Recent npm, Shai-Hulud and TeamPCP Exposure Check

Concerned about recent npm, Shai-Hulud and TeamPCP? Confirm your exposure in 30 minutes

A Kodem Security engineer will work with you to determine whether your environment is impacted by the recent npm, Shai-Hulud and TeamPCP supply chain campaign in ~30 minutes. 

You can check for packages. We can tell you if the payload ran.

Our assessment

In your 30-minute exposure assessment, you will:

Identify dependencies affected by the recent npm, Shai-Hulud and TeamPCP campaign in your repositories.
Validate runtime exposure and see what's actually exploitable in production.
Prioritize remediation based on actual risk.
Get clear, actionable next steps.

How it Works

On the call:

1. A security engineer provides access to a Kodem tenant.
2. Connect your repository.
3. Validate what actually executed in runtime.

What we validate:

Execution of recent npm, Shai-Hulud and TeamPCP-related code paths.

Credential exposure (tokens, env, CI secrets).

Persistence or follow-on activity.

Runtime reachability and exploitability.

Why this matters

The recent npm, Shai-Hulud and TeamPCP activity is a supply chain campaign, not a single CVE. The attack impacts trusted components across the development lifecycle, including:

CI/CD workflows.
Package registries (npm, PyPI).
Widely used development tooling (LiteLLM, Telnyx, Trivy).

Static analysis alone can’t confirm exposure; you need to know what actually ran.
