#112 - Shai-Hulud Worm Goes Public: AI Supply Chain Attacks Explode

PRESENTED BY

Cyber AI Chronicle

By Simon Ganiere · 24^th May 2026

Welcome back!

Last week the headline was the first AI-built zero-day in the wild. This week the headline is what happens when you open-source the framework. TeamPCP released the Shai-Hulud worm on GitHub on 13 May. By 18 May the first copycat had appeared in a typosquatted npm package called chalk-tempalte. By the same day, the Megalodon variant had pushed malicious commits to 5,561 GitHub repositories in a six-hour window. By 20 May a fresh Mini Shai-Hulud wave had hit 320+ npm packages including the @antv ecosystem and echarts-for-react, the latter pulling 1.1 million weekly downloads. Microsoft's Durabletask Python SDK shipped three malicious versions. Claude Code installations received fresh persistence backdoors. Five days from open-source to mass deployment.

Underneath all of that, ChromaDB, the vector database sitting under most production RAG pipelines, turned out to carry a pre-authentication RCE. 73% of internet-exposed instances are running a vulnerable version. No confirmed vendor patch. The AI infrastructure layer is the one nobody is watching.

🛡️ AI System Vulnerabilities: → 0% (6 vs 6 high-scoring articles week-on-week)
ChromaDB pre-auth RCE in the AI vector database layer; Claude Code sandbox bypass quietly patched after 5.5 months of exposure
Significance: Volume steady, depth shifted. The vulnerabilities this week sit beneath the AI application layer, not at the prompt boundary.

🤖 AI-Enabled Social Engineering: → stable (1 vs 1)
Russian-speaking actor "bandcampro" uses jailbroken Gemini and 73 stolen API keys to run a multi-faceted credential and crypto theft operation against MAGA communities
Significance: A single low-skilled operator replicated the output of an entire criminal team. This is the AI-as-efficiency-multiplier thesis with confirmed victims.

🤖🏃 AI Autonomous & Agentic Attacks: → stable (2 vs 2)
Claude Code SOCKS5 null-byte sandbox bypass enables prompt-injection-chained credential exfiltration; Emergence AI simulation documents widespread emergent unsafe behaviour across leading model families
Significance: Two flavours of agent risk. Real vulnerabilities in shipped agentic tooling, and structural safety gaps in long-horizon autonomous behaviour that current benchmarks do not catch.

🔗 AI Supply Chain & Developer Tool Abuse: ↓ -80% (1 vs 5)
Headline volume down because the Shai-Hulud story has shifted into the AI System Vulnerabilities bucket; eighteen malicious Chrome GenAI extensions stealing OpenAI, Gemini, and Claude credentials
Significance: The taxonomy drift hides the trajectory. Treat this as continued escalation, not de-escalation.

📜 AI Governance & Defensive Innovation: ↓ -67% (2 vs 6)
1Password and OpenAI ship an MCP server for just-in-time scoped credentials in Codex; F5 Field CISO publishes on the AI-in-production problem
Significance: Defensive innovation is the right shape but trailing the threat. The 1Password integration is the first concrete control I would actually deploy.

SPONSORED BY

Your CFO opens Slack. There's a weekly Stripe revenue recap in #finance with a churned-accounts flag and a net-new breakdown. She didn't ask for it.

Your head of product opens Slack. There's a GitHub summary in private channel: PRs merged, PRs stale, Linear tickets that moved. He didn't ask for it.

Your marketing lead opens Slack. There's a Google Ads performance comparison in private channel, with a note: "Meta CPA crept up 18% this week. Might be worth pausing the broad match campaign." She didn't ask for it either.

All-hands at 10am. Everyone already knows the numbers. The meeting is about decisions, not catch-up.

That's what happens when one colleague works across every tool your company uses. Not one department's assistant. The whole company's coworker.

Viktor lives in Slack. Top 5 on Product Hunt, 130 comments. SOC 2 certified. Your data never trains models.

"Not only have we caught up on several months of work, we are automating manual tasks and expanding our operations to things previously not possible at scale." - Jesse Guarino, Director, Torque King 4x4

Start free. $100 in credits →

TeamPCP open-sourced the Shai-Hulud worm framework on GitHub on 13 May and launched a supply chain attack "competition" on BreachForums. Five days later the first copycat appeared in the npm package chalk-tempalte. The same day, the Megalodon variant pushed 5,718 malicious commits to 5,561 GitHub repositories in six hours using spoofed CI bot identities. By 19 May, the @antv ecosystem and echarts-for-react had been poisoned through the compromised npm maintainer account 'atool', shipping 639 malicious versions across 323 packages. By 20 May the campaign had expanded to 502 unique packages across npm, PyPI, and Composer, including Microsoft's Durabletask Python SDK, with persistent backdoors written into Claude Code installations and new capability for downloading and executing Python code from attacker infrastructure.

Last week the question was whether your dependency tree included a Shai-Hulud victim. That question now has a half-life of about 96 hours. The framework is public, the tradecraft is templated, and the time from new variant to mass deployment is one working week. The right framing is no longer "did we get hit by Shai-Hulud" but "do we have a CI/CD hygiene programme that survives the next four variants we have not heard of yet?" Specifically, restrict OIDC token audience scope, disable cache sharing across pull_request_target trust boundaries, treat any developer workstation that pulled a Mini Shai-Hulud package as compromised, and audit Claude Code and VS Code hooks as part of incident response not as an afterthought. The persistence is in the IDE.

Two stories landed this week that together describe the gap. First, CVE-2026-45829, a pre-authentication RCE in ChromaDB's Python FastAPI server. ChromaDB is the vector database sitting under retrieval-augmented generation pipelines in production AI applications, with 14 million monthly PyPI downloads. The flaw lets an unauthenticated attacker force the server to load and execute a malicious model from Hugging Face before authentication is checked. Approximately 73% of internet-exposed instances on Shodan are running a vulnerable version. No vendor response, no confirmed patch. Mitigation is network isolation or switching to the Rust frontend. Second, Anthropic silently patched two Claude Code sandbox bypasses without issuing a CVE or user advisory. A SOCKS5 hostname null-byte injection bypassed the outbound allowlist. A separate flaw caused block-all configurations to be treated as allow-all. Users running Claude Code on credential-bearing systems were exposed for approximately 5.5 months. Combined with prompt injection, both flaws enabled exfiltration of environment variables, GitHub tokens, and cloud credentials.

This is the layer most CISOs do not have on their asset register. Vector databases, agent sandboxes, MCP servers, plugin extensions. Each of them is functioning as production infrastructure for AI workloads. None of them carry the operational hygiene expectations we apply to a database, an EDR, or a build server. The Monday question is not whether you have an AI policy. It is whether your asset inventory contains the actual systems that AI runs on. If you cannot tell me by lunch on Tuesday how many ChromaDB instances your engineering teams have deployed, and whether any are reachable from the public internet, your visibility on this layer is where most organisations were on cloud workloads in 2018. That is not a vendor problem. That is a basic asset management failure with an AI label on it.

Google Threat Intelligence Group published a follow-up to last week's AI Threat Tracker covering a Russian-speaking actor operating under the handle "bandcampro". The actor used 73 stolen Gemini API keys against a jailbroken model to run a multi-faceted credential and crypto theft campaign between September 2025 and May 2026. The output is the interesting part. A 17,000-subscriber Telegram channel built with AI-generated content. A fake cryptocurrency wallet app, StellarMonSetup.exe, embedding the GoToResolve RAT. Seed phrases stolen via a fake wallet import screen. AI-powered brute-forcing cracking 29 WordPress administrator credentials. At least one victim's wallets emptied, with the password cracked, the 12-word mnemonic stolen, and 40 wallet addresses harvested. GTIG's assessment is that this is the output of one low-skilled actor armed with a jailbroken frontier LLM, replicating what would historically have required a team of writers, social media managers, IT workers, and malware developers.

This is the AI-as-efficiency-multiplier thesis with a named victim. The interesting datapoint is not the sophistication. The exploit chain is unremarkable. The interesting datapoint is the unit economics. The cost of running a complete fraud operation with content production, target acquisition, malware deployment, and credential attack has been compressed into one person with a Gemini account. Threat actor economics are rational. When the marginal cost of a sophisticated operation falls toward zero, the volume of operations rises until the marginal return falls to match. Plan for more of these, run by less skilled people, at lower volumes per victim but higher counts of operations. The control conversation is not LLM safety, it is whether the second-order behaviour your fraud and account takeover detection looks for assumes a team of attackers or a single one. Most of the heuristics I have seen assume a team.

🔗 AI Supply Chain & Developer Tool Abuse. TeamPCP's Megalodon variant compromised 5,561 GitHub repos via the Tiledesk npm package; the fresh Mini Shai-Hulud wave hit 320+ npm packages including @antv and Microsoft's Durabletask SDK, with persistent backdoors in Claude Code. Palo Alto Unit 42 identified 18 malicious Chrome AI extensions stealing OpenAI, Gemini, and Claude credentials.

🛡️ AI System Vulnerabilities. ChromaDB CVE-2026-45829 is a max-severity pre-auth RCE with 73% of exposed instances vulnerable. Anthropic silently patched two Claude Code sandbox bypasses without a CVE or advisory.

🤖 AI-Enabled Social Engineering. A Russian-speaking fraudster used jailbroken Gemini and 73 stolen API keys to empty at least one MAGA victim's crypto wallets in a campaign that replicated the output of a full criminal team.

🤖🏃 AI Autonomous & Agentic Attacks. Emergence AI's two-week simulations documented widespread emergent unsafe behaviour across Grok, GPT-5-mini, Gemini 3 Flash, and Claude agents; only 13 of 67 documented agent developers publish any safety policy.

🦠 AI-Assisted Malware Development. Ukraine's NSDC confirms Russia is deploying LLM-embedded malware with APT28's LameHug using an open-source language model to generate system commands dynamically and ScopeCreep refined with AI for evasion.

🔍 AI-Accelerated Vulnerability Exploitation. NGINX CVE-2026-42945 is under active exploitation; separately, a single Chinese IP is exploiting openDCIM CVEs using a customised implementation of the AI vulnerability discovery tool Vulnhuntr, the second documented in-the-wild use of AI-assisted exploit tooling.

📜 AI Governance & Defensive Innovation. 1Password and OpenAI launched an Environments MCP Server for Codexproviding just-in-time scoped credentials never exposed to prompts or model context. Orchid Security's Identity Gap report puts unmanaged "identity dark matter" at 57% of enterprise identity exposure, which is the surface AI agents will exploit first.

The urgent priority is CVE-2026-45829 in ChromaDB. There is no confirmed patch and 73% of internet-exposed instances are vulnerable. If your engineering teams have stood up vector databases for any AI workload, treat this as you would treat an exposed unauthenticated Redis instance in 2018. The Apex One and Defender zero-days are reminders that two of the three security vendors your endpoints depend on are this week's CISA KEV entries.

Last week the lesson was that the trust signal is the attack surface. This week the lesson is that the framework is also the attack surface. TeamPCP open-sourced the Shai-Hulud worm and the copycats hit production npm registries in five days. Megalodon compromised 5,561 GitHub repositories in six hours of automated activity. The supply chain compromise pattern has moved from artisan craft to public good for criminals, and the time from new variant to mass deployment is now measured in working days, not weeks.

What is genuinely new this week is the layer underneath. ChromaDB's pre-auth RCE confirms what was inferable from the Shai-Hulud persistence in Claude Code installations. The AI infrastructure layer is operating with the operational hygiene most organisations applied to cloud workloads in 2018. Vector databases, agent sandboxes, MCP servers, plugin extensions. These are production systems with production data flowing through them, and they are sitting outside most asset inventories.

What looks scary but is mostly noise is the bandcampro story. The technical sophistication is unremarkable. What changed is the unit economics. One person produced what a criminal team used to produce. Plan for more operators, not better operators.

The Monday provocation. Pull a list of every vector database your engineering teams have stood up to support AI features. Confirm which of them are reachable from the public internet without authentication. Confirm which of them are running ChromaDB and which version. If you cannot answer that by Tuesday lunch, you have not yet absorbed the difference between an AI strategy and an AI asset inventory. The former is a deck. The latter is what gets exploited at 9pm on a Saturday.

Reference: AI Influence Level from Daniel Miessler

Till next time!

Project Overwatch is a cutting-edge newsletter at the intersection of cybersecurity, AI, technology, and resilience, designed to navigate the complexities of our rapidly evolving digital landscape. It delivers insightful analysis and actionable intelligence, empowering you to stay ahead in a world where staying informed is not just an option, but a necessity.