Session

The Worm That CI/CD Was Never Built to Stop: What the Last Two Years of Malware Have (Not) Taught Us


Between late 2025 and June 2026, TeamPCP ran the most methodically engineered software supply chain campaign on record. Not the noisiest — the most methodical. Across npm, PyPI, GitHub Actions, Docker Hub, and IDE integrations, they refined a single operational insight: the entire DevSecOps toolchain, from lifecycle hooks to OIDC signing to AI coding assistants, can be turned against the developer running it. Zero CVEs were assigned across any wave. Every standard check passed. Packages were signed. Provenance was verifiable. The code was malicious.
This talk is a two-year technical autopsy.
It covers three campaign generations. First, Shai-Hulud V1/V2 — the proof-of-concept npm worm that hit ~700 malicious package versions, 25,000+ attacker-abused GitHub repositories, and 37 organizations in under 24 hours. Then Mini Shai-Hulud and the OIDC pivot — packages published with cryptographically valid Sigstore provenance, with TanStack, Mistral AI, Bitwarden CLI, OpenSearch, and Guardrails AI all hit in the same wave. Then Miasma, released open-source in June 2026: it targets 13 AI coding assistants including Claude Code, Copilot, Gemini CLI, Cursor, and Amazon Q, injects persistence into SessionStart hooks that survive tool reinstallation, and uses prompt injection via instruction files to execute payloads silently. The AI isn't compromised. It's following its own config.
The session traces how TeamPCP's tradecraft changed across waves. Early campaigns used postinstall hooks and GitHub token abuse. Later waves introduced operational polymorphism — filenames, execution engines, and exfiltration channels rotate with each release while the kill chain structure stays constant. That distinction is what makes hash-based detection useless and behavioral detection mandatory. The Mini Shai-Hulud wave showed that OIDC Trusted Publisher configurations can be abused to produce Sigstore-verified provenance for backdoored packages. npm audit signatures returns PASS. SAST returns clean. CVE database: nothing. Miasma went further still — GitHub's public commit search API doubles as a command-and-control channel, no dedicated infrastructure needed.
The technical anatomy section covers polymorphic loaders, credential harvesting depth, four-level exfiltration fallback, GitHub Actions impersonation, the DEADMAN_SWITCH extortion mechanism, and the --ignore-scripts bypass. Then detection and defense — not generic hardening advice, but SIEM queries derived from hardcoded strings in the malware, and controls mapped to specific code locations with implementation effort measured honestly.
The analysis used Phoenix Purple, an AI-powered code intelligence layer that built a semantic graph of the Miasma codebase (14,027 nodes, 17,530 edges) and traced the full kill chain across 60+ source files. The methodology section covers what agentic code analysis adds to malware research — and where it still falls short.
Attendees leave with: a working taxonomy of supply chain techniques that CVE tooling structurally cannot see, SIEM detection rules grounded in campaign source code, and a prioritized hardening checklist verified against the malware.

Francesco Cipollone

Appsec Monkey

London, United Kingdom
