
Shai-Hulud
Shai-Hulud is UNC6780's supply-chain worm framework, released as open-source on GitHub under an MIT licence on 12 May 2026 with a $1,000 Monero bounty, enabling copycat campaigns including Megalodon.
Last refreshed: 14 June 2026
If a worm kit is MIT-licensed and carries a bounty, who is legally responsible for the campaigns it spawns?
Timeline for Shai-Hulud
Attack worm kit now open-sourced freely
Cybersecurity: Threats and Defences
- What is Shai-Hulud and why was it released as open source?
- Shai-Hulud is a supply-chain worm framework built by UNC6780/TeamPCP and released on GitHub under an MIT licence on 12 May 2026 with a Monero bounty, explicitly designed to commoditise repository-poisoning attacks. Source: Protos Labs
- How did Megalodon poison so many GitHub repositories so quickly?
- Megalodon used the Shai-Hulud framework to automate injection of malicious payloads into GitHub Actions workflows, compromising 5,561 repositories in roughly six hours on 18 May 2026. Source: Protos Labs
- Does SLSA provenance actually prevent supply-chain attacks?
- Not entirely. Packages poisoned in the Shai-Hulud campaigns carried valid SLSA provenance attestations, showing that if the build pipeline itself is compromised the cryptographic signatures remain valid. Source: Protos Labs
- What is the connection between Shai-Hulud, Megalodon, and Phantom Gyp?
- Megalodon is a copycat campaign that used the Shai-Hulud framework, and Phantom Gyp is a Shai-Hulud variant that evades hook monitors by executing through Node's native build compiler step. Source: Protos Labs
Background
Shai-Hulud is a supply-chain worm framework developed by the threat actor cluster UNC6780 (also tracked as TeamPCP) and released as open-source on GitHub on 12 May 2026 under an MIT licence. The release included a $1,000 Monero bounty for the largest attack campaign built on the kit, explicitly incentivising third parties to scale exploitation. Within days, a copycat operation tracked as Megalodon used the framework to poison 5,561 GitHub Actions repositories in six hours. A further variant, Phantom Gyp, emerged on 3 June and extended the evasion surface by targeting the npm binding.gyp native-build step.
The framework automates industrial-scale repository poisoning, injecting malicious payloads into legitimate dependency chains. A particularly significant finding from the Megalodon and Phantom Gyp campaigns was that affected packages carried valid SLSA provenance attestations, demonstrating that cryptographic supply-chain integrity standards do not guarantee code integrity when the build pipeline itself is compromised: the attestation binds the artefact to the build that produced it, not the build to code anyone reviewed. This challenges a foundational assumption of the SLSA (Supply-chain Levels for Software Artifacts) framework adopted by major cloud providers.
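To make the point above concrete, here is an added policy check (example code written for this page, not Protos Labs' or any project's own) run over a constructed SLSA v1 provenance statement: the checks a standard verifier performs after validating the signature pass for both a reviewed and an unreviewed build of the same repository, and only a gate on the source commit the builder consumed, which carries the workflow file itself, tells them apart. Field names follow the SLSA v1 GitHub Actions build type; the builder id, repository, digests and commit ids are constructed placeholders.

```python
TRUSTED_BUILDERS = {"https://builder.example/ci@v1"}          # constructed builder id
EXPECTED_REPO = "https://github.com/example-org/example-pkg"   # constructed repository
# Commits a maintainer has actually reviewed, workflow files included (constructed).
REVIEWED_COMMITS = {"c0ffee01"}

def make_statement(commit):
    """Constructed SLSA v1 provenance, trimmed to the fields the policy reads."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "predicateType": "https://slsa.dev/provenance/v1",
        "subject": [{"name": "example-pkg-1.4.2.tgz", "digest": {"sha256": "ab12"}}],
        "predicate": {
            "buildDefinition": {
                "externalParameters": {"workflow": {
                    "repository": EXPECTED_REPO, "ref": "refs/heads/main",
                    "path": ".github/workflows/release.yml"}},
                "resolvedDependencies": [{
                    "uri": f"git+{EXPECTED_REPO}@refs/heads/main",
                    "digest": {"gitCommit": commit}}]},
            "runDetails": {"builder": {"id": "https://builder.example/ci@v1"}}}}

def source_commit(stmt):
    """Commit of the repository checkout the builder consumed (includes the workflow)."""
    build = stmt["predicate"]["buildDefinition"]
    repo = build["externalParameters"]["workflow"]["repository"]
    for dep in build["resolvedDependencies"]:
        if dep.get("uri", "").startswith(f"git+{repo}@"):
            return dep.get("digest", {}).get("gitCommit")
    return None

def provenance_valid(stmt):
    """What a SLSA verifier establishes once the signature checks out: a trusted
    builder produced this artefact from the expected repository. A build whose
    release workflow was rewritten by a worm in that same repository still passes."""
    pred = stmt["predicate"]
    return (stmt["predicateType"] == "https://slsa.dev/provenance/v1"
            and pred["runDetails"]["builder"]["id"] in TRUSTED_BUILDERS
            and pred["buildDefinition"]["externalParameters"]["workflow"]["repository"] == EXPECTED_REPO)

def release_allowed(stmt, reviewed=REVIEWED_COMMITS):
    """Provenance plus a source-integrity gate: the consumed commit must be reviewed."""
    return provenance_valid(stmt) and source_commit(stmt) in reviewed

if __name__ == "__main__":
    good = make_statement("c0ffee01")
    poisoned = make_statement("badc0de9")  # same repo and builder, unreviewed commit
    print(provenance_valid(good), provenance_valid(poisoned))  # True True
    print(release_allowed(good), release_allowed(poisoned))    # True False
```

The gate is only as good as the review behind REVIEWED_COMMITS: it is the workflow diff, not the attestation, that has to be read.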
Shai-Hulud's open-sourcing represents a shift in attacker economics: previously, worm frameworks of this sophistication were closely held by state-adjacent actors. Free release under a permissive licence, combined with financial incentives, lowers the barrier for organised criminal groups and script-level actors to mount campaigns that previously required significant capability. Security teams face a sustained wave of Miasma and derivative variants as the ecosystem commoditises.