstrate that the attack surface extends to individual maintainer credential security, developer machine environments, and the most universally depended-upon packages — surfaces for which no standardized remediation guidance has yet emerged [4][5][36][27][91][80][81][40][41][13][19]
  • OpenAI frames the TanStack incident as an industry-wide supply chain shift with limited blast radius, but CERT-EU's confirmation of 30 EU institutions' exposure, Mandiant's 1,000+ SaaS environments figure, Lapsus$'s reported entry into the extortion wave, and the potential axios compromise suggest downstream exposure substantially wider than OpenAI's framing implied [1][11][12][10][71][37][25][19]
  • The AntV attack's use of fake Sigstore security verification badges means that npm provenance attestation — one of the primary trust signals supply chain security guidance recommends — cannot be relied upon to detect this campaign, creating a gap between the remediation advice being given and the actual evasion capabilities demonstrated by the attacker; neither the Sigstore project nor the npm registry has issued a public response [24][83][84]
  • CSO Online reports Lapsus$ has joined the extortion wave, but the relationship between Lapsus$ and TeamPCP — whether collaboration, independent exploitation of the same victim pool, or coincidental targeting — has not been established, creating uncertainty about whether victims face one organized campaign or two distinct threat actors with different motivations and negotiating postures [25][26][50]

Sources

  1. [1] Our response to the TanStack npm supply chain attack — OpenAI Blog (2026-05-13)
  2. [2] Mini Shai-Hulud: TeamPCP compromises 160+ npm and PyPI packages in a supply chain attack that hit TanStack, Mistra... — reactive:ai-security-nexus (2026-05-19)
  3. [3] A Self-Spreading Supply Chain Attack Compromises TanStack npm ... — reactive:ai-security-nexus
  4. [4] Nx Console 18.95.0 Incident: How TeamPCP Breached GitHub — reactive:ai-security-nexus
  5. [5] Nx Console VS Code Extension Compromised - StepSecurity — reactive:ai-security-nexus
  6. [6] GitHub Says 3,800 Repositories Breached—TeamPCP Hackers ... — reactive:ai-security-nexus
  7. [7] GitHub - ugurrates/teampcp-supply-chain-attack: CVE-2026-33634 (CVSS 9.4) — The most impactful CI/CD supply chain attack of 2026 so far. · GitHub — reactive:ai-security-nexus
  8. [8] CISA Adds Trivy CVE-2026-33634 to KEV: Patch Supply Chain Risk ... — reactive:ai-security-nexus
  9. [9] Impact Assessment: Aqua Security Trivy Supply Chain Compromise (CVE-2026-33634) on Tanzu Application Platform and Spring Enterprise — reactive:ai-security-nexus
  10. [10] TeamPCP Supply Chain Campaign: Update 006 - CERT-EU Confirms European Commission Cloud Breach, Sportradar Details Emerge, and Mandiant Quantifies Campaign at 1,000+ SaaS Environments — reactive:ai-security-nexus
  11. [11] European Commission cloud breach: a supply-chain compromise — reactive:ai-security-nexus
  12. [12] European Commission breach exposed data of 30 EU entities ... — reactive:ai-security-nexus
  13. [13] npm Author Qix Compromised via Phishing Email in Major Suppl... — reactive:ai-security-nexus
  14. [14] #npm Author Qix Compromised via Phishing Email in Major Supply ... — reactive:ai-security-nexus
  15. [15] TanStack npm Packages Hit by Mini Shai-Hulud | Snyk — reactive:ai-offensive-cybersecurity
  16. [16] Bun-Based Stealer Hits SAP CAP npm Packages | Snyk — reactive:ai-security-nexus
  17. [17] They Hit TanStack. 518 Million Downloads. And the Security Cert Was Real. — reactive:ai-security-nexus
  18. [18] GitHub is just the latest victim of TeamPCP, a gang that has ... — reactive:ai-security-nexus
  19. [19] axios npm Compromise: The Ultimate Supply Chain Scaries — reactive:openai-advanced-account-security
  20. [20] Postmortem: TanStack npm supply-chain compromise — reactive:ai-security-nexus
  21. [21] SAP npm Supply Chain Incident | CAP & MTA Build Workflows — reactive:ai-security-nexus
  22. [22] Mini Shai-Hulud: npm Supply Chain reaches into SAP security! — reactive:ai-security-nexus
  23. [23] Shai-Hulud/Megalodon: A Two-Wave AI Developer Supply Chain ... — reactive:ai-offensive-cybersecurity
  24. [24] Mini Shai-Hulud Returns: 600+ Malicious npm Packages Fake Sigstore Badges in AntV Ecosystem Attack — reactive:ai-security-nexus
  25. [25] Trivy supply chain breach compromises over 1,000 SaaS environments, Lapsus$ joins the extortion wave | CSO Online — reactive:ai-security-nexus
  26. [26] CRITICAL ALERT: Sportradar Systemic Compromise and Asset Sale ... — reactive:ai-security-nexus
  27. [27] SAP npm Packages Hijacked to Steal Cloud Credentials and Weaponize AI Coding Agents — reactive:ai-security-nexus
  28. [28] Shai Hulud: SAP CAP Supply Chain Attack Via Claude Code — reactive:ai-security-nexus
  29. [29] Our evaluation of Claude Mythos Preview's cyber capabilities — reactive:frontier-ai-cyber-capabilities
  30. [30] How fast is autonomous AI cyber capability advancing? — reactive:ai-offensive-cyber (2026-05-13)
  31. [31] Claude Mythos: What Does Anthropic's New Model Mean for the ... — reactive:ai-security-nexus
  32. [32] Kicking the Tires: A Voluntary Path to Pre-Deployment AI Vetting | The Foundation for American Innovation — reactive:ai-security-nexus
  33. [33] When a Lab Withholds Its Best Model: What the Claude Mythos System Card Signals for Cybersecurity — reactive:ai-security-nexus
  34. [34] US government expands vetting of frontier AI models for security risks — reactive:ai-security-nexus
  35. [35] GitHub Breach via Malicious VS Code Extension: What You Need to ... — reactive:ai-security-nexus
  36. [36] GitHub confirms breach of 3,800 repos via malicious VSCode ... — reactive:ai-security-nexus
  37. [37] GitHub confirms being hacked by TeamPCP, says customer data ... — reactive:ai-security-nexus
  38. [38] GitHub admits major source code leak after 3800 internal ... - InfoWorld — reactive:ai-security-nexus
  39. [39] GitHub Confirms Breach, 4K Internal Repos Stolen - Dark Reading — reactive:ai-security-nexus
  40. [40] GitHub Breach, May 2026: What the TeamPCP VS Code Extension Attack Means for Canadian and US SMBs | Cyber Unit — reactive:ai-security-nexus
  41. [41] GitHub Breach Tied to Malicious VS Code Extension Exposes Thousands of Internal Repositories — reactive:ai-security-nexus
  42. [42] OpenAI caught NPM supply chain chaos after employee devices compromised — reactive:ai-security-nexus (2026-05-16)
  43. [43] OpenAI asks macOS users to update after TanStack npm ... — reactive:ai-security-nexus
  44. [44] TanStack Supply Chain Attack Hits Two OpenAI Employee Devices ... — reactive:ai-security-nexus
  45. [45] OpenAI confirms security breach in TanStack supply chain attack — reactive:ai-security-nexus
  46. [46] TanStack npm Supply Chain Attack Prompts OpenAI Updates — reactive:ai-security-nexus
  47. [47] TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud... — reactive:ai-security-nexus
  48. [48] TeamPCP-Linked Supply Chain Attack Hits SAP CAP and Cloud MT... — reactive:ai-security-nexus
  49. [49] Security breach at European Commission impacts 30 EU institutions | DigitalShield — reactive:ai-security-nexus
  50. [50] Sportradar Data Breach in 2026 - Breachsense — reactive:ai-security-nexus
  51. [51] Mend.io's Post - LinkedIn — reactive:ai-security-nexus
  52. [52] AISI: Claude Mythos First AI to Solve 32-Step Cyber Attack Range — reactive:ai-security-nexus
  53. [53] New Claude Mythos becomes the first AI model to clear all cyberattack simulations from Britain's AI safety agency — reactive:ai-security-nexus
  54. [54] Here’s how cyber heavyweights in the US and UK are dealing with Claude Mythos | CyberScoop — reactive:ai-security-nexus
  55. [55] Claude Mythos Preview Completes Cyber Range End-to-End — reactive:ai-security-nexus
  56. [56] We conducted cyber evaluations of Claude Mythos Preview and ... — reactive:ai-security-nexus
  57. [57] Claude Mythos Preview becomes the first model to solve both of the ... — reactive:ai-security-nexus
  58. [58] Claude Mythos Preview: Analysis of Anthropic's Public Announcement — LessWrong — reactive:ai-deployment-misalignment-risk
  59. [59] Anthropic's Mythos Claims Questioned by Cybersecurity Insider — reactive:frontier-ai-cyber-capabilities
  60. [60] Why Claude Mythos system card is a mess - Part 3, about ... - Reddit — reactive:ai-security-nexus
  61. [61] Cyber Lack of Security and AI Governance — Zvi's AI Roundups (2026-05-13)
  62. [62] Compromised SAP Packages Flagged by StepSecurity - LinkedIn — reactive:ai-security-nexus
  63. [63] SAP CAP Ecosystem Hacked via npm Packages - LinkedIn — reactive:ai-security-nexus
  64. [64] GitHub breached via a malicious VS Code extension - Aikido Security — reactive:ai-security-nexus
  65. [65] The Wild West of VS Code extensions and how a poisoned ... — reactive:ai-security-nexus
  66. [66] The Trivy Supply Chain Compromise: What Happened and Playbooks to Respond — reactive:ai-security-nexus
  67. [67] Emerging Supply Chain Attack ("Mini Shai-Hulud") Targeting SAP Cloud Application Programming Ecosystem - Onapsis — reactive:ai-security-nexus
  68. [68] Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware | Wiz Blog — reactive:ai-security-nexus
  69. [69] SAP Cloud Build Tool Packaged A Mini Shai-Hulud Malicious Dependency That Uses Bun | Semgrep — reactive:ai-security-nexus
  70. [70] Mini Shai-Hulud: npm Worm Hits SAP Developer Packages | Blog | Endor Labs — reactive:ai-security-nexus
  71. [71] Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages ... - Snyk — reactive:ai-security-nexus
  72. [72] A Hacker Group Is Poisoning Open Source Code at an ... - WIRED — reactive:ai-security-nexus
  73. [73] Shai Halud: What is Shai-Hulud? Definition & Explanation of the Self-Replicating npm Worm | Kusari® — reactive:ai-security-nexus
  74. [74] Mini Shai-Hulud npm Worm: Dissecting a Multi-Vector Supply Chain Attack - Upwind — reactive:ai-security-nexus
  75. [75] Mini Shai-Hulud: Multi-Ecosystem Developer Supply Chain Attack – Lab Space — reactive:ai-security-nexus
  76. [76] "Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain ... — reactive:ai-security-nexus
  77. [77] The Shai-Hulud 2.0 npm worm: analysis, and what you need to know | Datadog Security Labs — reactive:ai-security-nexus
  78. [78] TeamPCP: Cascading Supply Chain Attack on AI/ML Tooling – Lab Space — reactive:ai-security-nexus
  79. [79] LiteLLM and Telnyx compromised on PyPI: Tracing the TeamPCP ... — reactive:ai-security-nexus
  80. [80] The Telnyx SDK on PyPI Compromise and the 2026 TeamPCP ... — reactive:ai-security-nexus
  81. [81] No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and ... — reactive:ai-security-nexus
  82. [82] Claude Mythos and the AI Autonomous Offensive Threshold — reactive:frontier-ai-cyber-capabilities
  83. [83] Mini Shai-Hulud npm Attack: AntV Ecosystem Compromise (May 2026) | Chainguard — reactive:ai-security-nexus
  84. [84] Mini Shai-Hulud Resurfaces; Compromised Maintainer of antv, timeago, and size-sensor Packages Revives Worm Activity | Semgrep — reactive:ai-security-nexus
  85. [85] IBM X-Force OSINT Advisory Mini Shai-Hulud Hits AntV: 300+ ... — reactive:ai-security-nexus
  86. [86] npm Supply Chain Attack Compromises AntV | Orca Security — reactive:ai-security-nexus
  87. [87] Reverse Shai-Hulud: Supply chain compromise impacts @antv packages — reactive:ai-security-nexus
  88. [88] Shai-Hulud: Here We Go Again. Mass npm Supply Chain Attack Hits the AntV Ecosystem - StepSecurity — reactive:ai-security-nexus
  89. [89] Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft | Microsoft Security Blog — reactive:ai-security-nexus
  90. [90] TeamPCP / Mini Shai-Hulud npm Campaign: 600 Packages, Confirmed Active Payload, Memory Scraping, and 2,500+ Compromised GitHub Repositories - Phoenix Security — reactive:ai-security-nexus
  91. [91] When supply-chain attacks meet coding agents, look out — reactive:ai-coding-cpu-demand-surge
  92. [92] LiteLLM supply chain attack explained - Software Improvement Group — reactive:ai-security-nexus
  93. [93] A Practitioner’s Guide to Responding to the TeamPCP Supply Chain Attacks | Ebook/Report | Endor Labs — reactive:ai-security-nexus
  94. [94] "Shai-Hulud" Malware Hits 170+ npm & PyPi Packages - OX Security — reactive:ai-security-nexus
  95. [95] It's Bigger Than TeamPCP. Open Source Is Under Siege. - YouTube — reactive:ai-security-nexus
  96. [96] TeamPCP's Multi-Stage Supply Chain Attack on Security Infrastructure — reactive:ai-offensive-cyber
  97. [97] The npm Threat Landscape: Attack Surface and Mitigations ... — reactive:openai-advanced-account-security
  98. [98] A Technical Write Up on the Trivy Supply Chain Attack - Reddit — reactive:ai-security-nexus
  99. [99] Mini Shai-Hulud Escalates: AI Packages and GitHub Targeted – Lab Space — reactive:ai-security-nexus
  100. [100] GitHub Breach Linked To Malicious VS Code Extension ... - LinkedIn — reactive:ai-security-nexus
  101. [101] 170 npm packages compromised in one coordinated supply chain attack — OpenAI, Mistral AI, even the European Commission g... — reactive:ai-security-nexus (2026-05-23)
  102. [102] RT @IntCyberDigest: ‼️🚨 This is wild. OpenAI just confirmed it got hit in the TanStack npm supply chain attack, and the ... — reactive:ai-security-nexus (2026-05-23)
  103. [103] The TanStack npm supply chain attack (CVE-2026-45321) is wild. — reactive:ai-security-nexus (2026-05-22)
  104. [104] GitHub Confirms 3,800-Repo Breach Traced to TanStack npm Supply Chain Worm #cybersecurity #supplychain #GitHub #OpenAI #... — reactive:ai-security-nexus (2026-05-21)
  105. [105] RT @IntCyberDigest: ‼️🚨 This is wild. OpenAI just confirmed it got hit in the TanStack npm supply chain attack, and the ... — reactive:ai-security-nexus (2026-05-21)
  106. [106] OpenAI has published its retrospective on the TanStack npm supply chain attack. — reactive:ai-security-nexus (2026-05-20)
  107. [107] 1:10 TanStack/npm Supply Chain Worm Hits 170+ Packages, Reaches OpenAI @tan_stack @tannerlinsley @OpenAI @npm — reactive:ai-security-nexus (2026-05-20)
  108. [108] The "Mini Shai-Hulud" supply chain attack by TeamPCP compromised 170 npm and PyPI packages, including @tanstack/react-router with 12 million downloads... — reactive:ai-security-nexus (2026-05-19)
  109. [109] Supply chain attacks on npm packages are not a new threat — but watching one hit OpenAI employees via TanStack is a remi... — reactive:ai-security-nexus (2026-05-19)
  110. [110] A threat actor identified with the TeamPCP alias is claiming to offer ... — reactive:ai-security-nexus
  111. [111] GitHub investigates internal repositories breach claimed by TeamPCP — reactive:ai-security-nexus
  112. [112] OpenAI Confirms TanStack npm Security Breach - LinkedIn — reactive:ai-security-nexus
  113. [113] Kicking the Tires: A Voluntary Path to Pre-deployment AI Vetting | Lawfare — reactive:claude-mythos-capability-regulation
  114. [114] Pre-Deployment AI Evaluation Moves From China's Model To ... — reactive:ai-deployment-misalignment-risk
  115. [115] 😺 Microsoft: your company is the AI bottleneck — The Neuron (2026-05-11)
  116. [116] OpenAI mandates a macOS update after a supply chain attack that affected TanStack, npm packages and several a... — reactive:ai-security-nexus (2026-05-16)
  117. [117] OpenAI Confirms Security Breach Via TanStack npm Supply Chain Attack via @knolinfos https://t.co/gORBgXYLpY — reactive:ai-security-nexus (2026-05-16)
  118. [118] 🚨 OPENAI EMPLOYEE DEVICES COMPROMISED — reactive:ai-security-nexus (2026-05-16)
  119. [119] OpenAI Confirms Security Breach Via TanStack npm Supply Chain Attack https://t.co/hyRTbyclv2 — reactive:ai-security-nexus (2026-05-16)
  120. [120] TeamPCP sells Mistral AI repo after TanStack attack on OpenAI — reactive:ai-security-nexus (2026-05-18)
  121. [121] TeamPCP Claims Sale of Mistral AI Repositories Amid Mini Shai ... — reactive:ai-security-nexus
  122. [122] Hackers Put Mistral AI Source Code Up for Sale After Supply Chain Attack — reactive:ai-security-nexus
  123. [123] TeamPCP Claims Sale of Internal Mistral AI Repositories Amid Mini ... — reactive:ai-security-nexus
  124. [124] Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages — reactive:ai-security-nexus
  125. [125] TeamPCP Targets Telnyx Package in Latest Software Supply Chain Attack - Infosecurity Magazine — reactive:ai-security-nexus
  126. [126] Mistral AI among npm, PyPI packages hit by Mini Shai Hulud — reactive:ai-security-nexus
  127. [127] NVD - CVE-2026-33634 — reactive:ai-security-nexus
  128. [128] LiteLLM Supply Chain Attack: What Happened and How to Respond — reactive:ai-security-nexus
  129. [129] Trivy and LiteLLM Supply Chain Incident (CVE-2026-33634) Update — reactive:ai-security-nexus
  130. [130] Security Update: Suspected Supply Chain Incident | liteLLM — reactive:ai-security-nexus
  131. [131] CVE-2026-33634 - CVE Record — reactive:ai-security-nexus
  132. [132] Endor Patches | CVE-2026-33634, Trivy ecosystem supply chain was briefly compromised — reactive:ai-security-nexus
  133. [133] Trivy ecosystem supply chain was briefly compromised | GitLab Advisory Database (GLAD) — reactive:ai-security-nexus
  134. [134] Trivy ecosystem supply chain temporarily compromised · Advisory · aquasecurity/trivy · GitHub — reactive:ai-security-nexus
  135. [135] Mini Shai-Hulud Targets SAP npm Packages - Upwind Security — reactive:ai-security-nexus