Cache Poison Hulud
May 14, 2026. A threat cluster publishes hundreds of look-alike packages and tampers with restore keys in public workflows. You prove cross-ecosystem reach from CI artefacts.
Briefing
A PR introduces typo packages in Python and Node. The workflow restores a shared cache on a forked build, then a runner secret appears in outbound telemetry. Everything here is static evidence: manifests, workflow YAML, cache logs, and containment receipts.
Your role
Supply-chain analyst mapping registry spam to CI cache misuse.
Objective
Trace the supply-chain chain from typosquat dependency to CI cache restore to leaked runner secrets, then verify cache purge and rotation.
Terminal environment
- user
- responder
- host
- soc-pipeline-05
- cwd
- /home/supply/worm-response
- steps
- 9
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.