
Add: Shai-Hulud/Carnage APT IWD — breakingcircuits.com 2026-05-13 (#6)

Open
breakingcircuits1337 wants to merge 1 commit into mthcht:main from breakingcircuits1337:main

@breakingcircuits1337


Add: Shai-Hulud / Carnage APT — Incident Worm Disclosure (breakingcircuits.com, 2026-05-13)

Independent operational analysis published while the threat was active.
Includes artifacts not present in existing indexed entries for this campaign.

Path

Intel Reports/breakingcircuits_com/2026_05_shai_hulud_iwd/
├── README.md
├── content.txt
├── iocs.txt
├── timeline.txt
└── yara/
    └── teampcp_shai_hulud.yar

Artifacts

File | Content
content.txt | Narrative analysis — propagation, persistence, deadman switch, detection
iocs.txt | Machine-parseable IOCs: files, domains, IPs, strings, git commits, PBKDF2 salt, Session recipient ID, branch patterns, CVEs, YARA IDs, MITRE ATT&CK
timeline.txt | Chronological reconstruction — campaign history (Sep 2025 → May 2026) + disclosure timeline
yara/teampcp_shai_hulud.yar | 16 YARA rules — all dropper variants, persistence, exfil, Sigstore forgery

Delta vs existing Shai-Hulud entries

  • PBKDF2-SHA256 campaign salt (svksjrhjkcejg) and Session recipient ID as cryptographic IOCs
  • Dependabot-masquerade branch name patterns (dependabot/github_actions/format/sietch etc.)
  • Claude Code SessionStart hook as distinct persistence vector
  • 63-fork commit-level network forensics
  • Deadman switch handler payload with operational context
  • Full MITRE ATT&CK mapping (12 techniques)
  • Evidence provenance documented

Metadata
