
Shifty Corsair evolves open-source supply-chain tradecraft with fake firms, layered packages, and AI-assisted deception

Threat Actor Meta
Happening score: 43
1 unique source, 1 article

Summary


Shifty Corsair has expanded its operating model into a more convincing developer-lure ecosystem, increasing the risk of open-source supply-chain compromise against Web3 targets. The group now combines fake companies, fake job interviews, layered package delivery, and AI-generated code to make malicious projects look legitimate. Its reach spans npm, PyPI, and GitHub-hosted artifacts, showing a broader and more adaptive delivery network. That shift matters because it improves deception, evasion, and scale across multiple package ecosystems.

Related Happenings

TrapDoor cross-ecosystem supply-chain campaign

Campaign
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources: 1

About this happening: The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...

TeamPCP supply-chain ecosystem shift and extortion partnerships

Threat Actor Meta
First: 22.05.2026 14:55 Last: 22.05.2026 14:55 Sources: 1

About this happening: **TeamPCP** has expanded its supply-chain abuse model across open-source ecosystems, raising the risk of downstream compromise and extortion at scale. The group has **corrupted hu...

TeamPCP opens its offensive framework to copycat supply-chain attackers

Threat Actor Meta
First: 19.05.2026 07:54 Last: 19.05.2026 07:54 Sources: 1

About this happening: **TeamPCP** has started distributing its **offensive framework source code**, turning a single supply-chain operation into reusable tradecraft that other threat actors can adopt....

TeamPCP uses Shai-Hulud release to build access-broker monetization pipeline

Threat Actor Meta
First: 18.05.2026 22:53 Last: 18.05.2026 22:53 Sources: 1

About this happening: **TeamPCP** is being framed as using the **Shai-Hulud** source-code release to drive an **access broker** business, turning worm distribution into a credential-monetization pipeli...

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources: 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Timeline

  1. 29.04.2026 17:43 2 articles · 28d ago

    PromptMink and related supply-chain tradecraft are publicly disclosed

    Initial Disclosure

    A North Korean supply-chain malware campaign linked to Famous Chollima, also known as Shifty Corsair, combines AI-assisted package creation, layered npm dependencies, and typosquatting to hide malicious code in packages such as @validate-sdk/v2 and @hash-validator/v2. The packages are used to steal crypto wallet credentials and funds, and the campaign extends delivery into PyPI and GitHub-hosted artifacts aimed at Web3 developer targets.
