TeamPCP, DeadCat, Supply Chain Attack, Jenkins, Checkmarx, npm, TanStack, Mini Shai-Hulud, CI/CD Compromise, OIDC Hijacking
Source Material: Checkmarx Security Advisory; TanStack Postmortem | Technology: Jenkins (CI/CD); npm Ecosystem; GitHub Actions; OIDC | Targeted Industries: Technology; Software Development; AI Research; Financial Services
Executive Summary
On May 11, 2026, the threat actor known as TeamPCP (associated with the DeadCat persona) escalated a months-long supply chain campaign by compromising the official Checkmarx Jenkins AST Plugin and launching a self-propagating “npm worm” through the TanStack ecosystem. This update tracks an evolution in the threat actor’s methodology: the transition from infrastructure reconnaissance to the active poisoning of software artifacts carrying authenticated release signatures.
The campaign utilized the Mini Shai-Hulud worm to compromise over 170 packages across the npm ecosystem, including the @tanstack namespace, enterprise automation tooling from UiPath, and the official OpenSearch JavaScript client (which averages over 1.3 million weekly downloads). Furthermore, the campaign has successfully crossed into the Python Package Index (PyPI), compromising official AI SDKs such as mistralai and guardrails-ai. Notably, the malicious updates in the npm ecosystem carried valid SLSA Build Level 3 provenance. The attacker successfully hijacked ephemeral OpenID Connect (OIDC) tokens within legitimate GitHub Actions release pipelines, allowing the malware to appear as a “verified” build and bypassing traditional automated supply chain security gates.
Simultaneously, a backdoor was identified in version 2026.5.09 of the Checkmarx Jenkins AST Plugin. This backdoor targets Jenkins credential stores to harvest cloud environment secrets and downstream deployment keys. Deepwatch recommends immediate rotation of all OIDC trust relationships and CI/CD secrets for organizations utilizing Jenkins or TanStack frameworks.
Threat Overview and Strategic Impact
The current activity represents an evolution of the TeamPCP campaign initially identified in March 2026. Transitioning from infrastructure reconnaissance, the threat actor is now actively compromising SLSA (Supply-chain Levels for Software Artifacts) provenance. By successfully hijacking ephemeral OpenID Connect (OIDC) tokens during the build process, TeamPCP injected malicious code into the @tanstack/router ecosystem while maintaining a valid cryptographic signature from the GitHub Actions runner.
According to TanStack and StepSecurity analyses, the SLSA bypass relied on a specific three-step vulnerability chain. First, TeamPCP triggered a pull_request_target workflow using a malicious fork to exploit a “Pwn Request” vulnerability. Second, this execution poisoned the GitHub Actions cache across the fork-to-base trust boundary. Finally, when the legitimate release workflow ran, it restored the poisoned cache. This allowed attacker-controlled binaries to scrape the runner’s process memory (/proc/<pid>/maps and /mem) to extract the OIDC token before the legitimate publish step occurred.
Further analysis by Endor Labs revealed the precise mechanism used to trigger these malicious builds: an “orphaned commit.” The attacker pushed a detached commit (with no parent history) to a malicious fork of the target repository. Because GitHub stores objects in shared storage across a repository and its forks, this commit was reachable via the upstream repository. This allowed the attacker to trigger a legitimate GitHub Actions workflow on the base repository while completely bypassing branch protection rules, ultimately minting a valid publish token.
Additionally, the campaign’s expansion into PyPI introduces a dangerous new execution vector. According to SafeDep, rather than relying on installation hooks (preinstall), the PyPI malware injects a dropper directly into the package’s __init__.py file. This means the payload triggers upon import rather than pip install, allowing it to bypass sandboxed installation environments entirely.
Alongside the TanStack compromise, TeamPCP demonstrated persistent access to Checkmarx infrastructure by backdooring the Jenkins AST Plugin (v2026.5.09). This secondary payload specifically targets the harvesting of Jenkins credential stores.
The malware associated with these campaigns heavily utilizes decentralized and encrypted exfiltration channels. The TanStack payload routes stolen secrets over the Session/Oxen decentralized P2P messenger network, rendering traditional IP-based blocking ineffective. Similarly, persistence mechanisms are established through developer IDEs (modifying .vscode and .claude configuration directories) and a local gh-token-monitor service acting as a dead-man’s switch.
Security Hardening and Recommendations
Deepwatch recommends a prioritized approach to remediation, focusing on stopping propagation and secure secret rotation.
1. Immediate Package and Plugin Remediation
- Jenkins: Immediately uninstall Checkmarx Jenkins AST Plugin version 2026.5.09. Upgrade to the verified patched version 2.0.13-848.v76e89de8a_053 or later.
- TanStack: Audit all projects for @tanstack dependencies. Force-update to the latest versions released after May 11, 18:00 UTC, which have been republished with clean provenance.
- NPM Audit: Run npm audit specifically looking for the “Mini Shai-Hulud” signature in lockfiles (specifically checking for unauthorized preinstall or postinstall scripts in the node_modules directory).
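The install-script check in the NPM Audit step can be scripted. The following is an added example, not part of the advisory or of Deepwatch tooling: it lists every package under node_modules that declares an install-time lifecycle script, and every package-lock.json (v2/v3) entry flagged with hasInstallScript. The allowlist parameter and function names are assumptions of this example, and the install hook is included alongside preinstall and postinstall because npm runs it at install time as well.

```python
import json
import os

# npm runs these lifecycle scripts automatically during `npm install`.
HOOKS = ("preinstall", "install", "postinstall")

def lockfile_install_scripts(lock):
    """Paths in a parsed package-lock.json (v2/v3) whose entry sets hasInstallScript."""
    packages = lock.get("packages", {})
    return sorted(p for p, meta in packages.items() if meta.get("hasInstallScript"))

def find_install_hooks(node_modules, allowlist=()):
    """Return sorted (package, version, hook, command) tuples found under node_modules."""
    found = []
    for dirpath, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing to evaluate
        if not isinstance(manifest, dict):
            continue
        name, scripts = manifest.get("name"), manifest.get("scripts")
        # Nameless manifests (fixtures, build stubs) and reviewed packages are skipped.
        if not name or not isinstance(scripts, dict) or name in allowlist:
            continue
        for hook in HOOKS:
            if hook in scripts:
                version = str(manifest.get("version", "?"))
                found.append((str(name), version, hook, str(scripts[hook])))
    return sorted(found)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "node_modules"
    for name, version, hook, command in find_install_hooks(target):
        print(f"{name}@{version} {hook}: {command}")
```

Every hit is a lead for review rather than a verdict, since native add-ons legitimately use install scripts; compare results against a known-good baseline of the same project.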
2. Containment and Secret Rotation
- CRITICAL WARNING: Do not blindly revoke NPM or GitHub tokens! The attacker leaves a trap by creating an NPM token with the description IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner. Concurrently, the malware installs a system-level dead-man’s switch (gh-token-monitor) that actively polls GitHub APIs. If it detects that the stolen token has been revoked, it triggers a destructive wipe routine (rm -rf ~/) on the compromised host.
- Step A: Isolate affected hosts and disable the gh-token-monitor local service on any affected Linux/macOS developer endpoints before rotating any credentials.
- Step B: Rotate all GitHub and NPM OIDC trust configurations.
- Step C: Only after confirming local persistence mechanisms are neutralized, revoke all existing NPM access tokens and GitHub Personal Access Tokens (PATs) that had “write” or “workflow” permissions.
3. DevSecOps Hardening
- Implement Pinning: Transition from using “latest” or version ranges in CI/CD pipelines to using full SHA-256 commit hashes for all GitHub Actions and third-party plugins.
- Secrets Scanning: Deploy TruffleHog or GitHub Secret Scanning specifically to detect the presence of “kralizec-navigator” or “spice-extraction” patterns in CI logs, which are indicative of TeamPCP data staging.
- Audit CI/CD Triggers: Immediately audit all GitHub Actions workflows utilizing the pull_request_target trigger. Ensure these workflows do not check out and execute untrusted fork code alongside base-repository cache writes.
- Purge Poisoned Caches: For repositories utilizing TanStack or those that have vulnerable pull_request_target configurations, immediately purge all GitHub Actions caches to remove potentially lingering poisoned entries.
- Implement DNS-Level Blocking: Because the Shai-Hulud worm exfiltrates via a decentralized P2P network, IP blocking is ineffective. Implement strict DNS-level blocking for *.getsession.org to prevent data exfiltration.
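The pinning and trigger audits above can be run across a repository's workflow files. The following is an added example, not part of the advisory or of Deepwatch tooling: a line-based heuristic that flags unpinned uses: references and pull_request_target workflows that reference a fork ref or use actions/cache. The sample workflow is constructed, and accepting a 40- or 64-hex-character ref as a full commit hash is an assumption of this example.

```python
import re

# Pinned means the ref after "@" is a full commit hash (40 hex chars, or 64 on SHA-256 repos).
FULL_HASH = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")
USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# Expressions that resolve to fork-controlled code inside a pull_request_target run.
FORK_REF = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref|refs/pull/")

# Constructed sample workflow, not taken from any real repository.
SAMPLE = """\
on:
  pull_request_target:
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - run: npm ci && npm test
"""

def audit_workflow(text):
    """Return sorted heuristic findings for the text of one workflow file."""
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("#")]
    body = "\n".join(lines)
    prt = re.search(r"\bpull_request_target\b", body) is not None
    findings = set()
    for ln in lines:
        match = USES.match(ln)
        if not match or match.group(1).startswith(("./", "docker://")):
            continue  # local actions and container images are not commit-pinned
        name, _, ref = match.group(1).partition("@")
        if not FULL_HASH.match(ref):
            findings.add(f"unpinned action: {match.group(1)}")
        if prt and name.lower().startswith("actions/cache"):
            findings.add("cache used in pull_request_target workflow")
    if prt and FORK_REF.search(body):
        findings.add("pull_request_target workflow references fork-controlled ref")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```

Because the check is textual, a fork ref that appears only in an if: condition is also reported; review each finding against the workflow before changing it.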
Detection Strategy
Because standard signature-based detection is insufficient against attackers leveraging legitimate tools (npm, GitHub Actions) and decentralized networks (Session/Oxen), the detection strategy for this campaign requires a defense-in-depth approach focused on post-exploitation behaviors and CI/CD pipeline anomalies. Defenders must actively monitor for behavioral anomalies such as unexpected child processes spawned by package managers (e.g., bun or node spawning python3 to read /proc/*/mem), unauthorized npm publish events, and API calls querying npm for tokens with bypass_2fa enabled. Additionally, detection efforts should target unauthorized network egress from build runners, unexpected modifications to hidden IDE configuration directories (e.g., .vscode, .claude) on developer workstations, and anomalous OIDC token usage originating from unexpected infrastructure.
How Deepwatch Protects Our Customers
Deepwatch Adversary Tactics and Intelligence (ATI) is actively tracking the TeamPCP campaign and continuously updating our Threat Intelligence Platform with newly observed indicators and TTPs. Our Security Operations Center (SOC) is continuously monitoring customer environments for the network and endpoint behaviors associated with this supply chain compromise. Deepwatch applies curated threat intelligence to our detection and alerting strategy, ensuring that our analytics can identify anomalous OIDC usage, suspicious payload executions from package managers, and unauthorized data exfiltration attempts. Our Threat Hunters periodically conduct proactive sweeps across customer environments to identify suspicious activity.
Relevant Detections
Please visit Security Center to access the relevant detections for this activity.
Threat Hunting Leads
Threat Hunting efforts should focus on identifying traces of the payload or persistence mechanisms that may have evaded initial detection.
- File System Sweeps: Hunt across developer workstations and CI/CD nodes for the presence of the router_init.js payload or the gh-token-monitor.sh / gh-token-monitor.service files. Look for unauthorized setup.mjs shim files injected into .vscode or .claude directories.
- Network Sweeps: Query DNS logs for resolutions to filev2.getsession.org, api.masscan.cloud, and git-tanstack.com.
- Log Analysis: Search CI/CD build logs for unauthorized execution of pull_request_target workflows running fork-controlled code, or unexpected HTTP 40x errors related to token revocation events that precede bulk file deletion activities.
- Code Repository Audits: Search internal repositories for unexpected commits containing the string OhNoWhatsGoingOnWithGitHub, or commits authored by [email protected] pushing code to branches utilizing the dependabout/ naming convention.
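The file system and network sweeps above can be combined into one hunt helper. The following is an added example, not part of the advisory or of Deepwatch tooling; the file names and domains are the ones listed in this advisory, while the DNS log lines are constructed and their layout is an assumption (the matcher only needs the queried hostname to appear somewhere on the line).

```python
import os
import re

# File names and domains below are the hunting leads named in this advisory.
PAYLOAD_NAMES = {"router_init.js", "gh-token-monitor.sh", "gh-token-monitor.service"}
IDE_DIRS = {".vscode", ".claude"}
# getsession.org is matched as a suffix, so filev2.getsession.org is covered.
HUNT_DOMAINS = ("getsession.org", "api.masscan.cloud", "git-tanstack.com")
HOSTNAME = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)

# Constructed resolver log lines; real resolver formats differ.
SAMPLE_DNS = [
    "2026-05-12T09:14:02Z 10.0.4.17 A registry.npmjs.org.",
    "2026-05-12T09:14:05Z 10.0.4.17 A filev2.getsession.org.",
    "2026-05-12T09:14:09Z 10.0.4.17 AAAA Git-TanStack.com",
    "2026-05-12T09:14:11Z 10.0.4.17 A api.masscan.cloud.example.net",
]

def sweep_files(root):
    """Return sorted paths of payload files, plus setup.mjs shims inside IDE directories."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        in_ide_dir = bool(set(dirpath.split(os.sep)) & IDE_DIRS)
        for filename in files:
            if filename in PAYLOAD_NAMES or (filename == "setup.mjs" and in_ide_dir):
                hits.append(os.path.join(dirpath, filename))
    return sorted(hits)

def sweep_dns(log_lines):
    """Return (line_number, hostname) for each query to a hunted domain or its subdomains."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for host in HOSTNAME.findall(line):
            host = host.lower()
            # Exact or dot-anchored suffix match, so look-alike parents do not hit.
            if any(host == d or host.endswith("." + d) for d in HUNT_DOMAINS):
                hits.append((number, host))
    return hits

if __name__ == "__main__":
    for path in sweep_files(os.path.expanduser("~")):
        print("file:", path)
    for number, host in sweep_dns(SAMPLE_DNS):
        print(f"dns line {number}: {host}")
```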
Technical Artifacts
Please visit Security Center to access the associated technical artifacts.
Threat Object Mapping
Intrusion Set:
- TeamPCP (also tracked as DeadCat, DeadCatx3, PCPcat, ShellForce, CipherForce)
Attack Pattern (MITRE ATT&CK):
| Technique ID | Technique Name | Context / Usage |
| T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | Primary attack vector utilized to compromise the Checkmarx Jenkins AST Plugin and TanStack npm packages. |
| T1528 | Steal Application Access Token | OIDC Token Hijacking via process memory scraping on GitHub Action runners to authorize malicious npm publishes. |
| T1552.001 | Unsecured Credentials: Credentials In Files | Systematic harvesting of developer secrets and tokens from local .npmrc and .git-credentials files. |
| T1552.004 | Unsecured Credentials: Private Keys | Harvesting developer SSH keys from compromised environments. |
| T1552.005 | Unsecured Credentials: Cloud Instance Metadata API | Exploitation of AWS IMDSv2 to extract cloud instance identity credentials. |
| T1053.005 | Scheduled Task/Job: Scheduled Task | Establishing persistent access via the gh-token-monitor service (dead-man’s switch) on Linux and macOS environments. |
| T1562.001 | Impair Defenses: Disable or Modify Tools | GitHub Actions cache poisoning across the fork-to-base repository trust boundary. |
| T1048.002 | Exfiltration Over Alternative Protocol | C2 communications and data exfiltration routed over the decentralized Session/Oxen P2P network and GitHub GraphQL dead-drop commits. |
| T1199 | Trusted Relationship | Exploitation of the trust boundary between a malicious fork and the upstream base repository (via orphaned commits) to bypass branch protections and execute unauthorized GitHub Actions workflows. |
| T1548 | Abuse Elevation Control Mechanism | Bypassing repository branch protection rules to exploit overly broad OIDC trust configurations, allowing the attacker to mint valid npm publish tokens. |
Vulnerabilities:
- CVE-2026-45321: TanStack npm Packages Compromised (GHSA-g7cv-rxg3-hmpx)
Malware/Tool:
- Mini Shai-Hulud: A self-propagating npm worm capable of harvesting secrets, bypassing SLSA provenance via OIDC hijacking, and establishing persistent backdoors via developer IDE configurations.
- Checkmarx Jenkins AST Backdoor: A customized, “Dune-themed” credential harvesting payload injected into version 2026.5.09 of the official Jenkins AST Plugin, designed to steal Jenkins credential stores.
Additional Sources
- Snyk: TanStack npm Packages Hit by Mini Shai-Hulud
- The Hacker News: TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack
- SOCRadar: Checkmarx Jenkins Plugin Backdoored in New TeamPCP Supply Chain Attack
- StepSecurity: TeamPCP’s Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages
- Endor Labs: Shai-Hulud compromises the @tanstack ecosystem: 160+ packages compromised
- SafeDep: Mass Supply Chain Attack Hits TanStack, Mistral AI npm and PyPI Packages
- Socket: TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud Supply-Chain Attack
- Aikido: Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages, including Mistral and Tanstack