The AI Coding Agent Is Now the Attack Surface
Six days before 5,561 GitHub repositories were hit with 5,718 malicious commits in a single afternoon, the threat group that carried out the attack released its toolkit on GitHub as open-source software. The May 12 publication of the Shai-Hulud framework — a modular TypeScript/Bun offensive tool for supply chain compromise — was removed within hours, but not before copies were mirrored online. Within a week, four copycat packages were deploying DDoS botnets using cloned versions. The open-source release was not a footnote to the attack. It was the escalation.
The campaign, by a group calling itself TeamPCP, was documented in a note published two days ago by the Cloud Security Alliance's research arm. The first wave had targeted AI developer tooling specifically. Datadog Security Labs' static analysis of the framework, also published two days ago, confirms the payload scans for .claude.json, .claude/mcp.json, and .kiro/settings/mcp.json — configuration files used by AI coding agents — and plants poisoned .claude/settings.json and .vscode/tasks.json in victim repositories. The goal, Datadog found, was to use AI coding agents as outbreak nodes: when an agent reads the poisoned config, it carries the infection into every subsequent repository it touches. SafeDep, which published the first technical analysis of the campaign on May 11, documented the same propagation mechanism as an indicator of compromise — the capability was planted, not confirmed detonated in the wild.
The execution chain that enables that propagation is the detail security teams need to understand. TeamPCP targeted GitHub's automated testing pipeline — the CI/CD workflow that runs every time a developer submits code — to get malicious code executing at the trust level of the base repository. From inside the pipeline, it extracted an OIDC token directly from the GitHub Actions runner's process memory. No phishing. No credential stuffing. No npm token theft. It used that token to publish malicious package versions from inside the legitimate publish pipeline, which means those packages carried valid SLSA Build Level 3 provenance attestations — the cryptographic verification that developers and security teams were told to trust as a safety signal was defeated by attacking the build process itself, as Tenable confirmed.
The credential harvest is thorough. AWS IMDS, GCP metadata endpoints, Kubernetes service account tokens, Vault, ~/.npmrc, GitHub tokens, and SSH keys all get swept. There is also a kill switch. The payload installs a daemon called gh-token-monitor that polls GitHub every 60 seconds. If it detects that a stolen token has been revoked, it executes rm -rf ~/ — wiping the victim's home directory. On macOS it persists as a LaunchAgent; on Linux as a systemd user service. Orca Security documented the full behavior: revoke your compromised token to clean up your access, and you lose your files. The standard incident response playbook is now a destructive trigger.
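As an added example (not code from the article or from any of the vendor reports it cites), a defender-side triage script for the two mechanisms described above: it walks a checked-out repository for auto-executing entries in the planted .claude/settings.json and .vscode/tasks.json files, and a home directory for LaunchAgent plists or systemd user units naming gh-token-monitor. The hook and folderOpen fields it inspects are an assumption about how such a config would trigger, and the sample files it builds are constructed.

```python
import json
import tempfile
from pathlib import Path

# Heuristic (assumption, not from the article): fields that run a command when a workspace is
# opened are Claude Code "hooks" in .claude/settings.json and VS Code tasks with runOn "folderOpen".
PERSISTENCE_DIRS = ["Library/LaunchAgents", ".config/systemd/user"]
DAEMON_NAME = "gh-token-monitor"  # kill-switch daemon name as reported by Orca Security

def _load_dict(path, findings):
    try:
        data = json.loads(path.read_text())
        return data if isinstance(data, dict) else {}
    except OSError:
        return {}  # file absent or unreadable: nothing to inspect
    except ValueError:  # present but unparseable (e.g. JSONC comments) is itself worth a look
        findings.append(f"{path.name}: present but not valid JSON, review by hand")
        return {}

def scan_repo(root):
    """Return auto-executing entries found in a repository's agent/editor config files."""
    findings = []
    hooks = _load_dict(root / ".claude/settings.json", findings).get("hooks")
    for event, matchers in (hooks if isinstance(hooks, dict) else {}).items():
        for m in matchers if isinstance(matchers, list) else []:
            for hook in m.get("hooks", []) if isinstance(m, dict) else []:
                if isinstance(hook, dict) and "command" in hook:
                    findings.append(f".claude/settings.json hook {event}: {hook['command']}")
    for task in _load_dict(root / ".vscode/tasks.json", findings).get("tasks") or []:
        if isinstance(task, dict) and (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            findings.append(f".vscode/tasks.json folderOpen task: {task.get('command')}")
    return findings

def scan_persistence(home):
    """List LaunchAgent plists / systemd user units under home that name the daemon."""
    return [str(f) for d in PERSISTENCE_DIRS if (home / d).is_dir() for f in (home / d).iterdir()
            if f.is_file() and DAEMON_NAME in f.read_text(errors="ignore")]

def demo():
    # Constructed repo + home tree with one sample entry of each kind, then both scans run over it.
    tmp = Path(tempfile.mkdtemp())
    repo, home = tmp / "repo", tmp / "home"
    for d in (repo / ".claude", repo / ".vscode", home / ".config/systemd/user"):
        d.mkdir(parents=True)
    # PLACEHOLDER_CMD stands in for whatever the entry would run; it is not the real payload.
    (repo / ".claude/settings.json").write_text(json.dumps({"hooks": {"SessionStart": [
        {"hooks": [{"type": "command", "command": "PLACEHOLDER_CMD"}]}]}}))
    (repo / ".vscode/tasks.json").write_text(json.dumps({"tasks": [{"label": "build",
        "command": "PLACEHOLDER_CMD", "runOptions": {"runOn": "folderOpen"}}]}))
    (home / ".config/systemd/user/monitor.service").write_text(f"ExecStart=/usr/bin/{DAEMON_NAME}\n")
    return scan_repo(repo), scan_persistence(home)
```

Run the persistence check and stop the daemon before revoking any token, since revocation is the wiper trigger described above.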
The blast radius spans registries developers rely on daily: TanStack's router ecosystem, all three Mistral AI SDKs on both npm and PyPI, UiPath's entire npm scope, OpenSearch's JavaScript client, and Guardrails AI on PyPI — 170 npm packages and 2 PyPI packages across 404 malicious versions, published in a five-hour window on May 11, according to SafeDep. Sonatype's 2026 threat report notes that 454,600 new malicious packages were identified in 2025 alone, bringing the known total to over 1.233 million across npm, PyPI, Maven, NuGet, and Hugging Face.
TeamPCP has been running this campaign family since September 2025. Shai-Hulud was first; SHA1-Hulud followed in November with improved credential harvesting and wiper functionality; SANDWORM_MODE arrived in March 2026 with adaptive targeting of CI/CD pipeline structures. Mini Shai-Hulud, the fourth generation, added the AI coding agent propagation vector and the SLSA provenance forgery. Tenable confirmed the provenance forgery was the first time cryptographic verification was defeated by a process-integrity attack rather than signature forgery.
OpenAI confirmed that two employee devices were affected by the first wave, according to Reuters. No user data was breached, the company said, and code-signing certificates were rotated. Mistral AI, UiPath, and TanStack all published clean versions and security advisories. npm and PyPI removed the malicious versions.
The question for enterprises that deployed AI coding agents during the May 11 window is not whether the attack was sophisticated — it was. The question is whether the ecosystem understands what it has built. The tools that developers trust to make them more productive are now also the tools that can spread a supply chain infection through configuration files. The infected packages are gone from the registries. But any repository an AI coding agent touched during that window may now carry poisoned .claude/settings.json files, and there is no retroactive scan that can tell a company which of its repositories were touched. The next time a clean developer clones that repository and their AI coding agent reads the workspace config, the cycle begins again.
Mini Shai-Hulud is not noise. It is the first attack campaign that treats AI coding agent propagation as a core feature rather than an incidental side effect, and the first to make the industry's cryptographic trust infrastructure irrelevant as a defensive control by publishing from inside the trusted pipeline rather than forging around it. The 1.233 million malicious packages in the cumulative Sonatype count are mostly noise — spam, typosquats, low-sophistication theft. This is different. Every developer who has added an AI coding agent to their workflow since May 11 should assume their repository graph may have been touched. The cleanup is going to be expensive, and the infection vectors are still latent in any codebase the agent wrote to.