Open Source 2026-05-11 · 1 day · Credential Theft, Self Propagation

guardrails-ai PyPI package carried Shai-Hulud

Part of the "Shai-Hulud hits npm and PyPI" campaign

JFrog listed one guardrails-ai PyPI package in the May 2026 Shai-Hulud wave. This record scopes that artifact to its own official distribution surface.

Story

guardrails-ai is the PyPI outlier in a campaign dominated by npm. JFrog listed guardrails-ai version 0.10.1 as part of the May 2026 Shai-Hulud wave, showing that TeamPCP's package-publisher focus was not limited to JavaScript.

The risk profile was still familiar. A Python package install can run in notebooks, CI jobs, build containers, and developer shells that hold cloud credentials, repository tokens, and package-registry secrets. Shai-Hulud's campaign logic treated those environments as credential sources first and application runtimes second.

This record keeps the PyPI package separate from the npm aggregate so Python dependency inventories have a precise indicator. The campaign page explains the shared actor, infrastructure, and propagation behavior; this page pins the package name, version, registry location, and May 11-12 exposure window.

For response, the useful question is whether any trusted environment installed guardrails-ai==0.10.1 during the window. A match should lead to credential rotation and review from a clean machine, especially for systems that also had package-publishing or CI authority.
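One way to answer that question across a checkout, build image, or host filesystem is shown below. It is an added example, not part of the original record or of any vendor tooling. The function names and the list of pin-file patterns are assumptions made for illustration.

```python
import re
import sys
import time
from pathlib import Path

# Indicator from this record: PyPI package name and version.
BAD_NAME, BAD_VERSION = "guardrails-ai", "0.10.1"
# Assumption: these file name patterns cover the pin files in the scanned repos.
PIN_FILES = ("requirements*.txt", "poetry.lock", "uv.lock")
REQ_PIN = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#\\]+)", re.M)
LOCK_PIN = re.compile(r'^name = "([^"]+)"\s*\nversion = "([^"]+)"', re.M)

def normalize(name):
    """PEP 503 normalization, so guardrails_ai and Guardrails.AI also match."""
    return re.sub(r"[-_.]+", "-", name).lower()

def is_flagged(name, version):
    return normalize(name) == BAD_NAME and version.strip() == BAD_VERSION

def installed_hits(root):
    """Return dist-info dirs under root whose METADATA names the flagged release."""
    hits = []
    for meta in Path(root).rglob("*.dist-info/METADATA"):
        fields = {}
        for line in meta.read_text(encoding="utf-8", errors="replace").splitlines():
            if not line.strip():
                break  # metadata headers end at the first blank line
            key, _, value = line.partition(":")
            fields.setdefault(key.strip().lower(), value.strip())
        if is_flagged(fields.get("name", ""), fields.get("version", "")):
            hits.append(meta.parent)
    return hits

def pinned_hits(root):
    """Return requirements/lock files under root that pin the flagged release."""
    hits = []
    for pattern in PIN_FILES:
        for path in filter(Path.is_file, Path(root).rglob(pattern)):
            text = path.read_text(encoding="utf-8", errors="replace")
            pins = REQ_PIN.findall(text) + LOCK_PIN.findall(text)
            if any(is_flagged(n, v) for n, v in pins):
                hits.append(path)
    return hits

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for d in installed_hits(root):  # mtime only approximates install time
        print("INSTALLED", d, time.strftime("%Y-%m-%d %H:%M UTC", time.gmtime(d.stat().st_mtime)))
    for p in pinned_hits(root):
        print("PINNED", p)
```

An INSTALLED hit means the release is present on disk; a PINNED hit means it was requested and any environment built from that file needs the same check.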

Affected Artifacts

Incident Context

Motive: Credential Theft
Attribution: Group
Cause: Compromised Account Credentials
Transitive: Yes
Actor: TeamPCP

Notes

  • Minimal campaign-linked record created to keep Shai-Hulud package evidence scoped by vendor, organization, maintainer account, or package distribution surface.

External References

Source record: oss/attacks/shai-hulud-guardrails-ai-pypi/meta.yaml