claude-code - TrustStrike Labs

threat

2026-04-23

'Shai-Hulud: The Third Coming' worm pivots from Checkmarx KICS compromise into Bitwarden CLI, stealing SSH keys, cloud secrets, and MCP configs for AI coding tools

TeamPCP's self-propagating supply-chain worm is back in its third iteration, branded 'Shai-Hulud: The Third Coming' in hard-coded strings across the malware. On April 22, Socket reported Checkmarx's official KICS Docker images and a KICS VS Code / Open VSX extension had been trojanized. Bitwarden's own clients repo runs a Checkmarx scan on every pull request via a pull_request_target workflow that holds id-token: write and fetches credentials from Azure Key Vault, so when the poisoned scanner executed it harvested GitHub OIDC and Azure tokens. At 17:57 ET the same day, attackers used those tokens to push a modified publish-cli.yml to the Bitwarden repo and publish a malicious @bitwarden/cli version 2026.4.0 to npm. The package remained live for 93 minutes until Bitwarden pulled it at 19:30 ET. The payload: a 10MB obfuscated credential harvester that grabs SSH keys, cloud provider credentials, npm publish tokens, GitHub tokens, and - new in this variant - MCP (Model Context Protocol) configuration files used by Claude Code, Cursor, and similar AI coding tools. It then self-propagates by republishing into every npm package the victim can modify and uploads encrypted stolen secrets to public GitHub repositories under Dune-themed names. The worm has a Russian-locale kill switch (exits if LC_ALL/LANG starts with 'ru').

teampcp shai-hulud bitwarden checkmarx kics supply-chain npm mcp claude-code worm self-propagating

Check: Immediately check every CI/CD runner, developer laptop, and container that pulled Checkmarx KICS Docker images, the KICS GitHub Action, or @bitwarden/cli between March 23 and April 23, and rotate every credential that was ever present on those machines.
Affected: Confirmed malicious artifacts per Socket: @bitwarden/cli 2026.4.0 on npm (live 21:57 to 23:30 UTC on April 22, a 93 minute window); compromised Checkmarx KICS Docker images and GitHub Actions (first compromised March 23, re-compromised April 22); two Checkmarx-published Visual Studio Code and Open VSX extensions. Any npm package subsequently republished by a victim whose npm token this worm captured is also potentially malicious.
Fix: Remove the listed versions from all developer environments, CI runners, and private mirrors. Rotate every credential the worm would have seen: GitHub PATs and OIDC tokens, npm publish tokens, cloud provider keys (AWS/GCP/Azure), SSH keys, Azure Key Vault secrets, container registry creds, and MCP config files for AI coding tools - assume every credential stored in ~/.config, ~/.ssh, or exported to CI env is burned. Audit bitwarden/clients commit history for changes to publish-cli.yml and similar pipeline files around April 22. Search public GitHub for repositories named after Dune terms (beautifulcastle-* pattern) to find whether your stolen data has been published. Tighten pull_request_target triggers on security scanners - they should not have id-token: write permission.

vulnerability

CVE-2026-30615 CVE-2026-30623 CVE-2026-33224 CVE-2026-22252 CVE-2026-22688 CVE-2025-49596 CVE-2025-54994 CVE-2025-54136

2026-04-21

Anthropic MCP STDIO design flaw exposes 200,000+ AI servers to RCE - 14 CVEs assigned, Anthropic calls it 'expected behavior' (backfill from April 15)

Backfill from April 15: OX Security disclosed an architectural flaw in the official Model Context Protocol SDKs (Python, TypeScript, Java, Rust) that lets attacker-controlled JSON config trigger arbitrary OS commands via the STDIO transport. Roughly 200,000 publicly reachable MCP servers and 150 million SDK downloads inherit the issue. OX has tied 14 CVEs to the same root cause across LiteLLM (patched), Bisheng (patched), Windsurf (zero-click RCE in Cursor-style IDEs, still reported), Flowise, LangFlow, GPT Researcher, Agent Zero, and DocsGPT. Anthropic declined to patch the protocol, calling the behavior 'expected.'

anthropic mcp stdio ai-supply-chain claude-code cursor windsurf langchain backfill ox-security

Check: Audit every MCP server installed in Claude Code, Cursor, and other AI dev tools, remove any whose origin you don't recognize, and treat MCP configs as executable code.
Affected: Any tool or service running an Anthropic-SDK MCP server with STDIO transport, especially when add/configure flow is exposed to user input or marketplaces. Confirmed-affected: LiteLLM, LangChain, LangFlow, Flowise, LettaAI, LangBot, DocsGPT, Bisheng, Windsurf, Cursor IDE workflows, GPT Researcher, plus any private MCP server built on the official SDK without input sanitization.
Fix: Patch downstream tools to fixed versions (LiteLLM, Bisheng, Cursor). Block public internet access to services that host MCP add/configure UIs. Treat all external MCP configuration input as untrusted; never let raw user input reach StdioServerParameters. Run MCP services in sandboxes with no production-secret access. Install MCP servers only from verified sources and pin to specific commits.