Full Report
Mini Shai-Hulud caught spreading credential-stealing malware
Analysis Summary
# Incident Report: Mini Shai-Hulud Supply Chain Attack
## Executive Summary
In late April 2026, a cybercrime group known as TeamPCP launched a sophisticated supply-chain attack targeting official developer tools for SAP, Intercom, and the Lightning AI framework. The attackers injected "Mini Shai-Hulud" malware into high-traffic npm and PyPI packages to automate the theft of cloud credentials and self-propagate through GitHub repositories. The incident highlights a significant risk to CI/CD pipelines, with compromised packages collectively seeing nearly one million weekly downloads.
## Incident Details
- **Discovery Date:** April 30, 2026
- **Incident Date:** April 29 – April 30, 2026
- **Affected Organizations:** SAP, Intercom, Lightning AI (PyPI)
- **Sector:** Software Development / Enterprise Software / AI
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** April 29, 2026 (09:55 - 12:14 UTC)
- **Vector:** Targeted compromise of maintainer accounts or CI/CD pipelines belonging to SAP, allowing the publication of malicious versions of official npm packages.
- **Details:** Poisoned versions included `[email protected]` and `@cap-js` suite packages.
### Lateral Movement
- The malware contains "worm-style" propagation logic. Once a developer or CI/CD runner installs a poisoned package, the malware attempts to infect other repositories and package distributions accessible via the compromised environment's credentials.
### Data Exfiltration/Impact
- **Data Stolen:** GitHub tokens, npm credentials, cloud secrets (AWS, Azure, GCP), Kubernetes tokens, and GitHub Actions secrets.
- **Method:** Stolen data is encrypted and exfiltrated by creating new public GitHub repositories under the victim’s own account and posting the encrypted payloads there.
### Detection & Response
- **Detection:** Identified by security firms Wiz and Socket on April 30, 2026, through behavioral analysis of npm and PyPI registry changes.
- **Response:** SAP issued security note 3747787; malicious package versions were flagged/removed from registries by the respective maintainers and security teams.
## Attack Methodology
- **Initial Access:** Supply chain compromise via poisoned package updates (npm/PyPI).
- **Persistence:** Malicious `preinstall` scripts in `package.json` ensure execution upon installation.
- **Privilege Escalation:** Extraction of secrets from the memory of active CI/CD runners.
- **Defense Evasion:** Obfuscated JavaScript payloads; exfiltration via legitimate platforms (GitHub) to mimic normal traffic.
- **Credential Access:** Automated harvesting of environment variables and configuration files for cloud and VCS tokens.
- **Discovery:** Scanning for localized `.git`, `.aws`, and CI/CD configuration files.
- **Lateral Movement:** Using stolen GitHub/npm tokens to push malicious code to other repositories managed by the victim.
- **Collection:** Gathering secrets from disk and system memory.
- **Exfiltration:** Encrypted payloads pushed to attacker-created repositories on the victim's GitHub profile.
- **Impact:** Compromise of enterprise cloud infrastructure and further downstream supply chain contamination.
## Impact Assessment
- **Financial:** High potential loss due to unauthorized cloud resource access; costs associated with rotating enterprise-wide credentials.
- **Data Breach:** Exposure of highly sensitive "keys to the kingdom" (tokens and secrets) rather than static data records.
- **Operational:** Disruption to development workflows; required auditing of all CI/CD pipelines.
- **Reputational:** Impact to SAP, Intercom, and Lightning as trusted software providers.
## Indicators of Compromise
- **File/Package Indicators:**
- `[email protected]` (npm)
- `@cap-js/[email protected]` (npm)
- `[email protected]` & `7.0.5` (npm)
- `[email protected]` & `2.6.3` (PyPI)
- `router_runtime.js` (Malicious payload script)
- **Behavioral Indicators:**
- Unexplained creation of new public GitHub repositories.
- `npm install` or `pip install` commands triggering outbound connections to unexpected GitHub endpoints.
- Presence of encrypted blobs in repository commits.
## Response Actions
- **Containment:** Removal of malicious versions from npm and PyPI registries.
- **Eradication:** Rotation of all potentially exposed secrets (GitHub, AWS, Azure, GCP, npm).
- **Recovery:** Development teams instructed to revert to known-good versions (e.g., `[email protected]` or earlier).
## Lessons Learned
- **Automated Propagation:** Multi-stage payloads can now "worm" through GitHub tokens, making one-time compromises exponentially more dangerous.
- **Preinstall Risk:** The use of `preinstall` scripts in npm remains a primary high-risk vector for automated malware execution.
- **CI/CD Volatility:** Attackers are successfully targeting the memory of runner environments, moving beyond simple environment variable scraping.
## Recommendations
- **Pin Dependencies:** Use lockfiles (`package-lock.json`) and avoid wildcards in dependency versions.
- **Disable Scripts:** Run npm installs with the `--ignore-scripts` flag where possible, especially in automated environments.
- **Secret Management:** Utilize short-lived, identity-based credentials (like OIDC for GitHub Actions) instead of long-lived static tokens.
- **Monitoring:** Implement monitoring for the creation of new repositories within organization GitHub accounts.