TeamPCP Leaked the Shai-Hulud Source. Within a Week, a Copycat Pushed Clones to npm.
A single npm user account pushed four malicious packages, including a near-verbatim clone of the Shai-Hulud worm, within a week of TeamPCP open-sourcing the worm source on BreachForums. Mini Shai-Hulud has graduated from a campaign to an ecosystem capability.
A single npm user account pushed four malicious packages — including a near-verbatim clone of the Shai-Hulud worm — within a week of TeamPCP open-sourcing the worm source on BreachForums. The clone uses the attacker's own command-and-control endpoint and private key but is otherwise lifted "almost without any change at all," per OX Security. The four packages, totaling roughly 3,006 downloads before takedown, include a credentials stealer and a Golang Phantom Bot DDoS loader. Mini Shai-Hulud has graduated from a TeamPCP campaign to an ecosystem capability.
TEL AVIV, ISRAEL — On May 17 and 18, 2026, researchers at OX Security and other npm-focused supply chain teams documented the first copycat campaign weaponizing the Shai-Hulud worm code that TeamPCP open-sourced on BreachForums roughly one week earlier as part of a self-described "supply chain attack competition." A single npm user account, registered as deadcode09284814, published four malicious packages that together accumulated approximately 3,006 downloads before the npm registry removed them. The lineup included chalk-tempalte, a near-verbatim clone of the Shai-Hulud worm with the attacker's own command-and-control infrastructure and private key swapped in (825 downloads); @deadcode09284814/axios-util, a credentials stealer (284 downloads); axois-utils, a Golang Phantom Bot DDoS loader supporting HTTP, TCP, and UDP floods (963 downloads); and color-style-utils, a second credentials stealer that harvests SSH keys, environment variables, cloud credentials, system metadata, IP addresses, and cryptocurrency wallet data (934 downloads). OX Security characterized the worm clone as lifted "almost without any change at all" from the public TeamPCP release.
What Happened
The TeamPCP Source Release
TeamPCP, the operator collective behind the original Shai-Hulud worm campaign and the subsequent Mini Shai-Hulud follow-on, posted the worm's source code to BreachForums roughly one week before the copycat campaign surfaced. The release was framed as a "supply chain attack competition": an open invitation for other actors to fork, modify, and deploy. Within days, that invitation produced its first documented uptake. The release also reset the operational economics of npm-targeted worms. The main cost of building one had been the engineering work TeamPCP had already done; with the source public, that cost collapsed to near zero, leaving only the work of re-keying the code and republishing it under a new name.
The Copycat Account
The new actor operates as a single npm user, deadcode09284814 (the handle is all lowercase), with no known prior tradecraft and no operator overlap with TeamPCP. Across roughly 24 to 48 hours, the account published four malicious packages targeting different layers of the supply chain attack stack: a worm clone, two credentials stealers, and a Phantom Bot DDoS loader written in Golang. The package names rely on classic typosquats, chalk-tempalte for chalk-template and axois-utils for axios-utils, to pick up developers who fat-finger an install or whose AI coding assistants hallucinate a similar-looking dependency.
The Worm Clone
chalk-tempalte is the headline package. OX Security's analysis found the code was lifted from TeamPCP's release "almost without any change at all," with only the command-and-control endpoint and the private key swapped to the copycat's own infrastructure. That is the floor on tradecraft: the actor did not engineer their own worm, did not modify the propagation logic, did not refactor the credential theft routines. They forked, re-keyed, and republished. The Phantom Bot loader and the two stealers are independent builds — but the worm itself is a near-verbatim derivative work.
Scope and Impact
Three thousand downloads is small for an npm campaign, but the metric that matters here is not raw distribution — it is precedent. A single actor with no demonstrated worm-engineering capability published a working Shai-Hulud derivative within days of the source code becoming public. Every actor with an npm account and a copy of the BreachForums archive can now do the same. The two credential-stealing packages and the Phantom Bot loader expand the kit beyond the worm itself: the copycat is publishing an integrated supply chain attack stack, not a single payload. That stack — worm, stealer, DDoS bot — covers infection, monetization, and follow-on capability from one account.
The broader pattern is the one CyberSignal has been tracking across the spring 2026 cycle. The Mini Shai-Hulud campaign hit TanStack, Mistral, and 170 npm packages before forcing OpenAI into a code-signing certificate rotation and culminated in TeamPCP's $25,000 Mistral source-code auction. The npm registry has also absorbed the node-ipc stealer backdoor targeting developer secrets inside the same six-week window, while RubyGems suspended new signups in response to a parallel attack wave on its own registry. The copycat clones are not a one-off — they are the predictable downstream of a worm whose source is now in the wild.
Response and Attribution
npm removed all four packages following coordinated reports from OX Security and follow-on researchers. The registry's response window — measured in hours, not days — is the operational baseline at this point. There has been no attribution beyond the deadcode09284814 handle itself; the account has no documented prior activity, no overlap with TeamPCP operator infrastructure, and the C2 and private key embedded in chalk-tempalte are different from TeamPCP's. OX Security's read, and the one the corroborating outlets accept, is that this is a distinct actor reusing TeamPCP's code rather than a TeamPCP affiliate.
For defenders, the immediate work is twofold. First, audit any pull-through registries, internal mirrors, and lockfiles for the four package names (chalk-tempalte, @deadcode09284814/axios-util, axois-utils, color-style-utils) and treat any machine where one was installed as compromised: rotate every credential it could reach, which for the stealers described above means SSH keys, environment variables, cloud credentials, and wallet material, not only the npm token. A hit on a CI runner or a shared mirror widens the exposure to every pipeline and developer that pulled from it, so scope the rotation accordingly. Second, expect more. The TeamPCP source release is now an ecosystem capability, and the cost to fork it just dropped to a few hours of work for any actor willing to operate an npm account.
The CyberSignal Analysis
Signal 01 — The Worm Source Is Now an Ecosystem Capability
When TeamPCP posted Shai-Hulud's source on BreachForums, the operational economics of npm worm authorship reset to near-zero. The copycat proves the new floor: an actor with no demonstrated worm-engineering capability can publish a working derivative inside a week. That is qualitatively different from where the registry was four weeks ago. The defensive implication is that npm — and by extension the rest of the open-source supply chain — should expect a sustained tail of low-tradecraft Shai-Hulud forks for months, not a single follow-on event. The TeamPCP Mistral auction demonstrated the operator collective could monetize the worm directly; the source release demonstrates they're willing to commoditize it as well. Both threat models are now live simultaneously.
Signal 02 — Typosquats Have Outlived Every Mitigation We've Tried
Three of the four malicious packages — chalk-tempalte, axois-utils, and the namespaced @deadcode09284814/axios-util — rely on classic typosquatting and namespace-confusion patterns that have been a known attack vector for nearly a decade. The capability gap is not technical — npm has tooling for similar-name detection, and SLSA-style provenance frameworks exist — it is the gap between what is deployed at registry scale and what individual projects enforce in their dependency pipelines. The node-ipc stealer campaign and the RubyGems signup suspension both reinforce the same point: the registry-level controls available today are not catching the volume of malicious uploads, and downstream consumers cannot rely on them as the primary defense.
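As an added example (not OX Security's analysis tooling, not npm's registry-side detection, and nothing from the TeamPCP release), the following Node.js script does the lockfile audit recommended in the response section above and the similar-name check this Signal says registries already have tooling for. It walks a lockfileVersion 2/3 package-lock.json, flags the four reported package names, flags scoped packages whose bare name mirrors a popular package (the namespace-confusion pattern), and flags names one edit away from a popular one, counting an adjacent-character transposition as a single edit because that is exactly what chalk-tempalte and axois-utils are. The POPULAR list, the @types allowlist, the sample lockfile, and the names expres and @evil/axios are constructed for the demo and are not from the article.

```javascript
// Added example: audit a package-lock.json for the four reported package
// names and for typosquat / namespace-confusion lookalikes of popular packages.
// Not OX Security's or npm's tooling.

// Indicators from the article.
const KNOWN_MALICIOUS = new Set([
  "chalk-tempalte",
  "@deadcode09284814/axios-util",
  "axois-utils",
  "color-style-utils",
]);

// Assumed, deliberately short list of high-traffic targets; a real audit
// would load the registry's top-N package names instead.
const POPULAR = new Set([
  "chalk", "chalk-template", "axios", "axios-utils", "lodash", "express", "debug",
]);

// Assumed allowlist of scopes whose bare names legitimately mirror popular packages.
const TRUSTED_SCOPES = new Set(["@types"]);

// Optimal-string-alignment (restricted Damerau-Levenshtein) distance: an
// adjacent transposition such as "tempalte" vs "template" costs 1, not 2.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Dependency names from a v2/v3 lockfile: keys in "packages" are paths such as
// "node_modules/foo" or "node_modules/foo/node_modules/@scope/bar"; the
// package name is whatever follows the last "node_modules/".
function lockfileNames(lock) {
  const names = new Set();
  for (const key of Object.keys(lock.packages || {})) {
    const idx = key.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project entry, not a dependency
    names.add(key.slice(idx + "node_modules/".length));
  }
  return [...names].sort();
}

// Returns a finding object or null. Deny-list first, then the heuristics.
function classify(name) {
  if (KNOWN_MALICIOUS.has(name)) return { name, kind: "known-malicious" };
  const scoped = name.startsWith("@");
  const scope = scoped ? name.split("/")[0] : null;
  const bare = scoped ? name.split("/")[1] : name;
  if (scoped && TRUSTED_SCOPES.has(scope)) return null;
  if (!scoped && POPULAR.has(bare)) return null; // the genuine package
  for (const target of POPULAR) {
    const dist = osaDistance(bare, target);
    if (scoped && dist === 0) return { name, kind: "scoped-shadow", target };
    if (dist === 1) return { name, kind: "near-name", target };
  }
  return null;
}

function auditLockfile(lock) {
  return lockfileNames(lock).map(classify).filter(Boolean);
}

// Constructed lockfile fragment for the demo; "expres" and "@evil/axios" are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/chalk-tempalte": { version: "1.0.0" },
    "node_modules/axois-utils": { version: "0.1.2" },
    "node_modules/@deadcode09284814/axios-util": { version: "1.0.0" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/@types/express": { version: "4.17.21" },
    "node_modules/expres": { version: "0.0.1" },
    "node_modules/foo/node_modules/@evil/axios": { version: "9.9.9" },
  },
};

// Usage: node audit.js [path/to/package-lock.json]; without a path, audits the sample.
if (typeof module !== "undefined" && typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) {
    console.log(`${f.kind}\t${f.name}${f.target ? `  (lookalike of ${f.target})` : ""}`);
  }
}
```

A deny-list hit is a verdict; a near-name or scoped-shadow hit is a triage candidate, since a legitimately named package one edit from a popular one fires the same rule. Run it against the lockfile committed in each repository and against whatever manifest your internal mirror or pull-through cache exposes, not only against a developer's node_modules.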
Signal 03 — Phantom Bot in npm Is a New Pivot
axois-utils is the most operationally interesting of the four packages, because it is not a worm and not a stealer — it is a Golang-built DDoS loader. That tells defenders something specific about how this actor and the next ones think about npm. The registry is no longer just a credential-harvesting and self-propagation channel; it is also a delivery vector for follow-on attack capability that has nothing to do with the developer who installed the package. A CI/CD runner or developer workstation infected by axois-utils becomes part of a botnet aimed at someone else entirely. That is the same model that powered PCPJack's evolution from credential theft to multi-stage cloud worming — npm is being treated as a generic foothold, and the next wave of copycats is likely to bring more loader variety, not less.