HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

TeamPCP Supply Chain Campaign Compromises Checkmarx Jenkins Plugin and Spreads Mini Shai‑Hulud Worm via npm & PyPI

TeamPCP has confirmed a breach of the Checkmarx Jenkins CI/CD plugin and released a self‑spreading Mini Shai‑Hulud worm that infects npm and PyPI packages. The campaign threatens any organization that relies on compromised build tools or consumes affected open‑source components, making third‑party risk management urgent.

LiveThreat™ Intelligence · 📅 May 19, 2026· 📰 isc.sans.edu
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
4 recommended
📰
Source
isc.sans.edu

TeamPCP Supply Chain Campaign Compromises Checkmarx Jenkins Plugin and Spreads Mini Shai‑Hulud Worm via npm & PyPI

What Happened — The threat‑actor group TeamPCP escalated its supply‑chain operations, confirming a compromise of the Checkmarx Jenkins plugin used in CI/CD pipelines and releasing a self‑propagating Mini Shai‑Hulud worm that targets packages on npm and PyPI. The worm injects malicious payloads into newly published modules, enabling further compromise of downstream applications.

Why It Matters for TPRM

  • Supply‑chain compromises can silently embed malicious code into software that third‑party vendors deliver to your organization.
  • CI/CD tool compromises bypass traditional perimeter defenses, giving attackers footholds in build environments.
  • Widespread package‑registry infection amplifies risk across any organization that consumes open‑source components.

Who Is Affected — Technology & SaaS firms, software development houses, CI/CD service providers, and any enterprise that integrates open‑source packages from npm or PyPI.

Recommended Actions

  • Audit all third‑party CI/CD plugins, especially Checkmarx, for unauthorized changes.
  • Enforce strict SBOM verification and provenance checks for npm/PyPI dependencies.
  • Apply network segmentation and runtime integrity monitoring to build servers.

Technical Notes — Attack vector: compromised third‑party dependency (Checkmarx Jenkins plugin) and malicious package publication (npm/PyPI). The Mini Shai‑Hulud worm leverages package‑registry write permissions to self‑replicate. No specific CVE disclosed; the threat relies on trust relationships and inadequate package vetting. Source: SANS Internet Storm Center

📰 Original Source
https://isc.sans.edu/diary/rss/32994

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

Point-in-time vendor reviews miss incidents like this.

Verisq AI Trust Operations replaces the annual questionnaire with continuous third-party monitoring — so vendor exposure becomes audit evidence, not a once-a-year guess.

See how Verisq AI Trust Operations works →