Protos Labs
Protos Labs is a cybersecurity research firm that documented UNC6780 Shai-Hulud 3.0, the Megalodon copycat campaign, and the Phantom Gyp binding.gyp evasion technique.
Last refreshed: 14 June 2026 · Appears in 1 active topic
How did Protos Labs identify the SLSA attestation bypass before major package registries responded?
Timeline for Protos Labs
Mentioned in: Attack worm kit now open-sourced freely
Cybersecurity: Threats and Defences- What did Protos Labs discover about Shai-Hulud and npm supply-chain attacks?
- Protos Labs documented the Shai-Hulud 3.0 framework release, the Megalodon campaign that poisoned 5,561 GitHub Actions repositories, and the Phantom Gyp variant that evades hook monitors via the binding.gyp native-build step.Source: Protos Labs
- Who is Protos Labs in cybersecurity?
- Protos Labs is a cybersecurity research firm focused on software supply-chain threat intelligence, known in 2026 for its analysis of the UNC6780 Shai-Hulud campaigns.
- What does it mean that SLSA-attested packages were found to be malicious?
- SLSA (Supply-chain Levels for Software Artefacts) attestations verify that a package was built from a specific source at a specific time. Protos Labs found that when the build pipeline itself is compromised, the attestation remains valid, meaning attestation alone cannot be trusted as proof of safety.Source: Protos Labs
Background
Protos Labs is a cybersecurity research firm whose threat intelligence unit tracked and published findings on the UNC6780/TeamPCP supply-chain campaign in mid-2026. The firm documented the Shai-Hulud 3.0 open-source release, the Megalodon copycat wave that poisoned 5,561 GitHub Actions repositories on 18 May, the Miasma variant, and the Phantom Gyp technique that emerged on 3 June 2026 exploiting the npm binding.gyp native-build step. Protos Labs also confirmed that malicious packages in these campaigns carried valid SLSA provenance attestations, a finding with broad implications for software supply-chain security standards.
The firm's public reporting on the Shai-Hulud campaign provided the primary technical analysis used by the wider security community to understand the scope of UNC6780's open-sourcing strategy and the binding.gyp evasion vector. This kind of disclosure work, characterising novel frameworks shortly after their release, is a core function of boutique threat intelligence firms that can move faster on emerging campaigns than larger vendors with broader product commitments.
Protos Labs occupies a niche between enterprise threat-intelligence platforms and academic security research, producing practitioner-facing reports aimed at security operations teams and package-registry administrators. Its focus on software supply-chain security positions it in an increasingly competitive space alongside firms such as Snyk and Socket Security.