The SecurityWeek article reports that the hacking group TeamPCP has released the source code of its Shai-Hulud worm, inviting miscreants to use it in supply chain attacks and offering monetary rewards. The code was posted to GitHub repositories under several user accounts; those repositories were later removed, but multiple forks appeared in the wake of the leak.
Datadog’s analysis described a modular framework within the source, including loaders, secrets-harvesting modules, an information collector, a dispatcher, exfiltrators and mutators, along with persistence and dead-man switch mechanisms.
The release also exposed indicators from earlier Shai-Hulud attacks, including the targeting of developer and cloud credentials, API keys and tokens, and exfiltration to GitHub repositories and a predefined C&C server. It also highlighted that hashes of the compiled artifacts cannot be reproduced, because each build uses a new random passphrase to seed its string encoding, a measure that defeats hash-based signature matching. According to Ox Security, threat actors have already started modifying the source code for new attacks.
Security researchers emphasised that the open sourcing and the BreachForums contest could trigger a sustained spike in supply chain compromise activity, and advised isolating affected systems and tightening build pipelines.