Shai-Hulud: The First AI Agent Supply Chain Worm — What Happened and What It Means for Enterprise Security

See also (wiki): ai-cybersecurity · mcp-enterprise-security-ciso-2026 · assume-breach-ai-agents · third-party-vendor-ai-risk

Source credibility: CVE-2026-45321 (NVD CVSS 9.6 Critical), CSA Research Note (April 2026), The Hacker News reporting, Datadog Security Labs analysis, Palo Alto Unit42. OpenAI confirmed exposure. TIER 1 for the core CVE and confirmed attack chain; TIER 2 for downstream impact estimates. No vendor-commissioned content.

Executive Summary

• Shai-Hulud is a self-replicating supply chain worm (CVE-2026-45321, CVSS 9.6) discovered May 2026, deployed by threat actor TeamPCP. It is the first documented attack to weaponize AI coding agents — specifically Claude Code and VS Code — as persistence vectors.
• Attack chain: GitHub OIDC token hijacking → Actions cache poisoning → malicious npm tarballs with valid SLSA provenance. Over 170 npm/PyPI packages compromised across TanStack, Mistral AI, UiPath, OpenSearch, Guardrails AI, and SAP ecosystems. >518 million cumulative downloads affected.
• The malware specifically targets AI agent configurations: steals .claude/settings.json, harvests MCP server auth tokens, extracts LLM API keys (OpenAI, Anthropic, Google, Groq, Mistral, Cohere), and writes persistence hooks into Claude Code’s SessionStart config so it re-executes every time a developer opens a project — even after the npm package is removed.
• TeamPCP open-sourced the full Shai-Hulud toolkit to GitHub, democratizing the attack. Any threat actor can now deploy it. A variant called SANDWORM_MODE targets LLM API keys specifically.
• OpenAI confirmed exposure. No Fortune 500 named-customer breach disclosures as of May 2026.

Why This Attack Is Structurally New

Previous supply chain attacks (SolarWinds, XZ Utils, 3CX) targeted build pipelines to deliver malicious code into downstream software. Shai-Hulud does something different: it uses the AI coding agent as a confused deputy.

The CSA Research Note (April 2026) frames it precisely: “The AI assistant is the confused deputy: it is trusted by the user to assist with development tasks, but malicious tool descriptions redirect its capability toward credential exfiltration without the user’s knowledge or consent.”

The attack exploits three AI-specific properties:

1. Tool trust: Coding agents execute tool calls from the environment without per-call user confirmation — the agent trusts the tool description, not the user’s intent.
2. MCP token access: Agents with MCP server connections hold auth tokens for external services (GitHub, Slack, cloud providers). Malware that reaches agent config can harvest these without triggering user-visible alerts.
3. Persistence via agent hooks: Writing to SessionStart config survives npm package removal — the persistence mechanism lives in agent infrastructure, not the package registry.

Attack Chain Detail

Phase 1 — Initial Access GitHub OIDC token hijacking in a CI/CD workflow. The attacker exploits overly permissive permissions: write-all in GitHub Actions configuration — a common misconfiguration in open-source projects.

Phase 2 — Lateral Movement GitHub Actions cache poisoning. The compromised CI job writes malicious artifacts to the Actions cache, which is shared across workflow runs and branches. Valid SLSA (Supply-chain Levels for Software Artifacts) provenance is generated for the malicious tarballs — bypassing signature-based integrity checks.

Phase 3 — Distribution Malicious npm/PyPI packages published under compromised package maintainer accounts. 170+ packages across: TanStack, Mistral AI Python SDK, UiPath, OpenSearch, Guardrails AI, SAP libraries. 518M+ cumulative downloads represent the blast radius of pre-compromise package adoption.

Phase 4 — Payload Execution router_init.js (2.3 MB obfuscated JavaScript) contains 10 credential-collection classes:

• Steals Claude Code agent config (.claude/settings.json)
• Steals VS Code task definitions (.vscode/tasks.json)
• Harvests MCP server authentication tokens
• Extracts LLM API keys: OpenAI, Anthropic, Google, Groq, Mistral, Cohere
• Extracts cloud credentials: GitHub tokens, AWS credentials, Kubernetes configs

Phase 5 — Persistence Writes hooks to Claude Code SessionStart configuration. The malware re-executes every time a developer opens any project in Claude Code — the persistence mechanism survives npm package removal, registry cleanup, and even full dependency reinstallation if the agent config is not explicitly audited.

Key Data Points

What the Shai-Hulud Framework Open-Source Means

TeamPCP leaking the full toolkit is not a mistake — it is a threat actor strategy. Once the framework is public:

• Any ransomware group, nation-state operator, or script-kiddie can deploy it.
• Defenders cannot rely on attribution or TTP (tactic, technique, procedure) obscurity.
• The SANDWORM_MODE variant, which focuses exclusively on LLM API key harvesting, is particularly accessible — it requires no prior supply chain compromise infrastructure, only a poisoned package.

The practical implication: Shai-Hulud is now a commodity attack technique, not an advanced persistent threat. The timeline for enterprise exposure shortens from “advanced adversaries” to “opportunistic actors.”

Immediate Mitigation Priorities

For security teams (week 1):

1. Audit Claude Code and VS Code agent configurations for unauthorized SessionStart hooks.
2. Rotate all LLM API keys (OpenAI, Anthropic, Google, Groq, Mistral, Cohere) for any developer who has installed packages from affected ecosystems since January 2026.
3. Audit MCP server token inventory — identify which tokens are stored in agent config files vs. secure credential stores.
4. Check GitHub Actions workflows for permissions: write-all and cache sharing configurations.

For platform teams (month 1):

1. Implement MCP token storage in secrets managers (AWS Secrets Manager, HashiCorp Vault), not in agent config files on disk.
2. Add SBOM/dependency scanning for AI SDK packages — TanStack, Mistral Python SDK, Guardrails AI, UiPath are now flagged ecosystems.
3. Implement AI agent audit logging that captures tool calls, not just user prompts.
4. Establish agent config file change monitoring (.claude/, .vscode/) as a detection signal.

For procurement/legal (quarter 1):

1. Require AI coding tool vendors (Anthropic, GitHub, Cursor) to disclose their agent hook architecture and persistence mechanism controls.
2. Add AI supply chain security attestation to vendor security questionnaires.
3. Review cyber insurance policy language for AI agent credential compromise — most policies predate this attack class.

Relationship to MCP Security and AIBOM

Shai-Hulud exploits the same attack surface documented in mcp-enterprise-security-ciso-2026.md: MCP servers hold auth tokens that agents access without per-call user confirmation. The attack proves the theoretical risk documented in that file is now operational.

The AIBOM connection: if organizations maintained an AI Bill of Materials tracking which packages their AI coding environment depends on, the Shai-Hulud package list (TanStack, Mistral AI SDK, etc.) would have generated an automated alert when the malicious versions appeared. AIBOM adoption is currently voluntary and nascent — this attack is the first major case study for why it matters.

Sources