The following interview, which we publish in full, was conducted in May 2026 by me, fastfire.

“BreachForums” (often referred to as “Breached”) is an English-language cybercriminal forum. It operates as a clear-net marketplace and platform where threat actors trade stolen databases, tools, access credentials, and other illicit services.

A few days ago, the forum owner, diencracked, published a post announcing a supply chain competition, in which the goal is to use the Shai Hulud malware to compromise organizations. In the post, diencracked promises a $1,000 prize to the person who conducts the largest attack.

What is Shai Hulud malware?

The Shai Hulud malware is a sophisticated, self-propagating JavaScript-based worm that targets the npm (Node Package Manager) ecosystem. Named after the iconic sandworms from Dune, it specializes in supply chain attacks by automating the compromise of developer environments and repositories.

Core Functionality and Attack Chain

The malware typically spreads by injecting malicious code into the preinstall or postinstall lifecycle scripts of legitimate npm packages, so the payload executes automatically as soon as a developer or CI job runs npm install on a compromised version.

Credential Harvesting: Once a developer installs a compromised package, the malware scans the local environment for sensitive secrets, including GitHub Personal Access Tokens (PATs), npm tokens, SSH keys, and cloud provider keys (AWS, GCP, Azure).
Data Exfiltration: Stolen data is often encoded and uploaded to newly created public GitHub repositories, frequently using descriptions like “Sha1-Hulud: The Second Coming” to organize the stolen credentials.
Worm Propagation: If the malware discovers valid npm publishing tokens, it automatically infects and republishes other packages managed by the compromised developer, creating an exponential cycle of infection across the ecosystem.
Persistence: It may establish persistence by pushing malicious GitHub Actions workflows (e.g., shai-hulud-workflow.yml) to accessible repositories.

Evolution and Recent Variants

Since its first appearance in September 2025, the malware has evolved through several iterations:

Shai-Hulud 1.0 (Sept 2025): Initial wave affecting approximately 180 packages, including libraries like @ctrl/tinycolor.
Shai-Hulud 2.0 (Nov/Dec 2025): A significantly more automated version that compromised over 30,000 GitHub repositories and hundreds of packages, including those from Zapier, ENS Domains, and Postman.
Shai-Hulud 3.0 (Early 2026): Introduced technical improvements for resilience and evasion, such as enhanced obfuscation and broader compatibility across different JavaScript runtimes.
“The Golden Path” Variant: A more recent variant seen testing cross-platform publishing features and updated file nomenclature to improve its “smash-and-grab” efficiency.

Origin & Identity of diencracked

Q (fastfire): When did you first become active in the cybercrime community, and what led you to establish breached.st as the platform it is today? How do you position yourself relative to the other competing BreachForums iterations – the original (run by Indra and N/A) and HasanBroker’s “NotBreachForums”?

A (diencracked): I have been active in the community for a while now, and I found BreachForums at a starting phase where HasanBroker, the leader, was looking for a trusted partner to work with. We became partners and are now good friends. I created the site alongside him and manage everything development related. In the past, we breached Indra’s and N/A’s fake BreachForums, and we are running a bettered version of the site, that does not have the same issues that the myBB version does. We see ourselves and the forum as valuable and irreplaceable parts of the community, and we will continue bettering the forum and making alliances with other groups.

Q (fastfire): Your forum handle “diencracked” – does it have a specific meaning or origin story? Were you active under a different alias before establishing this identity on breached.st?

A (diencracked): My handle “diencracked” is more of a random alias I chose. Originally, it was meant to be “die (a)n(d) cracked” but it’s been commonly shortened as “dien” too. I was active on different aliases in the past, but for operational security reasons I cannot share them here.

Relationship with TeamPCP

Q (fastfire): Your post explicitly brands the competition as “BreachForums + TeamPCP.” What is the nature of your relationship with TeamPCP? Are you a member of TeamPCP, or is this a business partnership between two separate entities?

A (diencracked): Yes, I am currently working alongside TeamPCP, and BreachForums and TeamPCP are partners.

Q (fastfire): TeamPCP has also announced a formal partnership with the Vect ransomware group (reference note: during the interview, Dien Cracked stated that he directly manages Vect’s infrastructure), offering BreachForums members affiliate access with 80-88% profit shares. Were you involved in brokering this tripartite alliance (breached.st + TeamPCP + Vect), and do you or your forum receive a cut from Vect’s ransomware operations?

A (diencracked): As BreachForums, yes, we were involved in the alliance and we received cuts from the operations. However, as stated before, TeamPCP has never used Vect encryption tools, and we own CipherForce, our own private locker, which dozens of victims have recovered files using; our partnership with them has been for the negotiation/pentest team only. If you are encrypted by TeamPCP, any issues with Vect will not affect the situation.

Relationship with LAPSUS$ group

Q (fastfire): In the post https[:]//breached[.]st/threads/lapsus-x-hasanbroker.1175/, user LAPSUS$, presumably a member of the group of the same name, stated their shared goal of deleting user Indra and his forum. What is the current status of this operation?

A (diencracked): Lapsus$ is a trusted partner of Breachforums and TeamPCP, and the current status of the operation is that it was a success. We destroyed breachforums.as, but for now, we are going into the defensive and are focused on improving and growing our own community.

Origin & Development of Shai Hulud

Q (fastfire): Who originally developed Shai Hulud? Was it built by TeamPCP from scratch, or was it derived from existing tooling – for example, from the actor known as “s1ngularity” who has been linked to the initial September 2025 supply chain wave?

A (diencracked): The current Shai Hulud used in our latest attacks was developed by TeamPCP from scratch, I don’t have anything to say regarding the history of it.

Q (fastfire): The worm uses an elaborate Dune-themed naming convention for dead-drop commit branches – atreides, fedaykin, fremen, harkonnen, melange, sardaukar, and many more. Who designed this taxonomy, and is there an operational logic behind the branch names (e.g., do they map to specific campaign phases or target categories)?

A (diencracked): Yes, it is a reference to Dune; it’s commonplace to find these little “easter eggs” in the attacks. Regarding the operational logic behind them, we’ll leave that as a mystery.

The Supply Chain Competition

Q (fastfire): Your post states you are personally offering $1,000 USD in Monero to the winner. By open-sourcing Shai Hulud and incentivizing attacks, you’ve effectively “gamified” supply chain compromises. Was this level of impact expected, and has anyone already claimed the prize?

A (diencracked): Yes, I am offering $1000 as a prize, but if they manage to hit a good supply chain with the worm and obtain valuable credentials, we will offer them a fair price along with the $1000 added. As stated, it is more of an additional prize to the winner. No one has claimed the prize yet, but there are some people who are actively participating in the competition.

Q (fastfire): Your rules state participants must use Shai Hulud specifically. Have you seen participants modify or enhance the worm beyond what you released (e.g., the “Shai-Hulud 2.0” variant, or the expansion from npm to PyPI and Maven)? Do modifications disqualify a submission, or do you encourage evolution of the tool?

A (diencracked): Yeah, I did say they must use Shai Hulud, but any modifications within reason are allowed. We understand if you want to add another module to it or change some of the structure. Modifications are allowed, and yes, we encourage the evolution.

Future Targets & Strategic Direction

Q (fastfire): I will try to summarize the attack campaigns involving the use of the Shai Hulud malware.
Wave 1 (September 2025): The initial campaign focused on the JavaScript ecosystem, hijacking popular libraries such as @ctrl/tinycolor. It used trojanized bundle.js files and postinstall scripts to harvest GitHub, AWS, and npm credentials.
Wave 2: “The Second Coming” (November – December 2025): This wave marked a significant escalation, impacting over 25,000 repositories and hundreds of npm packages, including core libraries for Zapier and the Ethereum Name Service (ENS). It introduced the use of the Bun JavaScript runtime to bypass security scanners that specifically monitor Node.js environments.
Wave 3 (December 2025 – January 2026): Researchers identified a third variant (Shai Hulud 3.0) focused on improved stealth, modular code, and cross-platform compatibility, including Windows environments.
“Mini Shai Hulud” & Operation Dune (April – May 2026): Recent activity involves more targeted attacks, such as the compromise of SAP npm packages and the Checkmarx Jenkins AST plugin. These “mini” variants often use P2P networks for exfiltration and IDE hooks for persistence.

Is the malware related to the competition you posted on the forum the one used during the second wave? What package ecosystems or infrastructure are you targeting next – container registries, Go modules, Rust crates, or something else entirely?

A (diencracked): Yes, similar to the second wave, the malware comes with the Bun runtime as its execution environment, and it’s an improvement from the past iterations. Regarding attacking other modules and registries, you’ll just have to wait and see what happens 🙂

Q (fastfire): The stolen secrets and compromised CI/CD credentials represent enormous downstream access. What is the ultimate monetization goal – selling access on your own forum, feeding it into Vect’s ransomware operations, or something else?

A (diencracked): The ultimate goal is to continue the supply chain rape as much as possible. Until the whole OSS mindset around CI/CD pipelines changes, these attacks will continue to happen, and we will continue to profit from them.

Law Enforcement & Operational Security

Q (fastfire): CISA has issued advisories, Microsoft published dedicated detection guidance, and Unit 42, Wiz, Snyk, JFrog, and others are actively tracking TeamPCP. Every previous BreachForums owner – Pompompurin (arrested 2023), IntelBroker/Kai West (arrested February 2025) – has eventually been apprehended. The original BreachForums staff member “N/A” was doxxed after an alleged exit scam. What makes you confident you won’t share their fate, and is there a succession plan for breached.st if you are compromised?

A (diencracked): Every previous BreachForums owner admittedly made a number of critical mistakes that led to their arrests, and I am well versed in my operational security and know how to learn from the mistakes of the others. I am confident in the fact that I won’t get arrested based on various factors; however, if I am arrested, the forum’s legacy will continue to live on and it will be managed by the other trusted administrators on the forum.

Evolution of attacks and use of AI

Q (fastfire): The Shai Hulud worm demonstrates a high degree of automation – self-propagation, credential harvesting, and autonomous publishing of malicious packages across multiple ecosystems. To what extent did you or TeamPCP leverage AI (large language models, code generation tools, or AI-assisted vulnerability discovery) in the development of Shai Hulud or in scaling the supply chain competition?

A (diencracked): AI was definitely used to a reasonable extent in the creation of these tools; however, one has to understand the fundamentals of software development and obtain a reasonable skillset to be able to conduct attacks like these.

Q (fastfire): Do you see AI as a force multiplier that will make supply chain attacks exponentially harder to defend against in the near future – for example, AI agents that can autonomously discover vulnerable CI/CD pipelines, generate context-aware malicious code, or even interact with package registry maintainers to gain publishing rights? Is this a direction TeamPCP or the breached.st community is actively exploring?

A (diencracked): Yes, of course AI will be and has been a force multiplier, not just for these types of attacks but for the whole cybersecurity space. Bugs are getting discovered faster than ever before thanks to AI and it is rapidly changing the space of cybersecurity and development as we know it. Of course, we are adapting the best we can and yes, we are exploring new techniques and exploits along with AI to help during the exploration.

Evolution of BreachForums

Q (fastfire): BreachForums has traditionally been known as a marketplace for data breaches and leaks. With the supply chain competition and the Vect ransomware partnership, you’re clearly expanding the forum’s scope into offensive tooling distribution and ransomware-as-a-service. What new sections or services are you planning to add to breached.st – for example, dedicated sections for supply chain tooling, exploit marketplaces, initial access brokering, or AI-assisted attack services?

A (diencracked): We may add dedicated sections for tooling, but currently we have a multisignature XMR escrow that has been built, and is going to be released soon, I’m just hanging on the release to run my thorough security checks and do QA checks to ensure that user experience and security will be good. We are always open to any suggestions from the community though, you can always let us know and we’ll do our best to listen to what you have to say.

Relationships with the domain provider

Q (fastfire): Have you ever received requests from the registrar (Istanco) that manages the breached.st domain to delete any content that might be illegal? How did you handle them?

A (diencracked): If we do get any abuse requests from the registrar of the domain (regardless of which) we handle it accordingly. In the past, we have received multiple abuse reports, and we mitigated this by obtaining new domain names; this switching happened for a while (breachforums.cz, breachforums.in, breachforums.me) until I changed some on-site configurations to make it less detectable and harder to get the domain taken down. If we do get taken down, we always have other mirrors which are prepared to go live at any time (breached.su for example).

Relationships with other forums

Q (fastfire): What do you think about other forums (ReHub, T1erOne) that promote ransomware activity? Especially T1erOne, which has quickly built a reputation in this space (groups like The Gentlemen, Qilin, Gunra, hyflock, and ShadowByt3$ are advertising their activities on that forum)?

A (diencracked): We are observant of other forums such as ReHub and T1erOne that promote ransomware activity, as we of course also allow the same. This is a beneficial thing for both the forum and for the ransomware groups themselves. We are welcoming any ransomware groups, new or old to come join us on the forum, talk to one of the administrators and we’ll get you sorted out with a partnership in no time. The ransomware groups that you mentioned have built reputations nevertheless, and will bring more people to the forum they are promoting themselves on.

Choosing the attack target

Q (fastfire): Final questions: From your perspective, considering the potential targets of an attack using Shai Hulud, what most influences the choice of target to attack?
1) Ease of obtaining target information using OSINT techniques.
2) Ease of gaining initial access (e.g., credentials stolen using infostealer malware).
3) Ease of compromising vulnerable services (e.g., because they are prone to vulnerabilities for which public exploits are available).
4) Target revenue/profit and therefore a greater chance of achieving significant financial returns.

A (diencracked): There is not only one point that influences the choice of target to attack. A good operator will take all of these points and list in detail how much information they can extract from each method, opting for the easiest path of entry to find “low hanging fruit”. At the start, TeamPCP mass exploited react2shell vulnerabilities which could give access to repositories and github tokens from which supply chains could start. This is just one example of the various methods you could use to conduct a supply chain attack, but the point is a smart attacker will always seek the path of least resistance.
