The Hacker Group Turning Supply Chain Attacks Into a Sport | Threat Wire
Why It Matters
Turning supply‑chain exploits into a prize‑driven contest amplifies risk, forcing firms to harden token hygiene and package‑registry defenses before attackers monetize widespread code contamination.
Key Takeaways
- Mini Shai Hulud worm open-sourced, with a $1,000 bounty for the biggest supply-chain attack
- RubyGems suffered a spam-publish DDoS and disabled new account registrations
- 84 malicious versions injected into TanStack NPM packages via a forged pull request and GitHub Actions cache poisoning
- Worm carries a geography-gated "roulette" payload that can wipe targeted systems
- OpenAI rotated signing certificates after the worm infected two employee machines
Summary
The episode spotlights a new wave of software supply‑chain abuse centered on the open‑sourced “mini Shai Hulud” worm. Its creators have partnered with Breach Forums to award a $1,000 crypto prize to the attacker who generates the most downstream package downloads, effectively turning a destructive worm into a competition.
In the same week RubyGems endured a coordinated spam-publish DDoS that forced the registry to suspend new account creation and purge over 500 malicious packages. Meanwhile, the TanStack JavaScript namespace saw 84 malicious versions pushed through a forged pull request and a GitHub Actions cache-poisoning technique, initially affecting 42 packages and later expanding to 373 packages across 169 namespaces.
Team PCP added a whimsical twist: a "roulette.py" module that reads the host's time-zone and language settings, rolls a die, and, on a hit, plays loud music before running rm -rf on systems in targeted regions. The worm also installs a dead-man-switch monitor that self-destructs if its GitHub token is revoked, a behavior documented by JFrog and upwind.io.
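A first triage step a responder would want after reading the above is a quick sweep of a project's node_modules tree for the worm's module name and for packages that execute code at install time. The following is an added example and not code from the episode, from Team PCP, or from the JFrog or upwind.io write-ups; the filename "roulette.py" is taken from the episode, while the install-hook heuristic (preinstall/install/postinstall scripts) is an assumption about how npm-borne worms usually gain execution, not a claim about this worm's vector. The sample tree it scans is constructed inline so the script runs offline.

```python
"""Triage scan of a node_modules tree for the indicators discussed above.

Added example, not code from the episode or any vendor report. The module
name "roulette.py" is from the episode; the install-hook check is an
assumption about typical npm worm execution, not a documented IOC.
"""
import json
import os
import tempfile
from dataclasses import dataclass

# Filename the episode attributes to the worm's region-gated wiper module.
SUSPECT_FILENAMES = {"roulette.py"}
# npm lifecycle hooks that run automatically during `npm install`
# (assumption: the usual execution vector for package-borne worms).
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


@dataclass
class Finding:
    package: str   # npm package name the finding belongs to
    kind: str      # "suspect-file" or "install-script"
    detail: str    # relative path, or "hook: command"


def _package_from_path(rel_dir: str) -> str:
    """Derive a package name from a path below the nearest node_modules."""
    parts = rel_dir.replace(os.sep, "/").split("/")
    if "node_modules" not in parts:
        return rel_dir
    i = len(parts) - 1 - parts[::-1].index("node_modules")
    tail = parts[i + 1:]
    if tail and tail[0].startswith("@") and len(tail) > 1:
        return "/".join(tail[:2])  # scoped package: @scope/name
    return tail[0] if tail else rel_dir


def scan_node_modules(root: str) -> list[Finding]:
    """Walk `root`, flag suspect filenames and install-time scripts."""
    findings: list[Finding] = []
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in filenames:
            if name in SUSPECT_FILENAMES:
                findings.append(Finding(_package_from_path(rel_dir), "suspect-file",
                                        os.path.join(rel_dir, name)))
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as f:
                manifest = json.load(f)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        scripts = manifest.get("scripts")
        if not isinstance(scripts, dict):
            continue
        pkg = manifest.get("name") or _package_from_path(rel_dir)
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append(Finding(pkg, "install-script", f"{hook}: {scripts[hook]}"))
    findings.sort(key=lambda f: (f.package, f.kind, f.detail))
    return findings


def build_sample_tree(root: str) -> None:
    """Create a small, constructed node_modules layout (fake sample data)."""
    pkgs = {
        "left-pad-clean": {"version": "1.0.0"},
        "@acme/widget": {"version": "2.3.1", "scripts": {"postinstall": "node setup.js"}},
        "totally-fine": {"version": "0.1.0", "scripts": {"test": "jest"}},
    }
    for name, manifest in pkgs.items():
        d = os.path.join(root, "node_modules", *name.split("/"))
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as f:
            json.dump({"name": name, **manifest}, f)
    # Plant a file with the worm module's name in the scripted package
    # (placeholder content only, not the real module).
    with open(os.path.join(root, "node_modules", "@acme", "widget", "roulette.py"),
              "w", encoding="utf-8") as f:
        f.write("# placeholder, not the real module\n")


def scan_sample() -> list[Finding]:
    """Build the constructed tree in a temp dir, scan it, and clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_node_modules(tmp)


if __name__ == "__main__":
    for finding in scan_sample():
        print(f"{finding.kind:15} {finding.package:20} {finding.detail}")
```

Run it against a real checkout with `scan_node_modules("/path/to/project")`; a hit on the suspect filename is worth immediate isolation, while install-script hits are only a shortlist, since many legitimate native-module packages use postinstall.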
These incidents underscore the fragility of the JavaScript ecosystem, where millions of projects depend on NPM and packages can be published in seconds. Organizations must enforce strict publish-token management, rate-limit registry operations, and treat supply-chain compromise as a core risk, especially now that attackers are monetizing it through bounties and public competitions.