The Worm Code Is Free
On May 12, 2026, TeamPCP published the source code for Mini Shai-Hulud — a stripped-down, functional implementation of the self-propagating supply chain worm that has been targeting npm and PyPI since September 2025. The repository includes the worm's core mechanism: steal a maintainer's npm or GitHub token, republish trojanized versions of their packages, and use the stolen credentials to infect the next namespace automatically.
Within 20 days, the first variant appeared. Miasma — built directly on the Mini Shai-Hulud codebase — compromised 32 Red Hat npm packages, spread to 57 more with 647,000 monthly downloads, and forced Microsoft to disable 73 Azure GitHub repositories. The open-sourcing of worm code did exactly what security researchers feared: it democratized supply chain attacks.
What the Source Code Contains
Mini Shai-Hulud is not a proof of concept. It is a production worm with four capabilities: credential harvesting (npm tokens, GitHub tokens, cloud API keys from environment variables and CI/CD secrets), self-propagation (using stolen credentials to republish trojanized packages under the victim's identity), scanner evasion (obfuscation, lifecycle hook abuse, binding.gyp exploitation), and multi-ecosystem targeting (npm preinstall hooks, PyPI import-time execution, build.rs scripts for Crates.io).
The release follows the Shai-Hulud family's evolution through 2026: the original worm (September 2025), the Hades variant (April 2026, with prompt injection to confuse AI security scanners), and now the open-source Mini variant. Each generation is more accessible to less sophisticated attackers.
The npm Trust Model Is Broken
The Shai-Hulud worm family exploits a fundamental property of npm: packages are published under namespace trust. When you install @redhat-cloud-services/frontend-components, you trust that Red Hat published it. If an attacker steals Red Hat's npm token and publishes a trojanized version, npm distributes it under the same trusted namespace. The package signature is valid. The provenance is forged. The trust chain is broken.
SLSA provenance — the gold standard for supply chain integrity — was forged by the Miasma variant. The worm used stolen OIDC tokens to generate valid provenance attestations for trojanized packages. WebPulse documented this in detail: the attestation said 'built by Red Hat CI,' but the code was built by the worm. When the trust infrastructure itself can be weaponized, the trust model needs architectural rethinking.
Framework Exposure by Supply Chain Depth
WebPulse's supply chain scoring dimension measures exactly this exposure. Frameworks with deep npm dependency trees — Next.js (200+ transitive dependencies), Angular (150+), Nuxt (180+) — have proportionally more exposure to self-propagating worms. Each dependency is a potential entry point. Each maintainer's credentials are a potential propagation vector.
Frameworks with shallow or no npm dependency trees — Hugo (single Go binary, zero npm), Astro (minimal dependencies with lockfile integrity), Eleventy (lightweight tree) — have proportionally less exposure. The worm cannot propagate through a supply chain that does not exist. With Shai-Hulud's source code now public, this architectural difference is no longer theoretical — it is the primary determinant of organizational supply chain risk.
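One way to measure the two exposure factors the post describes (how deep the npm dependency tree reaches, and which packages run preinstall/install/postinstall hooks at install time) is to audit the project's package-lock.json. The script below is an added example, not code from the post or from WebPulse; it runs over a constructed lockfileVersion 3 document embedded inline and relies on npm's hasInstallScript field, which npm sets for any package whose package.json declares install-time scripts.

```python
import json
from collections import deque

# Constructed package-lock.json (lockfileVersion 3) for illustration only;
# package names and versions are made up and do not refer to real projects.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"web-kit": "^1.0.0", "log-util": "^2.0.0", "colors-lite": "^1.0.0"}},
        "node_modules/web-kit": {"version": "1.0.0", "dependencies": {"native-bind": "^3.0.0"}},
        "node_modules/native-bind": {"version": "3.0.0", "hasInstallScript": True},
        "node_modules/log-util": {"version": "2.0.0", "dependencies": {"colors-lite": "^0.9.0"}},
        "node_modules/colors-lite": {"version": "1.0.0"},
        # Nested copy that only log-util sees; it also declares an install hook.
        "node_modules/log-util/node_modules/colors-lite": {"version": "0.9.0", "hasInstallScript": True},
    },
})


def resolve(packages, from_path, name):
    """Mimic Node's lookup: try <from_path>/node_modules/<name>, then walk up the tree."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None  # unresolved (peer/optional dependency not installed)
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx != -1 else ""


def audit_lockfile(lock_text):
    """Return the reachable transitive package count, the deepest nesting level,
    and every reachable package that runs scripts during `npm install`."""
    packages = json.loads(lock_text)["packages"]
    seen = {}                      # resolved lockfile path -> depth from the app root
    queue = deque([("", 0)])       # "" is the application itself
    while queue:
        path, depth = queue.popleft()
        for dep in packages[path].get("dependencies", {}):
            target = resolve(packages, path, dep)
            if target is None or target in seen:
                continue
            seen[target] = depth + 1
            queue.append((target, depth + 1))
    hooks = sorted(p for p in seen if packages[p].get("hasInstallScript"))
    return {"transitive_count": len(seen),
            "max_depth": max(seen.values(), default=0),
            "install_script_packages": hooks}


if __name__ == "__main__":
    print(json.dumps(audit_lockfile(SAMPLE_LOCKFILE), indent=2))
```

Every path listed under install_script_packages is code that executes on the developer's or CI machine before the application is ever run, which is exactly the hook the post says these worms abuse; each one deserves a pin and a review. The lockfile only records the presence of install scripts, not their content, so this is a triage list rather than a verdict.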