The "Mini Shai-Hulud" and "Megalodon" Campaigns: Why Your Software Supply Chain Is Now the Front Door
Mini Shai-Hulud and Megalodon show how attackers target CI/CD, package registries, and build trust, not your production servers. What that means for business risk, and what to do now.
A few years ago, most companies worried mainly about attackers breaking into production systems. Today, the more uncomfortable scenario is that attackers may not need to break into your application at all. They can target the systems that build, test, package, and publish it.
That is the important lesson from the Mini Shai-Hulud and Megalodon campaigns. These were not simple cases of someone uploading a suspicious package and hoping nobody noticed. They targeted the trust machinery behind modern software development: package repositories, CI/CD pipelines, developer environments, cached build artifacts, cloud credentials, OIDC tokens, and build provenance.
In plain English: the systems teams rely on to ship software quickly became the attack surface. Convenient for developers. Also very convenient for attackers, sadly.
What happened?
In mid-2026, the threat-actor group Team PCP compromised packages across the npm and pip ecosystems on a large scale, affecting hundreds of projects and packages with more than 500 million downloads.
The campaigns worked because modern software development is deeply connected. Developers install open-source packages. CI/CD pipelines build applications automatically. Package registries distribute updates. Cloud platforms trust short-lived identity tokens. Build systems generate provenance metadata to prove where software came from.
All of that trust is useful. It is also exactly what the attackers abused.
With Mini Shai-Hulud, attackers poisoned CI/CD caches and extracted OIDC tokens. This allowed them to publish malicious packages that appeared to come from legitimate build processes. Some packages even carried valid build provenance, which is the nasty part. The badge looked real, but the package was not safe.
With Megalodon, the focus expanded into mass repository compromise and malicious workflow injection. Attackers targeted GitHub repositories and CI/CD workflows to harvest secrets, cloud credentials, SSH keys, publishing tokens, and other sensitive information.
This was not malware sitting quietly in a forgotten dependency. This was malware going after the software factory itself.
Why valid provenance was not enough
Build provenance is meant to answer an important question: was this software built by the process we trust?
That is valuable, but it does not automatically answer a second, equally important question: was the trusted process already compromised?
That distinction matters. If attackers poison a build cache, manipulate a workflow, or steal the token used by a trusted pipeline, the resulting package can still look legitimate. The paperwork checks out, while the contents quietly do something hostile.
Think of it like receiving a sealed delivery box from a trusted supplier. The label is real, the route is real, and the supplier name is real. Unfortunately, the box may still contain something you really did not order.
No jargon tax. Just a very expensive assumption.
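As an added illustration of "provenance as one signal, not proof of safety" (this is example code written for this article, not code from the article or from any of the tooling it mentions), here is a consumer-side policy check in Python applied to a SLSA-style provenance statement. The attestation, repository URL, workflow path, refs and artifact bytes are all constructed placeholders, and the check assumes the statement's signature has already been verified by the usual tooling; what it adds is the question a signature alone never answers, namely whether the signer was operating inside the boundary you actually trust.

```python
"""Added example (not from the article or any project it mentions): treat build
provenance as one signal by checking a SLSA-style attestation against an explicit
consumer policy, not only against its own signature.

The statement built here is constructed to resemble a SLSA v1 provenance
statement for a GitHub Actions build; the repository, workflow path, refs and the
artifact bytes are placeholders, not real values.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

SLSA_V1 = "https://slsa.dev/provenance/v1"


@dataclass(frozen=True)
class ProvenancePolicy:
    """What the consumer is willing to accept; decided by us, not by the attestation."""
    expected_repo: str
    allowed_refs: frozenset[str]
    allowed_workflow_paths: frozenset[str]
    trusted_builder_prefixes: frozenset[str]


def check_provenance(statement: dict, artifact: bytes, policy: ProvenancePolicy) -> list[str]:
    """Return the list of policy violations; an empty list means the artifact passes.

    Assumes the statement's signature was already verified. A valid signature only
    proves who signed; these checks ask whether that signer stayed inside the
    boundary we trust (right repo, right ref, right workflow file, right builder).
    """
    findings: list[str] = []

    # 1. The attestation must describe the exact bytes we are about to install.
    actual = hashlib.sha256(artifact).hexdigest()
    claimed = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if actual not in claimed:
        findings.append(f"subject digest mismatch: artifact is sha256:{actual[:12]}...")

    if statement.get("predicateType") != SLSA_V1:
        findings.append(f"unexpected predicateType {statement.get('predicateType')!r}")

    pred = statement.get("predicate", {})
    workflow = pred.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    builder_id = pred.get("runDetails", {}).get("builder", {}).get("id", "")

    # 2. Built from the repository we expect, not a fork or a look-alike.
    if workflow.get("repository") != policy.expected_repo:
        findings.append(f"unexpected source repository {workflow.get('repository')!r}")

    # 3. Built from a release ref, not from an arbitrary branch someone pushed.
    if workflow.get("ref") not in policy.allowed_refs:
        findings.append(f"ref {workflow.get('ref')!r} is not an allowed release ref")

    # 4. Built by the workflow file we reviewed, not one added alongside it.
    if workflow.get("path") not in policy.allowed_workflow_paths:
        findings.append(f"workflow {workflow.get('path')!r} is not an approved publishing workflow")

    # 5. Built on a builder we trust (here: a hosted runner rather than self-hosted).
    if not any(builder_id.startswith(p) for p in policy.trusted_builder_prefixes):
        findings.append(f"builder {builder_id!r} is not in the trusted set")

    return findings


# --- constructed sample data (placeholders, not a real package or repository) --
ARTIFACT = b"placeholder-package-tarball-bytes-v1.2.3"
POLICY = ProvenancePolicy(
    expected_repo="https://github.com/example-org/widget",  # placeholder
    allowed_refs=frozenset({"refs/heads/main", "refs/tags/v1.2.3"}),
    allowed_workflow_paths=frozenset({".github/workflows/release.yml"}),
    trusted_builder_prefixes=frozenset({"https://github.com/actions/runner/github-hosted"}),
)


def make_statement(artifact: bytes, ref: str, path: str) -> dict:
    """Build a SLSA-v1-shaped statement for the artifact (constructed sample, unsigned)."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "widget-1.2.3.tgz",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {
                "externalParameters": {
                    "workflow": {"repository": POLICY.expected_repo, "ref": ref, "path": path}
                }
            },
            "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
        },
    }


def legitimate_release() -> list[str]:
    """Release built on main by the reviewed workflow: no findings."""
    stmt = make_statement(ARTIFACT, "refs/heads/main", ".github/workflows/release.yml")
    return check_provenance(stmt, ARTIFACT, POLICY)


def injected_workflow() -> list[str]:
    """Digest and builder check out, but the build came from a workflow file on a side branch."""
    stmt = make_statement(ARTIFACT, "refs/heads/ci-tweak", ".github/workflows/publish-hotfix.yml")
    return check_provenance(stmt, ARTIFACT, POLICY)


if __name__ == "__main__":
    print("legitimate release:", legitimate_release())
    print("injected workflow :", injected_workflow())
```

The legitimate release passes; the build from a workflow file pushed to a side branch fails two checks even though its digest and builder look fine. The limit matters just as much: if an attacker poisoned the trusted workflow's cache or published with that workflow's own OIDC token, every field above is exactly what the policy expects and the check passes. Policy like this shrinks the blast radius of a stolen or misused identity; it does not replace protecting the pipeline itself.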
The attack chain in simple terms
| Target | What attackers abused | Why it matters |
|---|---|---|
| npm and pip packages | Malicious package versions | Developers and CI systems may install them automatically |
| CI/CD caches | Poisoned build artifacts | Trusted jobs can reuse attacker-controlled content |
| OIDC tokens | Short-lived identity tokens | Attackers can publish as trusted pipelines |
| GitHub workflows | Malicious workflow changes | Secrets can be harvested during builds |
| Developer environments | Local tokens and credentials | One machine can expose many systems |
| Build provenance | Valid metadata on poisoned packages | Security tooling may trust the wrong thing |
The uncomfortable reality is that many organisations designed these systems for speed first and security second. Attackers noticed, and they are now targeting the gaps between convenience and control.
Why business owners should care
This is not only a developer problem.
If your company builds software, uses cloud infrastructure, relies on SaaS platforms, or works with external development teams, your software supply chain is part of your business risk. A compromised package or CI/CD pipeline can expose far more than source code. It can give attackers access to the systems that deploy, configure, and operate your business-critical applications.
| Asset | Business impact |
|---|---|
| GitHub tokens | Source-code access or repository tampering |
| Cloud credentials | Infrastructure compromise or data exposure |
| CI/CD secrets | Deployment pipeline takeover |
| SSH keys | Server access |
| API keys | Third-party service abuse |
| Publishing tokens | Malicious software released under your name |
The biggest risk is not only theft. It is trust.
If attackers publish malicious packages through your pipeline, customers may see the software as coming from you. Because technically, it did. That turns a technical incident into a customer trust issue, legal issue, brand issue, and board-level headache. A charming little combo platter nobody ordered.
Why this changes the security conversation
Many teams already follow the usual security checklist. They enable MFA, scan dependencies, generate SBOMs, sign builds, use trusted publishing, enable provenance, and automate deployments. Those are good practices, and they should stay.
The problem is that Mini Shai-Hulud and Megalodon show attackers moving deeper into the development process. They are no longer only stealing passwords or exploiting production servers. They are attacking workflow design, token scope, cache behaviour, developer tooling, and automation trust.
That means CI/CD can no longer be treated as background plumbing. It needs the same level of attention as production, because attackers already see it as a route into production.
What teams should do now
This is not a moment for panic. Panic is noisy, expensive, and usually terrible at YAML. It is, however, a good moment to tighten the basics and review whether your software delivery process is actually as trustworthy as everyone assumes.
| Priority | Action | Why it matters |
|---|---|---|
| Audit dependencies | Check whether affected packages or versions were used | Malicious code may have executed during install or build |
| Rotate secrets | Replace GitHub, npm, pip, cloud, SSH, and CI/CD credentials | Exposed secrets should be treated as burned |
| Review workflows | Inspect GitHub Actions and pipeline changes | Workflow files can become attack tools |
| Lock down OIDC | Restrict trusted publishing by branch, workflow, job, and environment | Broad trust creates broad blast radius |
| Harden runners | Use ephemeral runners and isolate build environments | CI runners often touch sensitive secrets |
| Review caches | Clear and validate build caches | Poisoned caches can survive clean-looking builds |
| Monitor provenance carefully | Treat provenance as one signal, not proof of safety | Valid metadata can still wrap poisoned output |
| Watch developer machines | Check local tools, tokens, config files, and persistence hooks | Developers are now part of the security perimeter |
Secure the pipeline like it ships your business, because it does.
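To make the first row of that table concrete, here is an added Python example (written for this article, not code from the article, from npm, from pip or from any project it names) that sweeps a package-lock.json and a pinned requirements.txt for versions on an advisory list. The advisory entries, the package names and both lockfiles are constructed placeholders; in a real response you would load the campaign's published indicator list and run this across every repository, developer machine and CI runner image.

```python
"""Added example for this article (not code from the article, npm, pip or any
project it names): sweep an npm lockfile and a pinned pip requirements file for
package versions on an advisory list.

Everything below is constructed: the advisory entries use placeholder package
names and the two lockfiles are small hand-written samples.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Placeholder advisory list: (ecosystem, normalised name) -> affected versions.
AFFECTED: dict[tuple[str, str], set[str]] = {
    ("npm", "example-widget-utils"): {"1.4.2", "1.4.3"},
    ("pypi", "example-colorsupport"): {"0.9.1"},
}


@dataclass(frozen=True)
class Hit:
    ecosystem: str
    name: str
    version: str
    where: str  # install path inside the lockfile, or the requirements line


def npm_packages(lock_text: str) -> list[tuple[str, str, str]]:
    """(name, version, install path) for every entry in a lockfileVersion 2/3 package-lock.json.

    The `packages` map is keyed by install path, so nested copies such as
    node_modules/a/node_modules/b are covered, which a scan of package.json would miss.
    """
    lock = json.loads(lock_text)
    found = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project itself
            continue
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        found.append((name, meta.get("version", ""), path))
    return found


# name, optional [extras], exact "==" pin; markers (";") and comments ("#") are ignored
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*==\s*([^\s;#]+)")


def normalise_pypi(name: str) -> str:
    """PEP 503 normalisation so Example_Pkg, example.pkg and example-pkg compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def pip_pins(requirements_text: str) -> list[tuple[str, str, str]]:
    """(name, version, line) for each exactly pinned line; unpinned ranges are skipped."""
    found = []
    for line in requirements_text.splitlines():
        m = PIN_RE.match(line)
        if m:
            found.append((normalise_pypi(m.group(1)), m.group(3), line.strip()))
    return found


def audit(npm_lock_text: str, requirements_text: str, affected=AFFECTED) -> list[Hit]:
    """Return every resolved package whose version appears on the advisory list."""
    hits = []
    for name, version, where in npm_packages(npm_lock_text):
        if version in affected.get(("npm", name), set()):
            hits.append(Hit("npm", name, version, where))
    for name, version, where in pip_pins(requirements_text):
        if version in affected.get(("pypi", name), set()):
            hits.append(Hit("pypi", name, version, where))
    return hits


# --- constructed sample lockfiles --------------------------------------------
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/example-widget-utils": {"version": "1.4.3"},
        "node_modules/left-pad-ish": {"version": "2.0.0"},
        "node_modules/left-pad-ish/node_modules/example-widget-utils": {"version": "1.3.9"},
    },
})

SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.32.3
Example_ColorSupport[cli]==0.9.1 ; python_version >= "3.9"
example-colorsupport-extras>=1.0   # unpinned: cannot be judged from this file alone
"""


def run_sample_audit() -> list[Hit]:
    """Audit the constructed samples against the placeholder advisory list."""
    return audit(SAMPLE_PACKAGE_LOCK, SAMPLE_REQUIREMENTS)


if __name__ == "__main__":
    for hit in run_sample_audit():
        print(f"{hit.ecosystem}: {hit.name}=={hit.version}  ({hit.where})")
```

Two things follow from a hit. First, a lockfile match means install-time scripts may already have run on every machine and runner that executed `npm ci` or `pip install` from that file, so those hosts move straight to the "Rotate secrets" row rather than waiting for further proof. Second, unpinned pip ranges cannot be judged from requirements.txt alone; feed the parser the output of `pip freeze` from the actual environment, which uses the same `name==version` form, to see what was really installed.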
The bigger lesson
Open-source packages are powerful. CI/CD automation is essential. OIDC is useful. Build provenance matters. Package registries keep modern development moving. None of these things are bad. In fact, most modern software teams could not operate efficiently without them.
But they cannot be treated as magic shields. They need clear trust boundaries, least-privilege access, active monitoring, proper review, and reliable governance. Not because governance sounds exciting (it does not), but because boring controls are often what prevent very exciting incidents.
And in cybersecurity, “exciting” is usually code for “someone is having a bad week.”
Final thought
The next major breach may not start with a phishing email or an exposed production server. It may start with a package update, a CI/CD cache, a GitHub workflow, or an OIDC token minted by a pipeline everyone trusted because “that is just how the build works.”
That is why knowing about campaigns like Mini Shai-Hulud and Megalodon matters. They are not just incidents. They are warnings about where attackers are going next.
Your software supply chain is no longer background plumbing. It is part of your security perimeter. And like all important plumbing, you usually only realise how much it matters when it breaks.