The TeamPCP Mini Shai-Hulud worm compromised 323 npm packages across 639 malicious versions, targeting widely used JavaScript data visualization libraries with millions of weekly downloads. The worm steals credentials from cloud platforms, CI/CD pipelines, and payment systems, and forges SLSA provenance attestations — meaning infected packages passed supply chain verification controls. Full worm source code has been published on BreachForums, enabling copycat campaigns.
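Because the forged attestations let infected versions pass provenance checks, exposure has to be established by matching exact package names and versions against the advisory list. The example below is added here and is not from the original page: it audits a parsed npm `package-lock.json` (lockfileVersion 2 or 3), and its package names, versions and the `findCompromised` helper are constructed placeholders, not indicators from this campaign.

```javascript
// Advisory entries: package name -> set of known-malicious versions.
// CONSTRUCTED placeholders; load the real list from the published advisory.
const ADVISORY = new Map([
  ["example-charts", new Set(["4.2.1", "4.2.2"])],
  ["@example/viz-core", new Set(["1.0.9"])],
]);

// Derive the package name from a lockfile v2/v3 "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Return every installed copy whose exact name@version is in the advisory.
function findCompromised(lock, advisory = ADVISORY) {
  if (!lock || typeof lock.packages !== "object" || lock.packages === null) {
    throw new Error("expected lockfileVersion 2 or 3 with a 'packages' map");
  }
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "" || entry.link) continue; // root project / workspace symlink
    const name = entry.name || nameFromPath(path); // "name" is set for npm aliases
    const bad = name && advisory.get(name);
    if (bad && bad.has(entry.version)) {
      hits.push({ name, version: entry.version, path, dev: Boolean(entry.dev) });
    }
  }
  return hits;
}

// CONSTRUCTED sample lockfile, trimmed to the fields used above.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-charts": { version: "4.2.0" }, // unlisted version
    "node_modules/dash/node_modules/example-charts": { version: "4.2.2" }, // nested copy
    "node_modules/@example/viz-core": { version: "1.0.9", dev: true },
    "node_modules/charts-alias": { name: "example-charts", version: "4.2.1" }, // alias
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`${h.name}@${h.version} at ${h.path}${h.dev ? " (dev)" : ""}`);
}
```

Nested and aliased copies are reported with their lockfile path so the dependency that pulled them in can be traced; dev-only hits still matter because they run on developer machines and in CI.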