Last Updated On

DAILY-2026-0519
High
Active Exploitation Confirmed

Shai-Hulud Worms Back, Tycoon2FA Hijacks Microsoft 365 OAuth Tokens

Active npm supply chain malware affecting over 160 packages, an evolving Microsoft 365 device-code phishing kit, and a high-severity AI library RCE dominate today's brief. Developer credentials, OAuth tokens, and ML pipelines are the targets.

CVSS Score: 8.8
IOC Count: 2
Source Count: 11
Confidence Score: 82

CVEs

CVE-2026-44513 (Hugging Face diffusers, improper control of dynamic code generation, RCE, fixed in version 0.38.0; NVD confirmed, GHSA-98h9-4798-4q5v)

Actors

TeamPCP (Shai-Hulud origin), Tycoon2FA operators (Under Attribution)

Sectors

Technology, Financial Services, Developer Infrastructure, Cloud Services, AI and Machine Learning, Automation and RPA

Regions

Global

Chapter 01 - Executive Overview

Over the past 24 to 48 hours, three developments dominate the threat landscape: renewed and escalating abuse of leaked Shai-Hulud malware across the npm ecosystem spanning over 160 compromised packages, the confirmed evolution of the Tycoon2FA phishing-as-a-service kit to abuse OAuth 2.0 device-code flows against Microsoft 365 accounts, and a high-severity remote code execution vulnerability in Hugging Face's diffusers library (CVE-2026-44513) that exposes AI and machine learning pipelines to arbitrary code execution. Together these incidents reflect a convergence of attacker tradecraft on developer ecosystems, identity infrastructure, and AI tooling rather than traditional network perimeter services.

Shai-Hulud npm Worm Resurgence and Copycat Expansion: Software Supply Chain at Scale

  • The Shai-Hulud npm worm, originally documented by Unit 42 and Wiz Research in late 2025, has re-emerged in a significantly expanded form following TeamPCP's deliberate public leak of the source code.

  • OX Security identified four new malicious npm packages published under the deadcode09284814 account using unmodified leaked code, targeting developer credentials, secrets, and cryptocurrency wallets.

  • Aikido Security independently confirmed a separate Mini Shai-Hulud campaign that compromised over 160 npm packages, including packages linked to TanStack and Mistral, substantially expanding the blast radius.

  • The worm behavior is self-propagating: once it harvests tokens and credentials, it creates public GitHub repositories containing stolen secrets and republishes tainted package versions, meaning a single compromised developer account can cascade into CI/CD and cloud compromise at scale.

  • Some copycat variants add destructive fallback behavior, including secure overwrite of user home directories if credential theft fails.

Risk decision for leadership: Escalate. Treat this as an active software supply chain emergency. Freeze or tightly review all new npm dependencies for critical code paths. Rotate developer tokens and secrets on any system where a suspect package was installed. Do not wait for confirmed compromise before acting.

Tycoon2FA Device-Code Phishing Against Microsoft 365: Identity and OAuth Token Abuse

  • The Tycoon2FA phishing-as-a-service kit has adopted the OAuth 2.0 Device Authorization Grant flow to hijack Microsoft 365 accounts, as documented by eSentire Threat Response Unit in a May 2026 analysis of campaigns active from late April.

  • The delivery chain begins with an email containing a Trustifi click-tracking URL, passes through several redirections, and delivers victims to a convincing corporate-styled page instructing them to enter a verification code at microsoft.com/devicelogin, a legitimate Microsoft endpoint.

  • Because the entire authentication flow occurs on genuine Microsoft infrastructure, traditional URL-based phishing defenses do not block this technique. Once the victim completes the device-code login, the attacker's device receives access and refresh tokens providing persistent access to email, files, and connected applications.

  • This represents a significant evolution from Tycoon2FA's earlier adversary-in-the-middle proxy approach. Tokens obtained this way stay usable until they expire or are explicitly revoked, giving attackers sustained dwell time in Microsoft 365 tenants.

Risk decision for leadership: Escalate. Device-code phishing is a strategic identity risk requiring immediate review of OAuth sign-in telemetry, conditional access policies, and token revocation workflows. This is not a perimeter security problem. It is an identity security problem.

CVE-2026-44513 in Hugging Face Diffusers: AI Pipeline Exposure

  • CVE-2026-44513 is a high-severity remote code execution vulnerability in the Hugging Face diffusers library prior to version 0.38.0, confirmed by NVD and multiple vendor advisories with an assessed CVSS score of 8.8.

  • The flaw allows arbitrary code execution even when users explicitly set trust_remote_code to False, because the safety gate was implemented inside the download function rather than at the dynamic module load site, leaving multiple bypass paths open.

  • Affected code paths include specifying a malicious custom_pipeline repository while loading a different primary repository, using local snapshots that bypass the download function entirely, and loading custom component files referenced in model_index.json.

  • Any environment that permits model loading from unreviewed repositories or local snapshots is in scope, including GPU clusters, notebook environments, and production inference services.

Risk decision for leadership: Monitor with urgency. Upgrade to diffusers 0.38.0 or later and restrict unreviewed custom pipeline usage immediately. Operational impact is lower than the active phishing and supply chain campaigns, but AI platforms must be treated as first-class systems in vulnerability management.

Defender Urgency Ranking

  • Priority 1: Shai-Hulud npm worm expansion. Do this now: identify and quarantine systems where known malicious packages were installed; rotate all exposed developer secrets immediately. Do this within 24 hours: implement automated scanning for malicious package names and enforce least-privilege CI/CD secret scopes.

  • Priority 2: Tycoon2FA device-code phishing. Do this now: review OAuth device-code sign-in logs and revoke suspicious token grants in Microsoft Entra ID. Do this within 24 hours: configure conditional access restrictions on device-code flows and brief helpdesk on recognition patterns.

  • Priority 3: CVE-2026-44513. Do this now: identify all environments running diffusers prior to 0.38.0 and block unreviewed custom pipeline loading. Do this within 24 hours: schedule upgrades and add version enforcement to deployment pipelines.

Chapter 02 - Threat & Exposure Analysis

Shai-Hulud npm Worm: Mechanism, Propagation, and Expanded Blast Radius

  • Shai-Hulud embeds malicious JavaScript into npm packages, typically in preinstall, install or postinstall lifecycle scripts, so the code runs automatically when the package is installed or built in a developer or CI environment. No user interaction beyond package installation is required, and npm runs these hooks unless scripts are disabled (ignore-scripts=true in .npmrc, or npm install --ignore-scripts).

  • On execution, the malware searches for sensitive files and environment variables including .npmrc, GitHub Personal Access Tokens, cloud provider credentials (AWS, GCP, Azure), and secrets accessible through configuration files. It exfiltrates all harvested material to attacker-controlled infrastructure.

  • The worm's self-propagation mechanism is the defining characteristic: using stolen credentials, it programmatically creates public GitHub repositories containing exfiltrated secrets, then republishes compromised versions of additional npm packages under the victim maintainer's account, extending infection to downstream consumers of those packages.

  • Unit 42's documentation of Shai-Hulud 2.0 confirms the worm continued to refine this propagation loop, improving its credential-harvesting scope and package republishing speed after the initial September 2025 campaign.

  • The Aikido Security Mini Shai-Hulud finding is strategically significant: over 160 npm packages compromised including packages tied to TanStack (widely used in React and Vue ecosystems) and Mistral (prominent AI tooling), meaning the infection radius extends into frontend developer tooling and AI/ML dependency chains simultaneously.

  • Copycat actors using the deadcode09284814 npm account deployed four packages with Axios and utility library typosquatting names. One variant (axois-utils) added a persistent DDoS botnet capability called "phantom bot" supporting HTTP flood, TCP flood, UDP flood, and TCP reset attack modes, demonstrating that copycat actors are extending the original worm's capabilities beyond credential theft.

  • Some copycat variants include a destructive fallback: if credential theft fails or certain conditions are met, the malware executes a secure overwrite of the user home directory, converting a failed exfiltration attempt into a destructive incident.

  • The public release of Shai-Hulud source code by TeamPCP on GitHub in May 2026 has lowered the barrier to entry for copycat operators significantly. Further novel variants should be anticipated across npm, PyPI, and potentially RubyGems in the near term.

Strategic risk framing:

  • A single compromised developer account can cascade through an entire organization's CI/CD pipeline, cloud environments, and production services via the self-propagation loop.

  • The npm ecosystem's default trust model (public packages, automatic install script execution) means there is no friction between package installation and full credential exfiltration.

  • The combination of data theft, automated propagation, and destructive fallback makes this a multi-mode threat, not a single-purpose infostealer.

Tycoon2FA Device-Code Phishing: Technique, Token Acquisition, and Detection Evasion

  • The OAuth 2.0 Device Authorization Grant was designed for input-constrained devices such as smart TVs and streaming devices that cannot easily open a browser. The device asks the authorization server for a device code and a short user code, displays the user code together with a verification URI, and then polls the token endpoint while the user completes authentication on a separate, browser-capable device at that trusted URI.

  • Tycoon2FA operators abuse this legitimate flow by programmatically initiating a device authorization request against Microsoft's OAuth endpoint, obtaining a valid user code and device code pair, then socially engineering the victim into completing the authentication at the real microsoft.com/devicelogin endpoint.

  • The delivery chain documented by eSentire TRU: the victim receives an email containing a Trustifi click-tracking URL; multiple redirections follow through staging infrastructure; the victim lands on a convincing corporate-styled page presenting the user code and instructing them to visit microsoft.com/devicelogin; the victim authenticates with their real credentials and any MFA method they normally use; consent is granted; the attacker's polling loop completes and receives access and refresh tokens.

  • Because authentication occurs entirely on legitimate Microsoft domains, the victim's browser shows genuine Microsoft SSL certificates. No credential harvesting page, no fake login form, no suspicious URL is presented to the victim at the moment of authentication.

  • This technique bypasses all conventional MFA methods, including TOTP codes, push notifications and SMS, because the victim is completing a genuine authentication that Microsoft processes normally. Phishing-resistant MFA does not close the gap on its own: a passkey or FIDO2 ceremony also succeeds, because the victim really is at the Microsoft login origin, and the tokens still go to whichever client holds the device code. The control that works is a Conditional Access policy that blocks the device code flow (Authentication flows condition), with narrow exceptions for the accounts and applications that genuinely need it.

  • Tokens obtained via this method include both access tokens and refresh tokens. A refresh token can be renewed for as long as it remains valid, so the attacker keeps access until an administrator revokes the user's sessions, the token expires, or the user's password is changed (which invalidates refresh tokens in Entra ID). Access tokens already issued keep working until they expire, typically about an hour, unless Continuous Access Evaluation is in effect for the resource.

  • Tycoon2FA's prior adversary-in-the-middle capability for session cookie theft means operators may combine both techniques: device-code token theft for initial access and session cookie harvesting for lateral persistence across additional accounts.

Strategic risk framing:

  • The attack surface is every Microsoft 365 user who can receive email. No vulnerability, no unpatched software, and no misconfiguration is required on the victim's device.

  • Detection requires identity telemetry and anomaly analysis, not perimeter or endpoint controls.

  • The use of Trustifi click-tracking URLs as an initial delivery mechanism suggests Tycoon2FA operators are actively using legitimate marketing and email infrastructure to evade email security filtering.

CVE-2026-44513 in Hugging Face Diffusers: Root Cause and Affected Environments

  • The vulnerability arises from improper placement of the trust_remote_code safety gate in the diffusers library. The gate was implemented inside DiffusionPipeline.download() rather than at the dynamic module import site, meaning any code path that reaches module loading without passing through the download function bypasses the check entirely.

  • Confirmed bypass paths per NVD and vendor advisories:

  • Specifying custom_pipeline='attacker/repoB' while loading repoA causes module loading from repoB to occur without the download function being invoked for repoB.

  • Loading from a local snapshot (a pre-downloaded model directory) bypasses the download function entirely, so trust_remote_code=False provides no protection for local snapshot loads.

  • Loading custom component files referenced in model_index.json follows a code path that does not invoke the trust_remote_code check.

  • The CVSS score of 8.8 reflects high confidentiality, integrity, and availability impact. Attack complexity is low once an attacker can influence model repository contents or snapshot directories, which is achievable via poisoned model uploads on public model hubs or via supply chain compromise of model artifacts in internal registries.

  • Affected scope: all environments running Hugging Face diffusers prior to version 0.38.0 that load pipelines from any external or unreviewed source, including notebook environments, production inference services, and CI/CD pipelines that perform automated model testing or evaluation.

  • The fix in version 0.38.0 relocates the trust_remote_code check to the dynamic module load site, closing all documented bypass paths.

Cross-Incident Pattern Analysis

All three incidents share a single strategic thread: attackers are exploiting trust in legitimate, widely adopted infrastructure rather than exploiting traditional network vulnerabilities.

  • npm is trusted by default for package installation and script execution.

  • microsoft.com/devicelogin is a legitimate Microsoft authentication endpoint.

  • Hugging Face model hubs and repository loading are trusted pathways for AI/ML workflows.

The attacker advantage in all three cases is that the initial trust relationship exists before the attack begins. Defenders cannot break this trust without operational friction; the response must be context-aware controls, behavioral monitoring, and least-privilege enforcement rather than broad blocking.

Chapter 03 - Operational Response

Shai-Hulud npm Worm: Immediate Response and Containment

Containment priorities:

  • Identify all developer workstations, CI/CD runners, and build agents where any of the following npm packages were installed in the past 14 days: chalk-tempalte, @deadcode09284814/axios-util, axois-utils, color-style-utils, and any packages published under the deadcode09284814 account. Quarantine these systems immediately pending investigation.

  • Rotate all credentials and secrets that were accessible on any identified system, including npm tokens, GitHub Personal Access Tokens, AWS/GCP/Azure access keys, database credentials, and any secrets stored in environment variables or configuration files. Treat all harvested secrets as fully compromised.

  • Audit all npm packages installed across your organization in the past 30 days and cross-reference against known malicious package lists. Extend this audit to CI/CD pipeline dependency resolution logs, not only developer workstation package managers.

  • Block further installation of identified malicious packages at the proxy, artifact repository, and lockfile level. Remove them from any internal npm mirrors or caches immediately.

  • Search outbound DNS and HTTP proxy logs for connections to 87e0bbc636999b[.]lhr[.]life, the confirmed C2 exfiltration endpoint used by the Shai-Hulud copycat packages. Any connection to this host from a developer or build environment should be treated as confirmed compromise. Note that lhr.life belongs to the localhost.run tunnelling service, so the hostname is attacker-chosen and ephemeral: block this host, and treat any other lhr.life subdomain reached from a build or developer system as suspect.

  • Review GitHub audit logs for your organization for any unexpected public repository creation events in the past 30 days, particularly repositories created by developer accounts with names that do not match typical project naming patterns. These may contain exfiltrated secrets published by the worm's propagation mechanism.
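To work the last three containment steps above against actual telemetry, the following added example (constructed for this brief, not from the page's sources) triages proxy records for the reported C2 host and for other hostnames under the same tunnelling domain, pulls public repository creations out of a GitHub audit-log export, and pairs the two by time. The log lines are made up, the audit-log JSON uses a simplified subset of GitHub's field names (assumed), and acme/ stands in for your organisation's namespace.

```python
"""Triage proxy logs and GitHub audit logs for Shai-Hulud follow-on activity.
Constructed sample data; field names for the audit log are assumed."""
import json
from datetime import datetime, timedelta

IOC_HOSTS = {"87e0bbc636999b.lhr.life"}
# lhr.life is a public tunnelling service: any other subdomain reached from a
# build host is worth a look, at lower confidence than the confirmed IOC.
TUNNEL_PARENTS = ("lhr.life",)
BUILD_HOSTS = {"ci-runner-01", "ci-runner-02", "dev-laptop-17"}
ORG_PREFIX = "acme/"  # repositories your organisation expects to create (assumption)

# Constructed proxy log: timestamp client destination method status
PROXY_LOG = """\
2026-05-17T10:02:11Z ci-runner-01 registry.npmjs.org GET 200
2026-05-17T10:02:19Z ci-runner-01 87e0bbc636999b.lhr.life POST 200
2026-05-17T10:03:40Z dev-laptop-17 api.github.com POST 201
2026-05-18T08:13:44Z ci-runner-02 aa11bb22cc33dd.lhr.life POST 200
2026-05-18T09:00:00Z web-frontend-03 cdn.example.net GET 304
"""

# Constructed GitHub audit-log export (JSON lines), simplified field set.
GITHUB_AUDIT = """\
{"action":"repo.create","actor":"alice","repo":"acme/payments-api","visibility":"private","created_at":"2026-05-10T12:00:00Z"}
{"action":"repo.create","actor":"bob","repo":"bob/qz81k3","visibility":"public","created_at":"2026-05-17T10:08:30Z"}
{"action":"repo.create","actor":"carol","repo":"acme/docs-site","visibility":"public","created_at":"2026-05-12T09:30:00Z"}
{"action":"git.push","actor":"alice","repo":"acme/payments-api","created_at":"2026-05-17T11:50:00Z"}
"""


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def triage_proxy(log_text):
    """Flag contacts with the confirmed C2 host, and tunnel-service hosts from build systems."""
    hits = []
    for line in log_text.splitlines():
        when, client, dest, _method, _status = line.split()
        dest = dest.lower()
        if dest in IOC_HOSTS:
            severity = "confirmed"
        elif client in BUILD_HOSTS and any(dest.endswith("." + p) for p in TUNNEL_PARENTS):
            severity = "suspect"
        else:
            continue
        hits.append({"when": when, "client": client, "dest": dest, "severity": severity})
    return hits


def triage_github_audit(jsonl, org_prefix=ORG_PREFIX):
    """Every public repo creation is reviewed; ones outside the org namespace rank highest."""
    hits = []
    for line in jsonl.splitlines():
        event = json.loads(line)
        if event.get("action") != "repo.create" or event.get("visibility") != "public":
            continue
        outside = not event["repo"].startswith(org_prefix)
        hits.append({"when": event["created_at"], "actor": event["actor"],
                     "repo": event["repo"], "severity": "high" if outside else "review"})
    return hits


def correlate(proxy_hits, repo_hits, window=timedelta(minutes=30)):
    """Pair each C2 contact with public repos created shortly afterwards (the propagation step)."""
    pairs = []
    for p in proxy_hits:
        for r in repo_hits:
            delta = _ts(r["when"]) - _ts(p["when"])
            if timedelta(0) <= delta <= window:
                pairs.append({"client": p["client"], "dest": p["dest"], "repo": r["repo"],
                              "minutes_after": int(delta.total_seconds() // 60)})
    return pairs


if __name__ == "__main__":
    proxy = triage_proxy(PROXY_LOG)
    repos = triage_github_audit(GITHUB_AUDIT)
    for item in proxy + repos + correlate(proxy, repos):
        print(item)
```

The correlation window is deliberately short: the worm publishes the stolen material with the token it just harvested, so a public repo minutes after a C2 contact from the same organisation is the pattern to chase first. Widen the window and the host list to suit your own retention and naming.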

Security hardening actions:

  • Enforce dependency lockfiles (package-lock.json or yarn.lock) for all production and critical build pipelines and ensure lockfile integrity is verified in CI before installation proceeds.

  • Implement or enforce an internal npm registry that mirrors only vetted package versions, removing direct dependency on public npm for critical pipelines.

  • Apply least-privilege to all CI/CD secrets. Tokens should be scoped to the minimum required permissions, bound to specific environments, and rotated on a defined schedule. Secrets should not be accessible from developer workstations in production-scope form.

  • Add software composition analysis tooling (SCA) to all build pipelines as a mandatory pre-build gate, configured to fail builds on detection of known-malicious package names or newly published packages from untrusted accounts.

Internal coordination:

  • Notify engineering leadership, DevOps, SRE, and platform security teams that active npm supply chain campaigns are in progress and that developer-side compromise can cascade into production cloud environments.

  • Escalate immediately to the incident response team if evidence of lateral movement, cloud resource abuse, or unauthorized GitHub repository creation is observed following suspected Shai-Hulud activity.

  • If crypto wallet or financial account credentials were accessible on any affected system, notify the finance or treasury team immediately and coordinate with those platforms for account-level monitoring.

Tycoon2FA Device-Code Phishing: Immediate Response and Containment

Containment priorities:

  • Pull all device-code sign-ins from the Microsoft Entra ID sign-in logs (Authentication Protocol = Device code) for the past 30 days; these are sign-in log entries, not audit log entries. Filter for grants where the IP address, user agent, or geographic location deviates from the user's typical sign-in pattern.

  • Revoke sessions for all accounts where suspicious device-code activity is identified (Microsoft Graph revokeSignInSessions, or Revoke-MgUserSignInSession in Microsoft Graph PowerShell), which invalidates the refresh tokens. Access tokens already issued remain usable until they expire unless Continuous Access Evaluation is in effect for the resource, so start the mailbox and file access review immediately rather than waiting. Require full re-authentication with a phishing-resistant MFA method for any affected account.

  • Review and revoke any OAuth application consents granted in the past 30 days where the application is not on an approved list, particularly consents involving high-privilege scopes (Mail.Read, Files.ReadWrite, Calendars.Read).

  • Create a Conditional Access policy using the Authentication flows condition to block the device code flow for all users, scoping an exclusion only to the accounts and applications that genuinely need it (for example, CLI tooling on headless systems). The authentication methods policy does not govern this flow, so disabling methods there has no effect on it.

  • Search email security logs for inbound messages containing Trustifi click-tracking URLs (trackingfor.email, sendwithtrustifi.com, and related domains) that preceded any identified suspicious device-code events.
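The sign-in review in the first containment step can be scripted over a sign-in log export. This added example is not a Microsoft query or an eSentire detection; it uses the Microsoft Graph signIn field names (authenticationProtocol, ipAddress, location, status) over records constructed for the demonstration, builds a per-user country baseline from ordinary sign-ins, and escalates device-code grants that come from a country the user has never used or from a source IP that authorised more than one user within an hour.

```python
"""Rank device-code sign-ins from an Entra ID sign-in log export.
Records below are constructed; the keys follow the Graph signIn resource."""
from collections import defaultdict
from datetime import datetime, timedelta

SIGNIN_LOG = [
    {"createdDateTime": "2026-05-10T08:00:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.20",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-11T08:05:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.21",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-11T09:00:00Z", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.22",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    # carol runs a CLI tool that legitimately uses device code, from her usual network
    {"createdDateTime": "2026-05-16T09:10:00Z", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.22",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    # two users complete device-code grants minutes apart from one foreign IP
    {"createdDateTime": "2026-05-17T13:02:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-17T13:14:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    # a failed attempt (bad password) is not a grant and is not escalated here
    {"createdDateTime": "2026-05-17T13:20:00Z", "userPrincipalName": "dave@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 50126}},
]


def _ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def baseline_countries(records):
    """Countries each user has signed in from successfully without the device code flow."""
    seen = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] == 0 and r["authenticationProtocol"] != "deviceCode":
            seen[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return seen


def detect_device_code(records, window=timedelta(minutes=60)):
    """Every successful device-code grant is returned; anomalies raise it to 'high'."""
    base = baseline_countries(records)
    grants = sorted((r for r in records
                     if r["authenticationProtocol"] == "deviceCode" and r["status"]["errorCode"] == 0),
                    key=_ts)
    by_ip = defaultdict(list)
    for g in grants:
        by_ip[g["ipAddress"]].append(g)
    findings = []
    for g in grants:
        user = g["userPrincipalName"]
        reasons = ["device-code grant"]
        if g["location"]["countryOrRegion"] not in base.get(user, set()):
            reasons.append("country never seen for this user")
        others = {o["userPrincipalName"] for o in by_ip[g["ipAddress"]]
                  if o["userPrincipalName"] != user and abs(_ts(o) - _ts(g)) <= window}
        if others:
            reasons.append(f"same source IP authorised {len(others)} other user(s) within {window}")
        findings.append({"user": user, "when": g["createdDateTime"], "ip": g["ipAddress"],
                         "severity": "high" if len(reasons) > 1 else "review", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_device_code(SIGNIN_LOG):
        print(f["severity"], f["user"], f["when"], f["ip"], "; ".join(f["reasons"]))
```

In Log Analytics the equivalent filter is the AuthenticationProtocol column of SigninLogs. For each high finding, revoke the user's sessions (Revoke-MgUserSignInSession in Microsoft Graph PowerShell) before starting the mailbox review, because the refresh token stays usable until then.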

Security hardening actions:

  • Deploy alerting for device-code sign-ins where the same source IP or client authorises more than one account within a short window, or where a device-code grant is followed immediately by bulk mailbox access or file download activity.

  • Configure Conditional Access token protection (sign-in session binding) where licensed and supported for the client platform and service, to bind sessions to the device and reduce token portability.

  • Align incident response runbooks to explicitly cover device-code phishing scenarios, including step-by-step guidance for token revocation, session invalidation, mailbox access review, and downstream notification.

  • Evaluate and deploy phishing-resistant MFA (passkeys or FIDO2 hardware tokens) for high-value accounts including executives, administrators, and finance roles as a priority, as these are the accounts most targeted in token-theft campaigns. This defeats Tycoon2FA's adversary-in-the-middle proxy variant; it does not by itself stop device-code token issuance, which is why the Conditional Access block on the device code flow comes first.

Internal coordination:

  • Brief helpdesk and frontline IT staff to recognize that a user reporting they were asked to enter a code at microsoft.com/devicelogin following an unexpected email may be describing an active Tycoon2FA attack, not a routine account setup request.

  • Notify legal and compliance if mailbox or document access review suggests potential exposure of personal data or legally privileged communications, as breach notification assessments may be triggered under applicable data protection regulations.

  • Coordinate with the Microsoft 365 administration team to ensure unified audit logging is enabled at the maximum retention period and that device-code sign-in events are specifically included in SIEM ingestion pipelines.

CVE-2026-44513: Operational Response in AI Environments

Containment priorities:

  • Inventory all environments where Hugging Face diffusers is installed. Prioritize internet-connected notebook servers, production inference services, automated model evaluation pipelines, and GPU cluster workloads. Determine which environments are running versions prior to 0.38.0.

  • For environments running vulnerable versions: immediately restrict or disable use of the custom_pipeline parameter in DiffusionPipeline.from_pretrained calls that reference external or unreviewed repositories. Block dynamic loading from local snapshots that have not been reviewed by a qualified team member.

  • For production inference services: assess whether model loading occurs at runtime from external sources or from fixed, internally managed snapshots. If external loading occurs, freeze model updates until the upgrade to 0.38.0 is complete and verified.

Security hardening actions:

  • Upgrade diffusers to version 0.38.0 or later across all environments. Add enforcement to CI/CD pipelines to fail builds that include known-vulnerable versions of diffusers or that use unpinned model repository references.

  • Implement an approved model repository allowlist within your ML platform. Any pipeline loading from repositories not on the allowlist should require a manual security review before execution.

  • Add logging around all model loading operations in ML environments so that imports of unexpected modules, network fetches during pipeline initialization, or execution of unusual code paths can be correlated with diffusers usage and escalated if anomalous.
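A concrete form of the allowlist and version enforcement above, written for this brief rather than taken from diffusers: a guard that an ML platform calls before DiffusionPipeline.from_pretrained(). It denies custom_pipeline values that are not on a reviewed allowlist, refuses unreviewed local snapshots that contain Python files (custom pipelines and components ship as .py files), and on diffusers older than 0.38.0 treats trust_remote_code=False as providing no protection for unreviewed repositories. The allowlist entries, the LoadRequest dataclass, and the sample snapshots it writes to a temporary directory are assumptions for the demonstration.

```python
"""Pre-load guard for diffusers pipelines: version floor plus repository allowlist.
Added example; not part of the diffusers API."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Optional

PATCHED = (0, 38, 0)

# Repositories and snapshot paths a reviewer has approved (assumed list).
ALLOWLIST = {"stabilityai/stable-diffusion-2-1", "internal/reviewed-inpaint-pipeline"}


def parse_version(text):
    """'0.38.0.dev0' -> (0, 38, 0); '0.38' -> (0, 38, 0). Pre-release tags are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_patched(version):
    return parse_version(version) >= PATCHED


def snapshot_has_code(path):
    """True if a local snapshot contains any Python file (custom pipeline or component)."""
    for _dirpath, _dirs, files in os.walk(path):
        if any(f.endswith(".py") for f in files):
            return True
    return False


@dataclass
class LoadRequest:
    repo_id: str                          # hub repository id, or a local snapshot path
    custom_pipeline: Optional[str] = None
    trust_remote_code: bool = False
    is_local: bool = False


def evaluate(req, diffusers_version, allowlist=ALLOWLIST):
    """Return (decision, reason); call from_pretrained only on 'allow'."""
    if req.custom_pipeline and req.custom_pipeline not in allowlist:
        return "deny", f"custom_pipeline {req.custom_pipeline!r} is not on the reviewed allowlist"
    if req.is_local:
        if req.repo_id not in allowlist and snapshot_has_code(req.repo_id):
            return "deny", "unreviewed local snapshot contains Python files"
    elif req.repo_id not in allowlist:
        if not is_patched(diffusers_version):
            # Before 0.38.0 the trust_remote_code=False gate is bypassable on several paths.
            return "deny", f"diffusers {diffusers_version} < 0.38.0: unreviewed repo may execute code"
        if req.trust_remote_code:
            return "deny", "trust_remote_code=True requires a reviewed repository"
    return "allow", "reviewed source, or patched version with remote code disabled"


def build_sample_snapshots():
    """Constructed local snapshots: one with config only, one carrying a custom pipeline file."""
    root = tempfile.mkdtemp(prefix="snapshots-")
    layouts = {
        "clean-model": {"model_index.json": '{"_class_name": "StableDiffusionPipeline"}'},
        "tainted-model": {"model_index.json": '{"_class_name": "CustomPipeline"}',
                          "pipeline.py": "# custom code that would execute at load time\n"},
    }
    paths = []
    for folder, files in layouts.items():
        path = os.path.join(root, folder)
        os.makedirs(path)
        for name, content in files.items():
            with open(os.path.join(path, name), "w", encoding="utf-8") as fh:
                fh.write(content)
        paths.append(path)
    return tuple(paths)  # (clean, tainted)


if __name__ == "__main__":
    clean, tainted = build_sample_snapshots()
    for req, ver in [(LoadRequest("someone/unreviewed"), "0.37.2"),
                     (LoadRequest("someone/unreviewed"), "0.38.0"),
                     (LoadRequest(tainted, is_local=True), "0.38.0"),
                     (LoadRequest(clean, is_local=True), "0.37.2")]:
        print(ver, req.repo_id, evaluate(req, ver))
```

Wire evaluate() in front of every from_pretrained call in shared notebook images and inference services, and run the same version check in CI against the resolved lock file so a downgrade fails the build rather than reaching a GPU host.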

Internal coordination:

  • Engage data science and ML platform teams to communicate that model-loading APIs can be arbitrary code execution vectors when untrusted content is involved, not merely data ingestion interfaces. This framing is essential for securing cooperation on patching timelines.

  • Coordinate with cloud operations to monitor for unusual process launches, unexpected outbound network connections, or abnormal file system modifications from ML workloads that could indicate exploitation attempts.

Shai-Hulud npm Worm: Timeline

  • 2025-09-15: Wiz Research publishes initial Shai-Hulud analysis documenting the worm's compromise of over 100 npm packages and its behavior of creating public GitHub repositories to store exfiltrated secrets.

  • 2025-11-24: Unit 42 publishes a detailed analysis of the Shai-Hulud worm including Shai-Hulud 2.0, documenting improved credential harvesting, package republishing mechanisms, and the worm's ability to escalate from developer credential theft to cloud environment compromise.

  • 2026-05-11 (approximate): TeamPCP publicly releases Shai-Hulud source code on GitHub with the message "Here We Go Again. Let the Carnage Continue. A Gift from TeamPCP."

  • 2026-05-16: OX Security identifies four malicious npm packages published under the deadcode09284814 account using unmodified Shai-Hulud code: chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils. Combined download count of 2,678 confirmed at time of discovery.

  • 2026-05-17: BleepingComputer reports the OX Security findings. Packages confirmed active at time of publication.

  • Date not confirmed in consulted sources: Aikido Security identifies the Mini Shai-Hulud campaign affecting over 160 npm packages including TanStack and Mistral. Published within the current reporting window.

  • 2026-05-18 to 2026-05-19: Packages reported as removed from npm registry following responsible disclosure. Exfiltration infrastructure (87e0bbc636999b[.]lhr[.]life) status as of window close: not confirmed neutralized.

Tycoon2FA Device-Code Phishing: Timeline

  • Date not confirmed in consulted sources (2025): Microsoft publishes initial Tycoon2FA analysis documenting its use as an adversary-in-the-middle phishing kit harvesting session cookies and bypassing MFA through reverse proxies.

  • Late April 2026 (date not confirmed in consulted sources): eSentire Threat Response Unit observes new Tycoon2FA campaign variant using OAuth 2.0 Device Authorization Grant flows, with Trustifi click-tracking URLs as the initial delivery mechanism targeting Microsoft 365 accounts.

  • 2026-05-11: eSentire publishes full technical analysis of the Tycoon2FA device-code phishing technique describing the multi-step delivery chain, device-code authorization abuse, and token persistence behavior.

  • 2026-05-16: LinkedIn post and subsequent coverage highlight active Tycoon2FA device-code phishing campaigns targeting Microsoft 365 accounts.

  • 2026-05-18: SC World publishes summary confirming Tycoon2FA's adoption of OAuth 2.0 device-code flows as an active in-the-wild technique.

  • 2026-05-19 (window close): Campaign assessed as ongoing. No disruption of Tycoon2FA infrastructure confirmed in consulted sources.

CVE-2026-44513 in Hugging Face Diffusers: Timeline

  • 2026-05-13: Initial advisories and vulnerability databases document CVE-2026-44513 as a high-severity remote code execution vulnerability in Hugging Face diffusers due to improper control of dynamic code generation. GHSA-98h9-4798-4q5v published.

  • 2026-05-14: NVD publishes CVE-2026-44513 confirming that diffusers prior to version 0.38.0 allows arbitrary code execution even when trust_remote_code is explicitly set to False due to incorrect placement of the safety gate.

  • 2026-05-13 to 2026-05-17: Radar OffSeq, Cyber Defence, and additional security portals confirm CVSS score of 8.8 and verify that upgrading to diffusers 0.38.0 resolves the vulnerability.

  • 2026-05-19 (window close): No confirmed in-the-wild exploitation reported in consulted sources. Patch available. Exploitation feasibility assessed as high for environments that dynamically load unreviewed model repositories.

Chapter 04 - Detection Intelligence

Shai-Hulud npm Worm: Attack Mechanism and Propagation

  • Entry vector: Malicious npm packages published to the public registry using typosquatting, account compromise, or post-source-code-leak copycat publication. No vulnerability required on the victim system; standard npm install execution is sufficient.

  • Execution trigger: preinstall, install or postinstall lifecycle scripts defined in the malicious package's package.json execute automatically when the package is installed. npm runs these scripts through a shell with the full permissions of the invoking user or CI runner; they are skipped only when scripts are disabled (ignore-scripts=true or --ignore-scripts).

  • Credential harvesting targets:

  • .npmrc files (npm authentication tokens)

  • GitHub Personal Access Tokens and SSH keys stored in the local environment

  • Cloud provider credential files and environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, GOOGLE_APPLICATION_CREDENTIALS, AZURE_CLIENT_SECRET and equivalents)

  • Database connection strings in .env and application configuration files

  • Cryptocurrency wallet files (Exodus, Atomic Wallet, MetaMask extension storage, Ledger Live)

  • General file system sweep for files matching credential and secret naming patterns on Desktop and Documents

  • Exfiltration mechanism: Harvested material is exfiltrated via HTTPS POST to the C2 endpoint 87e0bbc636999b[.]lhr[.]life. A secondary exfiltration channel exists via auto-generated public GitHub repositories created using stolen GitHub tokens, where harvested secrets are committed in plaintext.

  • Self-propagation loop: Using the stolen npm authentication token, the malware publishes new versions of npm packages that the victim account has publish rights to, embedding the same malicious post-install script. Downstream consumers of those packages are infected on their next npm install or update cycle.

  • Shai-Hulud 2.0 improvements (Unit 42): Faster token enumeration, expanded cloud credential targeting, improved package republishing speed, and refined evasion of npm abuse detection heuristics.

  • Mini Shai-Hulud expansion (Aikido Security): The same core mechanism applied at scale across over 160 packages. TanStack packages (widely used in React, Vue, and Solid.js development) and Mistral AI tooling packages were confirmed compromised, meaning the attack surface extends into frontend development tooling and AI library dependency chains.

  • Destructive fallback (copycat variants): If credential theft conditions are not met or exfiltration fails, some copycat variants execute a secure overwrite of the user home directory, converting a failed infostealing attempt into a destructive incident. This behavior was not present in the original TeamPCP Shai-Hulud but appears in at least one of the four packages identified by OX Security.

  • DDoS botnet addition (axois-utils variant): Deploys a persistent process called "phantom bot" that establishes command-and-control connectivity for HTTP flood, TCP flood, UDP flood, and TCP reset attacks. This converts compromised developer machines into botnet nodes independent of the credential exfiltration objective.
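The install-time vector described above, and in the Chapter 02 mechanism section, can be checked for directly on a workstation or CI runner. The following is an added example written for this brief, not tooling from OX Security, Aikido or any other source cited here: it walks a node_modules tree, reports every package that declares an install-time lifecycle script, matches names against a known-bad list seeded from the packages named in this brief, and flags names one edit away from a popular package. The popular-name list and the sample tree it builds in a temporary directory are constructed for the demonstration.

```python
"""Scan a node_modules tree for install-time scripts, known-bad names and typosquats.
Added example; the sample tree is constructed in a temporary directory."""
import json
import os
import tempfile

# Hooks npm executes automatically at install time (no user interaction).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Package names reported by this brief's sources; extend from your own feed.
KNOWN_BAD = {"chalk-tempalte", "@deadcode09284814/axios-util",
             "axois-utils", "color-style-utils"}

# Popular names that copycats imitate (assumed list for the heuristic).
POPULAR = ("axios", "chalk", "lodash", "express", "react")


def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition ('axois') as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_of(name):
    """Return the popular package a hyphen-separated name segment imitates, if any."""
    for token in name.split("/")[-1].lower().split("-"):
        for popular in POPULAR:
            if token != popular and osa_distance(token, popular) <= 1:
                return popular
    return None


def scan_node_modules(root):
    """Walk every package.json under root and return a list of findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                meta = json.load(fh)
            except ValueError:
                continue  # unreadable manifest: skip it rather than abort the audit
        name = meta.get("name", os.path.basename(dirpath))
        scripts = meta.get("scripts") or {}
        reasons = []
        if name in KNOWN_BAD:
            reasons.append("known-malicious name")
        hooks = [f"{h}={scripts[h]}" for h in INSTALL_HOOKS if h in scripts]
        if hooks:
            reasons.append("runs on install: " + "; ".join(hooks))
        imitated = typosquat_of(name)
        if imitated:
            reasons.append(f"possible typosquat of {imitated}")
        if reasons:
            findings.append({"package": name, "path": dirpath, "reasons": reasons})
    return findings


def build_sample_tree():
    """Constructed node_modules tree for the demonstration; nothing is actually installed."""
    root = tempfile.mkdtemp(prefix="nm-scan-")
    samples = [
        {"name": "axios", "version": "1.7.0"},
        {"name": "left-pad", "version": "1.3.0", "scripts": {"test": "node test.js"}},
        {"name": "axois-utils", "version": "1.0.2", "scripts": {"postinstall": "node setup.js"}},
        {"name": "@deadcode09284814/axios-util", "version": "0.0.1",
         "scripts": {"preinstall": "node bundle.js"}},
    ]
    for meta in samples:
        pkg_dir = os.path.join(root, "node_modules", *meta["name"].split("/"))
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return root


if __name__ == "__main__":
    for finding in scan_node_modules(build_sample_tree()):
        print(finding["package"], "->", "; ".join(finding["reasons"]))
```

Run it against a real tree with scan_node_modules('/path/to/project/node_modules'); a non-empty result is a review queue rather than a verdict, since many legitimate packages also declare postinstall. The same check belongs in CI ahead of npm ci, alongside ignore-scripts=true for pipelines that can tolerate it.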

Tycoon2FA Device-Code Phishing: Technique and Token Acquisition

  • Protocol basis: OAuth 2.0 Device Authorization Grant (RFC 8628). The flow was designed for devices that cannot present a browser directly. A device requests a user code and device code from the authorization server, the user completes authentication on a separate browser-capable device at a specified URL, and the device polls for token issuance.

  • Tycoon2FA abuse of this flow:

Step 1: Attacker's infrastructure sends an HTTP POST to https://login.microsoftonline.com/common/oauth2/v2.0/devicecode with a client_id (typically that of a public, first-party Microsoft client) and the scopes it wants, such as Mail.Read, Files.ReadWrite, or openid offline_access; offline_access is what causes a refresh token to be issued.

Step 2: Attacker receives a device_code and a short alphanumeric user_code, and begins polling the token endpoint, which answers authorization_pending until the user completes the flow.

Step 3: Victim receives a phishing email containing a Trustifi click-tracking URL. The URL passes through Tycoon2FA staging infrastructure. The victim is presented with a corporate-styled page displaying the user_code and instructing them to visit microsoft.com/devicelogin.

Step 4: The victim navigates to the real microsoft.com/devicelogin, enters the provided code, authenticates with their actual credentials and MFA, and grants consent.

Step 5: Microsoft's token endpoint returns access_token and refresh_token to the attacker's polling device. The victim's authentication is complete and they see a normal Microsoft success page.

Step 6: Attacker uses the access_token for immediate resource access and stores the refresh_token for persistent re-authentication until the token is explicitly revoked or the user changes credentials.

  • Detection evasion properties:

  • All authentication occurs on genuine Microsoft domains with valid SSL certificates.

  • Victim's sign-in event appears in Entra ID logs as a successful device-code authentication with the victim's own credentials and MFA completion.

  • No credential harvesting page is served; no fake login form is presented to the victim.

  • Trustifi's legitimate click-tracking infrastructure is used to obscure the initial redirect chain, evading email security URL scanning.

  • MFA bypass property: The attack does not intercept or bypass MFA codes. It causes the victim to complete a genuine MFA-protected authentication that results in token issuance to an attacker-controlled device. Standard TOTP, push notification, and SMS MFA therefore provide no protection here, because the victim satisfies them legitimately as part of the flow. Only phishing-resistant authenticators bound to a specific device (FIDO2, passkeys) would prevent token issuance to an unauthorized device.

  • Token persistence: Refresh tokens obtained via this method are valid for the configured token lifetime, which in default Microsoft 365 configurations can be up to 90 days. A password reset by the victim does not invalidate existing refresh tokens unless explicit token revocation is performed by an administrator.

CVE-2026-44513 in Hugging Face Diffusers: Root Cause Analysis

  • Affected component: DiffusionPipeline.from_pretrained() in Hugging Face diffusers library, versions prior to 0.38.0.

  • Intended protection: The trust_remote_code parameter was intended to require explicit user opt-in before any remote or custom Python code is executed during model or pipeline loading.

  • Root cause: The trust_remote_code gate was implemented inside DiffusionPipeline.download() rather than at the actual dynamic module import site (importlib or equivalent). Any code path that reaches module loading without invoking the download() function bypasses the check.

  • Confirmed bypass paths (NVD, GHSA-98h9-4798-4q5v):

  • custom_pipeline bypass: Calling DiffusionPipeline.from_pretrained('repoA', custom_pipeline='attacker/repoB') loads Python code from repoB without invoking the trust_remote_code check for repoB's download.

  • Local snapshot bypass: Loading from a pre-downloaded local snapshot directory (local_dir or snapshot_download path) does not invoke the download() function, so trust_remote_code=False provides no protection.

  • model_index.json custom component bypass: Custom component files referenced inside a model's model_index.json are loaded via a code path that does not pass through the trust_remote_code gate.

  • Exploitability conditions: An attacker must be able to influence model repository contents (via a poisoned upload to a public model hub, a compromised internal model registry, or a malicious model artifact in a supply chain) or place files in a location accessible as a local snapshot. In environments where data scientists load community models from Hugging Face Hub without review, the attack surface is broad.

  • Fix: Version 0.38.0 relocates the trust_remote_code enforcement to the dynamic module import site, closing all three documented bypass paths regardless of the code path that reaches module loading.
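A pre-load vetting check for the bypass paths described above, written here as an added example; it is not code from the brief or from the diffusers project. It assumes the diffusers snapshot layout in which model_index.json maps each component to a [library, class] pair and a custom component names a local Python module instead of a library, and it flags those modules, any .py file in the snapshot, and any custom_pipeline reference outside an allowlist before DiffusionPipeline.from_pretrained() is called, which is useful for local snapshots that never pass through the download()-site gate on versions before 0.38.0.

```python
"""Vet a local diffusers snapshot for code that would be executed at load time."""
import json
import tempfile
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Libraries whose classes diffusers resolves by normal import rather than by executing
# a file shipped in the model repository (assumed set; extend for your environment).
KNOWN_LIBRARIES = {"diffusers", "transformers", "torch", "onnxruntime", "flax"}


def find_custom_code(snapshot_dir: str) -> List[str]:
    """Return one finding per component or file that implies repo-supplied Python code."""
    root = Path(snapshot_dir)
    findings: List[str] = []
    index = root / "model_index.json"
    if index.is_file():
        with index.open() as fh:
            data = json.load(fh)
        for key, value in data.items():
            # Metadata entries such as _diffusers_version are plain strings; components
            # (and a list-form _class_name) are [library_or_module, class_name] pairs.
            if not (isinstance(value, list) and len(value) == 2):
                continue
            library, cls = value
            if library is None:  # optional component left as [null, null]
                continue
            if library not in KNOWN_LIBRARIES:
                findings.append(f"model_index.json '{key}' loads {cls} from module '{library}'")
    for py in sorted(root.rglob("*.py")):
        findings.append(f"python source in snapshot: {py.relative_to(root)}")
    return findings


def safe_to_load(snapshot_dir: str, custom_pipeline: Optional[str] = None,
                 allowlist: Iterable[str] = ()) -> bool:
    """Policy gate to run before from_pretrained(): refuse unapproved custom_pipeline
    references and any snapshot carrying custom code, regardless of trust_remote_code."""
    if custom_pipeline is not None and custom_pipeline not in set(allowlist):
        return False
    return not find_custom_code(snapshot_dir)


def build_demo_snapshot(base: str, with_custom: bool) -> str:
    """Write a constructed snapshot (clean, or with a custom unet module) and return its path."""
    d = Path(base) / ("custom" if with_custom else "clean")
    d.mkdir(parents=True, exist_ok=True)
    index = {"_class_name": "StableDiffusionPipeline", "_diffusers_version": "0.37.0",
             "unet": ["diffusers", "UNet2DConditionModel"],
             "text_encoder": ["transformers", "CLIPTextModel"],
             "safety_checker": [None, None]}
    if with_custom:
        index["unet"] = ["my_unet", "MyUNet2DConditionModel"]
        (d / "my_unet.py").write_text("# constructed placeholder; would be imported at load\n")
    (d / "model_index.json").write_text(json.dumps(index))
    return str(d)


def run_demo() -> Tuple[List[str], List[str], bool, bool]:
    """Build both snapshots in a temp dir and return (clean_findings, custom_findings,
    clean_ok, custom_ok)."""
    base = tempfile.mkdtemp(prefix="diffusers-vet-")
    clean, custom = build_demo_snapshot(base, False), build_demo_snapshot(base, True)
    return (find_custom_code(clean), find_custom_code(custom),
            safe_to_load(clean), safe_to_load(custom))


if __name__ == "__main__":
    clean_f, custom_f, clean_ok, custom_ok = run_demo()
    print("clean snapshot findings:", clean_f, "-> load allowed:", clean_ok)
    print("custom snapshot findings:", custom_f, "-> load allowed:", custom_ok)
```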

Indicators of Compromise

IOC Type | IOC Value | Context | Verdict
---------|-----------|---------|--------
Domain (C2) | 87e0bbc636999b[.]lhr[.]life | Command and control endpoint used by Shai-Hulud copycat npm packages to exfiltrate harvested credentials and secrets. Source: BleepingComputer reporting OX Security findings. | Pending enrichment (at time of writing)
CVE Identifier | CVE-2026-44513 | High-severity RCE in Hugging Face diffusers prior to version 0.38.0, allowing arbitrary code execution via trust_remote_code bypass. GHSA-98h9-4798-4q5v. Source: NVD. | Confirmed vulnerability
npm Package Name | chalk-tempalte | Shai-Hulud clone infostealer. Publisher: deadcode09284814. Source: OX Security via BleepingComputer. | Malicious
npm Package Name | @deadcode09284814/axios-util | Credential and cloud configuration stealer. Publisher: deadcode09284814. Source: OX Security via BleepingComputer. | Malicious
npm Package Name | axois-utils | Infostealer plus persistent DDoS phantom bot. Publisher: deadcode09284814. Source: OX Security via BleepingComputer. | Malicious
npm Package Name | color-style-utils | Cryptocurrency wallet and IP information stealer. Publisher: deadcode09284814. Source: OX Security via BleepingComputer. | Malicious
npm Account | deadcode09284814 | Threat actor publishing account for all four malicious packages. Source: OX Security via BleepingComputer. | Malicious

Infrastructure Patterns

Shai-Hulud campaigns:

  • C2 infrastructure uses dynamically generated subdomain patterns under lhr[.]life and similar hosting providers, which rotate regularly. Point-in-time domain blocking is insufficient; behavioral detection is required.

  • Stolen credentials are exfiltrated to a secondary channel via auto-generated public GitHub repositories created under compromised maintainer accounts. These repositories are publicly accessible and may persist after C2 takedown, meaning sensitive secrets may remain exposed in public GitHub even after package removal and C2 blocking.

  • The worm's use of a victim's own npm publish rights means malicious package versions may appear under trusted, high-reputation package names. Package name-based allowlisting alone does not provide complete protection; version pinning and integrity verification are also required.

  • Copycat actors are using single npm accounts to publish multiple malicious packages in coordinated batches. Account-level monitoring within dependency security tooling can surface these patterns if single-account multi-package publishing is flagged.

Tycoon2FA device-code phishing:

  • Trustifi click-tracking infrastructure (trackingfor.email and related domains) is being used as an initial redirect layer, abusing a legitimate email marketing service's click tracking to obscure the phishing origin in email security logs.

  • The device-code polling loop operates against the legitimate Microsoft OAuth endpoint. No dedicated attacker-controlled intermediate infrastructure is involved in the token issuance step, making network-layer detection of the authorization step infeasible without identity telemetry.

  • Attacker-controlled devices receiving tokens may be cloud virtual machines, anonymized VPN exit nodes, or residential proxy infrastructure. Geographic anomaly detection on subsequent token use is a viable secondary indicator.

No cross-incident infrastructure overlap was confirmed in consulted sources for this window.

Shai-Hulud npm Worm: Detection Opportunities

Immediate detection actions (deploy within 24 hours):

  • Add the C2 domain 87e0bbc636999b[.]lhr[.]life to DNS blackhole and proxy block lists and enable alerting for any query or connection attempt to this domain from developer workstations, build servers, or CI/CD runners.

  • Configure alerts for outbound HTTPS connections initiated by node, npm, or sh processes on developer or build systems to domains that are not the npm registry, known CDNs, or approved cloud provider APIs, particularly during package install or build phases.

  • Search GitHub audit logs for unexpected public repository creation events by organization-linked accounts in the past 30 days. Flag any repository with an auto-generated or non-standard name that was created shortly after an npm install event.

  • Add the four identified malicious package names and the deadcode09284814 account to your dependency security tooling block list and configure alerting for any attempt to resolve or install them.

SIEM detection pseudocode (npm postinstall network callback):

event_type = process_create
process_name IN ["node", "sh", "bash", "zsh"]
parent_process_name IN ["npm", "yarn", "pnpm"]
cmdline CONTAINS ["postinstall", "preinstall", "install"]
AND child_process initiates network_connection
AND destination_domain NOT IN [approved_registry_list]
WITHIN 60 seconds of npm install event
ALERT: Suspicious npm lifecycle script outbound network callback
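An offline implementation of the lifecycle-script callback rule above, added here as an example; it is not code from the brief or from any vendor product. It runs over constructed EDR-style process-creation and network events (the field names are assumptions) and alerts when a node or shell process spawned by a package manager with an install-phase command line reaches a non-approved domain within 60 seconds of starting.

```python
"""Correlate npm lifecycle-script process events with outbound connections."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

SCRIPT_HOSTS = {"node", "sh", "bash", "zsh"}
PACKAGE_MANAGERS = {"npm", "yarn", "pnpm"}
LIFECYCLE_MARKERS = ("postinstall", "preinstall", "install")
# Approved egress during package install; extend with your registry mirror and CDNs.
APPROVED_DOMAINS = {"registry.npmjs.org", "registry.yarnpkg.com"}
CALLBACK_WINDOW = timedelta(seconds=60)


@dataclass
class ProcessEvent:
    ts: datetime
    host: str
    pid: int
    name: str
    parent_name: str
    cmdline: str


@dataclass
class NetworkEvent:
    ts: datetime
    host: str
    pid: int
    dest_domain: str


def is_lifecycle_script(p: ProcessEvent) -> bool:
    """True for node/shell children of a package manager running an install-phase script."""
    return (p.name in SCRIPT_HOSTS
            and p.parent_name in PACKAGE_MANAGERS
            and any(m in p.cmdline for m in LIFECYCLE_MARKERS))


def detect_callbacks(procs: List[ProcessEvent], conns: List[NetworkEvent]) -> List[dict]:
    """One alert per (lifecycle script, unapproved destination) inside CALLBACK_WINDOW.

    Matching is on host+pid for brevity; production logic should walk the process tree
    so that a grandchild (for example node spawned by sh) is attributed as well.
    """
    alerts = []
    for p in procs:
        if not is_lifecycle_script(p):
            continue
        for c in conns:
            if (c.host, c.pid) != (p.host, p.pid):
                continue
            if not (p.ts <= c.ts <= p.ts + CALLBACK_WINDOW):
                continue
            if c.dest_domain in APPROVED_DOMAINS:
                continue
            alerts.append({"host": p.host, "pid": p.pid, "cmdline": p.cmdline,
                           "dest_domain": c.dest_domain,
                           "seconds_after_spawn": (c.ts - p.ts).total_seconds()})
    return alerts


T0 = datetime(2026, 5, 18, 14, 0, 0)
# Constructed sample telemetry: one benign install step, one Shai-Hulud-style callback.
PROCS = [
    ProcessEvent(T0, "dev-ws-01", 4101, "sh", "npm", "sh -c node scripts/postinstall.js"),
    ProcessEvent(T0 + timedelta(seconds=5), "dev-ws-01", 4188, "node", "npm",
                 "node -e 'require(\"./setup.js\")' postinstall"),
    ProcessEvent(T0, "dev-ws-02", 900, "node", "code", "node server.js"),  # not a lifecycle script
]
CONNS = [
    NetworkEvent(T0 + timedelta(seconds=2), "dev-ws-01", 4101, "registry.npmjs.org"),  # benign
    NetworkEvent(T0 + timedelta(seconds=9), "dev-ws-01", 4188, "87e0bbc636999b.lhr.life"),  # C2 from IOC table
    NetworkEvent(T0 + timedelta(seconds=300), "dev-ws-01", 4101, "example.org"),  # outside window
    NetworkEvent(T0 + timedelta(seconds=1), "dev-ws-02", 900, "example.org"),  # parent not a package manager
]

if __name__ == "__main__":
    for a in detect_callbacks(PROCS, CONNS):
        print("ALERT: Suspicious npm lifecycle script outbound network callback", a)
```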

SIEM detection pseudocode (known Shai-Hulud C2):

event_type IN ["dns_query", "http_request", "https_request"]
destination_domain = "87e0bbc636999b.lhr.life"
ALERT: Shai-Hulud C2 communication confirmed. Treat originating host as

YARA pattern concept (Shai-Hulud copycat static detection in npm package files):

rule ShaiHulud_npm_Copycat {
    meta:
        description = "Detects Shai-Hulud copycat npm package artifacts"
        source = "OX Security / BleepingComputer reporting 2026-05-16 to 2026-05-18"
    strings:
        $c2_domain = "87e0bbc636999b" ascii
        $actor_account = "deadcode09284814" ascii
        $phantom_bot = "phantom bot" ascii nocase
        $flood_http = "http flood" ascii nocase
        $flood_tcp = "tcp flood" ascii nocase
        $shai_hulud_ref = "shai-hulud" ascii nocase
    condition:
        any of them
}

Threat hunting hypotheses (hunt this week):

  • Hypothesis: Developer machines that installed any recently identified malicious npm packages subsequently connected to unusual domains and experienced abnormal Git activity such as unexpected repository creation or token changes. Hunt by correlating npm package installation logs with outbound DNS and HTTP telemetry and GitHub audit events over the past 30 days.

  • Hypothesis: CI/CD runners that accessed cloud provider APIs shortly after installing new or updated npm dependencies may have been using stolen credentials. Hunt by correlating build pipeline logs, dependency resolution events, and cloud provider audit logs for anomalous API calls following npm install steps.

  • Hypothesis: Any public GitHub repository created by an organization-linked developer account in the past 30 days with a name that does not match a known project or follows an auto-generated pattern may contain exfiltrated secrets. Hunt by enumerating recently created public repositories and scanning their contents for credential and secret patterns.

Tycoon2FA Device-Code Phishing: Detection Opportunities

Immediate detection actions (deploy within 24 hours):

  • Enable ingestion of Microsoft Entra ID sign-in logs into your SIEM with specific inclusion of device-code sign-in events. Ensure the authentication method field is captured for all sign-in events.

  • Configure alerting for device-code sign-in events where the source IP, user agent, or geographic location deviates from the account's established baseline, or where a device-code grant is issued outside of business hours.

  • Add Trustifi click-tracking domains (trackingfor.email, sendwithtrustifi.com, and related) to email security watchlists. Flag inbound emails containing these URLs for additional user awareness or hold-for-review treatment.

SIEM detection pseudocode (device-code sign-in anomaly):

event_source = "Microsoft Entra ID Sign-In Logs"
event_type = "Sign-in"
authentication_method = "device_code"
AND (
    source_ip NOT IN [known_managed_device_ip_ranges]
    OR user_agent NOT IN [known_managed_device_agent_patterns]
    OR sign_in_location NOT IN [user_established_countries]
    OR time_of_day NOT IN [user_baseline_active_hours]
)
ALERT: Anomalous device-code sign-in. Review for Tycoon2FA token theft

SIEM detection pseudocode (multi-account device-code reuse):

event_source = "Microsoft Entra ID Sign-In Logs"
event_type = "Sign-in"
authentication_method = "device_code"
group_by device_id
count distinct user_principal_name WHERE timestamp WITHIN 60 minutes
IF count > 2
ALERT: Multiple accounts authorizing same device ID. Possible Tycoon2FA infrastructure reuse
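The two rules above, implemented over constructed Entra ID-style sign-in records as an added example (not the brief's own code and not a Microsoft query), covering both the device-code flow described in the Technical Analysis and the anomaly and device-reuse detections. The record schema (user, device_id, ip, country, ts, auth_method), the per-user baselines, and the managed IP range are assumptions; map them onto your SIEM's normalised sign-in fields.

```python
"""Device-code sign-in anomaly and multi-account device reuse detections."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed per-user baselines (normally learned from the account's sign-in history).
BASELINES: Dict[str, dict] = {
    "alice@example.com": {"countries": {"GB"}, "active_hours": range(7, 20)},
    "bob@example.com": {"countries": {"GB", "IE"}, "active_hours": range(8, 19)},
}
MANAGED_RANGES = [ip_network("203.0.113.0/24")]  # constructed managed-device egress range

# Constructed sign-in records; ISO timestamps are tenant-local time.
SIGNINS: List[dict] = [
    # Ordinary interactive sign-in from a managed device: not device-code, ignored by both rules.
    {"ts": "2026-05-18T09:05:00", "user": "alice@example.com", "auth_method": "password_mfa",
     "device_id": "dev-1", "ip": "203.0.113.10", "country": "GB"},
    # Device-code grant to an unmanaged IP, off hours and outside the user's countries.
    {"ts": "2026-05-18T02:10:00", "user": "alice@example.com", "auth_method": "device_code",
     "device_id": "dev-X", "ip": "198.51.100.7", "country": "NL"},
    # The same device identifier authorised by two more users within the hour.
    {"ts": "2026-05-18T02:25:00", "user": "bob@example.com", "auth_method": "device_code",
     "device_id": "dev-X", "ip": "198.51.100.7", "country": "NL"},
    {"ts": "2026-05-18T02:40:00", "user": "carol@example.com", "auth_method": "device_code",
     "device_id": "dev-X", "ip": "198.51.100.7", "country": "NL"},
    # Legitimate device-code sign-in (a CLI on a managed host) inside the baseline.
    {"ts": "2026-05-18T10:00:00", "user": "bob@example.com", "auth_method": "device_code",
     "device_id": "dev-2", "ip": "203.0.113.22", "country": "GB"},
]


def _managed(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in MANAGED_RANGES)


def anomalous_device_code_signins(signins: List[dict]) -> List[dict]:
    """Rule 1: a device-code grant from an unmanaged IP or outside the user's baseline.
    Users with no baseline are treated as deviating on every dimension."""
    alerts = []
    for s in signins:
        if s["auth_method"] != "device_code":
            continue
        base = BASELINES.get(s["user"], {"countries": set(), "active_hours": range(0)})
        hour = datetime.fromisoformat(s["ts"]).hour
        reasons = []
        if not _managed(s["ip"]):
            reasons.append("unmanaged_ip")
        if s["country"] not in base["countries"]:
            reasons.append("new_country")
        if hour not in base["active_hours"]:
            reasons.append("off_hours")
        if reasons:
            alerts.append({"user": s["user"], "device_id": s["device_id"], "reasons": reasons})
    return alerts


def shared_device_reuse(signins: List[dict], window: timedelta = timedelta(minutes=60),
                        threshold: int = 2) -> List[dict]:
    """Rule 2: one device_id granted to more than `threshold` distinct users inside `window`."""
    by_device = defaultdict(list)
    for s in signins:
        if s["auth_method"] == "device_code":
            by_device[s["device_id"]].append((datetime.fromisoformat(s["ts"]), s["user"]))
    alerts = []
    for dev, grants in by_device.items():
        grants.sort()
        for i, (t0, _) in enumerate(grants):  # slide the window from each grant
            users = {u for t, u in grants[i:] if t - t0 <= window}
            if len(users) > threshold:
                alerts.append({"device_id": dev, "users": sorted(users)})
                break
    return alerts


if __name__ == "__main__":
    for a in anomalous_device_code_signins(SIGNINS):
        print("ALERT: Anomalous device-code sign-in", a)
    for a in shared_device_reuse(SIGNINS):
        print("ALERT: Multiple accounts authorizing same device ID", a)
```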

SIEM detection pseudocode (post-grant bulk mailbox access):

event_source = "Microsoft 365 Unified Audit Log"
event_type IN ["MailItemsAccessed", "FileAccessed", "FileSyncDownloadedFull"]
AND preceding_event = device_code_sign_in for same user within 10 minutes
AND event_count > threshold (suggest: >50 items within 30 minutes)
ALERT: Bulk data access following device-code authentication. Investigate for Tycoon2FA token use

Threat hunting hypotheses (hunt this week):

  • Hypothesis: Accounts that performed device-code sign-ins in the past 30 days followed by unusual mailbox access patterns, mass message reads, or suspicious file downloads may have been compromised via Tycoon2FA. Hunt across Microsoft 365 unified audit logs and sign-in telemetry correlating authentication method with subsequent resource access volume.

  • Hypothesis: Multiple high-privilege accounts in the tenant granted consent to the same OAuth application or authorized the same device identifier over a short timeframe, potentially indicating coordinated Tycoon2FA phishing targeting multiple employees simultaneously. Hunt via consent grant logs and device-code sign-in event correlation.

CVE-2026-44513: Detection Opportunities

Immediate detection actions (deploy within 24 hours):

  • Implement logging for all invocations of DiffusionPipeline.from_pretrained that specify a custom_pipeline parameter referencing an external repository. Treat any reference to a repository not on an approved allowlist as a high-priority alert.

  • Enable process-level monitoring for Python ML workloads to capture unexpected network connections initiated during model loading operations. An HTTP or HTTPS connection to a Hugging Face Hub repository during from_pretrained execution from a production inference service where model caching should be complete is a meaningful anomaly indicator.

SIEM detection pseudocode (unexpected custom_pipeline reference):

event_source = "application_log OR ML_platform_audit"
event_type = "model_load"
function = "DiffusionPipeline.from_pretrained"
parameter_custom_pipeline IS NOT NULL
AND custom_pipeline_value NOT IN [approved_pipeline_allowlist]
ALERT: Unapproved custom_pipeline reference in diffusers model load. Investigate for CVE-2026-44513 exploitation attempt

SIEM detection pseudocode (anomalous network fetch during model loading):

event_source = "network_telemetry OR EDR"
event_type = "outbound_connection"
parent_process = "python" OR "python3"
cmdline CONTAINS "from_pretrained"
AND destination NOT IN [approved_model_hub_domains, internal_model_registry]
AND time WITHIN [model_loading_window]
ALERT: Unexpected outbound connection during diffusers model load. Possible exploitation of CVE-2026-44513.

Threat hunting hypotheses (hunt this week):

  • Hypothesis: ML workloads that dynamically downloaded or loaded custom pipelines from external repositories during or after the publication window of CVE-2026-44513 (13 to 14 May 2026) are at elevated risk of compromise. Use model loading logs and network telemetry to identify these workloads and inspect their execution behavior and outbound connection history.

  • Hypothesis: Hosts running vulnerable diffusers versions show anomalous outbound connections, unexpected file system writes, or new process creation during model loading operations, indicating exploitation attempts. Correlate application logs with network telemetry and EDR process creation events.

No confirmed MITRE ATT&CK technique IDs were cited in any consulted source for this reporting window. MITRE technique IDs are not inferred in this report to preserve analytical integrity. Analysts may use the behavioral descriptions in the Technical Analysis chapter as the evidentiary basis for independent ATT&CK mapping. Once technique IDs are confirmed through primary source citation, this field should be updated and the Adversary Emulation chapter populated accordingly.

Chapter 05 - Governance, Risk & Compliance

Shai-Hulud npm Worm: Regulatory and Business Risk Exposure

Regulatory exposure:

  • GDPR (EU): If compromised developer credentials provided unauthorized access to systems holding EU personal data, a personal data breach assessment is required. Where a breach is confirmed, Article 33 requires notification to the competent supervisory authority within 72 hours of awareness. Organizations operating in multiple EU member states must coordinate notification across relevant Data Protection Authorities.

  • DPDP Act (India): If developer credentials granted access to systems holding personal data of Indian individuals, the same unauthorized access event triggers breach notification assessment obligations for data fiduciaries under the Digital Personal Data Protection Act.

  • PCI-DSS v4.0: If any compromised system or credential provided access to a cardholder data environment, Requirement 12.10 incident response procedures apply, and the organization's PCI Qualified Security Assessor should be notified to assess scope.

  • SOC 2 / ISO 27001: Supply chain security controls (CC9.2 under SOC 2 Trust Services Criteria; ISO 27001 Annex A control 5.19 on supplier relationships) require organizations to monitor and manage risks from third-party software dependencies. Use of unvetted public npm packages without dependency governance controls may represent a material gap against these frameworks.

  • Evidence preservation: Preserve npm install logs, CI/CD pipeline execution logs, network egress telemetry, GitHub audit logs, and EDR telemetry from identified systems before remediation proceeds. These are required for both forensic investigation and regulatory reporting.

Business risk impact:

Risk Dimension | Assessment
---------------|-----------
Operational | Compromised CI/CD secrets can enable unauthorized code deployments into production. Stolen cloud credentials can be used for resource abuse, data access, or destructive actions.
Financial | Direct: potential cryptocurrency wallet theft. Indirect: cloud resource abuse costs, investigation and remediation costs, potential regulatory fines.
Reputational | If downstream consumers of a compromised organization's npm packages are infected via the propagation mechanism, the organization becomes an involuntary participant in the supply chain attack.
Vendor/third-party | The propagation mechanism means the organization may need to notify downstream package consumers of potential compromise in addition to managing internal remediation.

Leadership decision: Prioritize investment in software supply chain controls including dependency governance, secret management hygiene, and developer security training as a foundation rather than a project.

Tycoon2FA Device-Code Phishing: Regulatory and Business Risk Exposure

Regulatory exposure:

  • GDPR (EU): If attackers obtained tokens and accessed mailboxes or document stores containing EU personal data, a personal data breach assessment is required. The complexity of forensic reconstruction for device-code token theft (due to authentication appearing in logs as a legitimate user action) may extend investigation timelines and increase regulatory scrutiny.

  • NIS2 (EU): Organizations classified as essential or important entities under NIS2 that experience a significant security incident affecting availability or confidentiality of services may have notification obligations to competent authorities within 24 hours (early warning) and 72 hours (incident notification).

  • SOC 2 / ISO 27001: Identity and access management controls and monitoring requirements are relevant. Evidence of device-code phishing without corresponding detection or response may indicate gaps in access control monitoring.

  • Evidence preservation: Preserve Microsoft Entra ID sign-in logs, unified audit logs (including MailItemsAccessed events), device-code grant records, and email security logs for the maximum available retention period before any investigation is initiated.

Business risk impact:

Risk Dimension | Assessment
---------------|-----------
Operational | Email and document access enables business email compromise, financial fraud, and data theft. Refresh token persistence means attacker access can persist through user password resets without administrative token revocation.
Financial | Business email compromise enabled by mailbox access can result in direct financial fraud. Investigation and remediation costs are elevated due to the complexity of token-based incident forensics.
Reputational | Silent mailbox access is difficult to detect without telemetry; extended dwell time increases the volume of information exposed and the potential regulatory and reputational consequences.
Strategic | Token theft against executive and high-privilege accounts can expose board-level communications, M&A data, legal correspondence, and financial records.

Leadership decision: Mandate a formal review of identity security controls and incident response readiness for OAuth and token-theft scenarios with dedicated budget allocation. This is not an incremental improvement to existing controls; it requires a specific identity security program.

CVE-2026-44513: AI and Model Supply Chain Governance

Regulatory exposure:

  • GDPR / DPDP: If ML workloads process personal data and exploitation of CVE-2026-44513 results in unauthorized access to training data, model outputs, or associated databases, breach notification obligations apply.

  • AI Act (EU, where applicable): Organizations deploying high-risk AI systems under the EU AI Act have obligations around technical robustness and security. A demonstrated RCE vulnerability in a core AI library dependency may be relevant to conformity assessment obligations.

  • Contractual: Many enterprise ML platform deployments involve contractual commitments to customers or partners regarding data security. Exploitation of ML infrastructure may trigger contractual notification or audit rights.

Business risk impact:

Risk Dimension | Assessment
---------------|-----------
Operational | Arbitrary code execution in ML workloads can compromise the integrity of model training, evaluation, and inference outputs, not only data confidentiality.
Financial | GPU cluster compromise for cryptomining or botnet use can generate significant unplanned cloud compute costs in addition to data breach costs.
Strategic | If model artifacts or training data are exfiltrated or tampered with, the integrity of AI-driven business decisions may be undermined without immediate detection.
Governance gap | Many organizations have mature vulnerability management processes for application software but lack equivalent processes for ML libraries and model dependencies. This gap is now a material risk.

Leadership decision: Direct ML and security leaders to formalize an AI/ML security governance plan that explicitly includes dependency patching cadences for AI libraries, model repository vetting processes, and incident response playbooks for ML workload compromise.

Chapter 06 - Adversary Emulation

No confirmed MITRE ATT&CK technique IDs were cited in consulted sources for this reporting window. The adversary emulation chapter requires confirmed technique evidence with explicit ATT&CK references to generate validated emulation scenarios. This field is intentionally left without emulation content to preserve analytical integrity.

Recommendation: Once ATT&CK technique IDs are confirmed through primary source citation or internal analyst mapping based on the Technical Analysis chapter, return to this field and generate emulation scenarios aligned to those confirmed techniques. Red and purple team exercises for Shai-Hulud npm worm behavior (post-install credential harvesting, CI/CD lateral movement), Tycoon2FA device-code flows (OAuth device authorization abuse, token persistence testing), and CVE-2026-44513 (custom_pipeline exploitation in sandboxed ML environments) are all operationally valuable and should be prioritized on the next purple team cycle.

Intelligence Confidence: 82%

Factor | Impact on Score | Notes
-------|-----------------|------
Multiple corroborating vendor sources for Shai-Hulud | Positive | Unit 42, Wiz Research, OX Security, Aikido Security all independently document the worm and its variants.
NVD-confirmed CVE with GHSA advisory for CVE-2026-44513 | Positive | Government-authoritative source confirms CVE details, affected versions, and fix.
eSentire TRU primary research for Tycoon2FA | Positive | Detailed technical analysis from a primary threat response team with direct campaign observation.
SC World and Escudo Digital corroboration for Tycoon2FA | Positive | Multiple secondary sources confirm technique is active in the wild.
No explicit MITRE ATT&CK technique IDs in any source | Negative | Reduces confidence in technique attribution; emulation chapter blank.
Incomplete sector and region specificity | Negative | No source explicitly scopes affected sectors or geographies; assessed from target profile.
Limited confirmed in-the-wild exploitation detail for CVE-2026-44513 | Negative | No confirmed exploitation case documented; patch available reduces urgency slightly.
IOC set is partially confirmed but unenriched | Negative | C2 domain verdict pending; no threat intelligence platform enrichment retrieved in window.
Mini Shai-Hulud first observed date not confirmed in sources | Negative | Timeline for Aikido Security finding is imprecise within the current window.
Single T2 primary vehicle for SHub Reaper (prior report) | Not applicable to this report | SHub Reaper is handled in the prior daily brief; this report's Shai-Hulud coverage has multi-source T1 backing.