Yesterday, TeamPCP, a hacker group that focuses on supply chain attacks, released the source code of its Shai-Hulud worm (named after the sandworm in the science fiction novel Dune), which targets the NPM ecosystem. Downstream attackers need only change a few options and point it at their own C2 (command-and-control) server to reuse it, for example to seek out and infect more cloud development environments.


The group also states plainly in the repository's introduction that the worm was written with the help of artificial intelligence. Whatever the quality of the code, the worm has already been used successfully in several earlier attacks, so publishing its source code may well cause it to spread further and be reused directly by more downstream attackers.

Analysts at the security company OX said they find it incomprehensible that TeamPCP would open-source worm code it had developed and tested in live attacks. Judging from the group's behaviour, however, it seems more interested in showing off its skills. It is also possible that the goal is to get more attackers using the same worm, muddying attribution and making it harder for security companies to track TeamPCP.

Microsoft has since removed the worm's repository from GitHub and banned the publisher's account, @PedroTortoriello. The related forks were deleted along with the main repository, so the Shai-Hulud source code can at least no longer be found on GitHub.

Publicly releasing the source code of such a worm violates GitHub's terms of service, so it is understandable that Microsoft deleted the repository and banned the account. The source code has already spread elsewhere on the Internet, however, and downstream attackers can still obtain it through other channels; as long as TeamPCP wants to keep distributing it, there is little to stop it.