CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Cross-Platform Supply Chain Attack Expands with Mini Shai-Hulud Malware via PyPI and npm Ecosystems

First reported
Last updated
2 unique sources, 3 articles

Summary

Hide ▲

A coordinated supply chain attack involving the "Mini Shai-Hulud" credential-stealing malware has expanded beyond npm to compromise the PyPI ecosystem, targeting the popular Python package Lightning with versions 2.6.2 and 2.6.3. The attack introduces a hidden _runtime directory containing a downloader and obfuscated JavaScript payload that executes automatically upon module import, using the Bun runtime to run an 11 MB malicious payload (router_runtime.js) for credential harvesting. The malware validates harvested GitHub tokens via api.github[.]com/user and injects a worm-like payload across up to 50 branches in accessible repositories, with commits authored to impersonate Anthropic's Claude Code. It also implements an npm-based propagation vector using postinstall hooks to spread to downstream users, mirroring techniques used in prior TeamPCP operations. Additional compromises include version 7.0.4 of intercom-client on PyPI, further aligning with the Mini Shai-Hulud campaign's modus operandi. The maintainers of Lightning acknowledged the incident while investigating a suspected compromise of their GitHub account. The attack is assessed as an extension of the Mini Shai-Hulud campaign, with TeamPCP identified as the likely threat actor based on shared technical details and recent operational activity, including the launch of an onion website following suspension from X. The compromised SAP npm packages ([email protected], @cap-js/[email protected], @cap-js/[email protected], and @cap-js/[email protected]) were published on April 29, 2026, between 09:55–12:14 UTC, each including malicious preinstall hooks that downloaded the Bun runtime from GitHub Releases and executed a heavily obfuscated execution.js payload. The payload harvested and encrypted developer and cloud secrets, exfiltrating them to attacker-controlled GitHub repositories labeled "A Mini Shai-Hulud has Appeared", while self-propagating via GitHub Actions workflow injection and abusing AI tool configurations (VS Code and Claude Code) for persistence. Additional exfiltration techniques included a Python-based memory scanner targeting CI runner secrets and a dead-drop mechanism leveraging GitHub commit searches for base64-encoded GitHub tokens.

Timeline

  1. 30.04.2026 19:31 1 articles · 15h ago

    PyPI Ecosystem Compromised via Lightning Malware Extending Mini Shai-Hulud Campaign

    Two malicious versions of the Python package Lightning (2.6.2 and 2.6.3) were compromised and published to PyPI on April 30, 2026, as part of an extension of the Mini Shai-Hulud supply chain attack. The malicious package included a hidden _runtime directory containing a downloader and obfuscated JavaScript payload (router_runtime.js) that executed automatically when the lightning module was imported, requiring no additional user action after installation and import. The attack chain used a Python script (start.py) to download and execute the Bun JavaScript runtime, which then ran an 11 MB obfuscated malicious payload to harvest developer credentials across GitHub, npm, AWS, Azure, GCP, and Kubernetes environments. Harvested GitHub tokens were validated against api.github[.]com/user and used to inject a worm-like payload across up to 50 branches in accessible repositories, with commits authored to impersonate Anthropic's Claude Code. The malware implemented an npm-based propagation vector by modifying local npm packages with a postinstall hook in package.json to invoke the malicious payload, increase the patch version, repack .tgz tarballs, and enable downstream distribution via npm if published by developers. The maintainers of Lightning acknowledged the incident and stated they were actively investigating, with indications pointing to a compromised GitHub account as the initial access vector. The PyPI repository administrators quarantined the compromised versions. This development was assessed as an extension of the Mini Shai-Hulud campaign, with TeamPCP identified as the likely threat actor based on shared operational tactics, including GitHub-based exfiltration, credential harvesting, and similarities to prior attacks (Checkmarx, Bitwarden, Telnyx, LiteLLM, Aqua Security Trivy). Additionally, version 7.0.4 of intercom-client was compromised as part of the same campaign, following a similar modus operandi involving a preinstall hook to trigger credential-stealing malware.

    Show sources
    Open in new tab
  2. 29.04.2026 19:26 3 articles · 1d ago

    SAP npm Package Supply Chain Compromise via Mini Shai-Hulud Malware Disclosed

    The compromised npm packages ([email protected], @cap-js/[email protected], @cap-js/[email protected], and @cap-js/[email protected]) were published on April 29, 2026, between 09:55–12:14 UTC, each including malicious preinstall hooks that downloaded the Bun runtime from GitHub Releases and executed a heavily obfuscated execution.js payload. The payload harvested and encrypted developer and cloud secrets, exfiltrating them to attacker-controlled GitHub repositories labeled "A Mini Shai-Hulud has Appeared", while self-propagating via GitHub Actions workflow injection and abusing AI tool configurations for persistence. Additional exfiltration techniques included a Python-based memory scanner targeting CI runner secrets by reading /proc/<pid>/maps and /proc/<pid>/mem for the Runner.Worker process, and a dead-drop mechanism leveraging GitHub commit searches for base64-encoded GitHub tokens (OhNoWhatsGoingOnWithGitHub:<base64>). Researchers linked the attack with medium confidence to the TeamPCP threat actors, citing structural similarities with prior supply chain attacks (Trivy, Checkmarx, Bitwarden), and noted a possible initial access vector via an exposed NPM token from a misconfigured CircleCI job. This article provides new context: The Mini Shai-Hulud campaign has expanded to the PyPI ecosystem, compromising the Python package Lightning (versions 2.6.2 and 2.6.3) to deploy credential-stealing malware. The malicious package included a hidden _runtime directory with a downloader and obfuscated JavaScript payload that executed automatically when the lightning module was imported, requiring no additional user action after installation and import. The attack chain used start.py to download and execute the Bun runtime, running an 11 MB obfuscated payload (router_runtime.js) to harvest credentials. Harvested GitHub tokens were validated against api.github[.]com/user and used to inject a worm-like payload to up to 50 branches across repositories the token could write to, with commits authored to impersonate Anthropic's Claude Code. The malware also implemented an npm-based propagation vector that modified local npm packages with a postinstall hook in package.json to invoke the malicious payload, increased the patch version, repacked .tgz tarballs, and enabled downstream distribution via npm. The maintainers of Lightning acknowledged the incident while investigating a suspected compromise of their GitHub account. Additionally, version 7.0.4 of intercom-client was compromised as part of the Mini Shai-Hulud campaign, following a similar modus operandi involving a preinstall hook to trigger credential-stealing malware. The supply chain attack is assessed as an extension of the Mini Shai-Hulud campaign, with TeamPCP identified as the likely threat actor based on shared technical details and recent operational activity, including the launch of an onion website following suspension from X.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Supply chain compromise in Trivy scanner triggers CanisterWorm propagation across CI/CD pipelines

Supply chain compromise in the Trivy vulnerability scanner triggered the CanisterWorm propagation across CI/CD pipelines, now expanding to additional open-source ecosystems and involving multiple advanced threat actors. The TeamPCP threat group continues to monetize stolen supply chain secrets through partnerships with extortion groups including Lapsus$ and the Vect ransomware operation, with Wiz (Google Cloud) and Cisco confirming collaboration and horizontal movement across cloud environments. A new npm supply chain malware campaign discovered on April 24, 2026, shows self-propagating worm-like behavior via @automagik/genie and pgserve packages, stealing credentials and spreading across developer ecosystems while using Internet Computer Protocol (ICP) canisters for command and control. The malware shares technical similarities with prior TeamPCP campaigns, including post-install scripts and canister-based infrastructure, potentially indicating ongoing evolution of the threat actor's tactics or a new campaign leveraging established infrastructure. The Axios NPM package compromise via malicious versions 0.27.5 and 0.28.0 delivered a multi-platform RAT through a malicious dependency impersonating crypto-js, with attribution disputes suggesting either TeamPCP involvement or North Korean actor UNC1069 (Google's Threat Intelligence Group). Cisco's internal development environment was breached using stolen Trivy-linked credentials via a malicious GitHub Action, resulting in the theft of over 300 repositories including proprietary AI product code and customer data from banks, BPOs, and US government agencies. Multiple AWS keys were abused across a subset of Cisco's cloud accounts, with multiple threat actors participating in the breach.

Open in new tab

TeamPCP escalates CanisterWorm campaign with geopolitical targeting and multi-vector attacks

TeamPCP has escalated its multi-vector CanisterWorm campaign into a geopolitically targeted operation, now confirmed to have leveraged the Trivy supply-chain attack as an access vector for the Checkmarx compromise. The group compromised PyPI packages (LiteLLM versions 1.82.7–1.82.8 and Telnyx versions 4.87.1–4.87.2) and Checkmarx KICS tooling to deliver credential-stealing malware, harvesting SSH keys, cloud credentials, Kubernetes secrets, database credentials, cryptocurrency wallets, TLS/SSL private keys, and bash history files. Checkmarx has publicly confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository, with access facilitated by the Trivy compromise attributed to TeamPCP. The leaked data, published on both dark web and clearnet portals, did not contain customer information, and Checkmarx has blocked access to the affected repository pending forensic investigation. The campaign’s scope expanded from initial npm package compromises to include GitHub repository hijacking (e.g., Aqua Security), Docker Hub compromise, and CI/CD pipeline targeting, while destructive payloads in Iranian Kubernetes environments highlight TeamPCP’s geopolitical alignment.

Open in new tab

Malicious nx Packages Exfiltrate Credentials in 's1ngularity' Supply Chain Attack

The **UNC6426** threat actor has weaponized credentials stolen during the August 2025 **nx npm supply-chain attack** to execute a rapid cloud breach, escalating from a compromised GitHub token to **full AWS administrator access in under 72 hours**. By abusing GitHub-to-AWS OpenID Connect (OIDC) trust, the attacker deployed a new IAM role with `AdministratorAccess`, exfiltrated S3 bucket data, terminated production EC2/RDS instances, and **publicly exposed the victim’s private repositories** under the `/s1ngularity-repository-[randomcharacters]` naming scheme. This follows the broader *Shai-Hulud* and *SANDWORM_MODE* campaigns, which collectively compromised **over 400,000 secrets** via trojanized npm packages, GitHub Actions abuse, and AI-assisted credential harvesting (e.g., QUIETVAULT malware leveraging LLM tools). The attack chain began with the **Pwn Request** exploitation of a vulnerable `pull_request_target` workflow in nx, leading to trojanized package publication and theft of GitHub Personal Access Tokens (PATs). UNC6426 later used tools like **Nord Stream** to extract CI/CD secrets, highlighting the risks of **overprivileged OIDC roles** and **standing cloud permissions**. Researchers warn of escalating supply chain risks, including **self-propagating worms** (Shai-Hulud), **PackageGate vulnerabilities** bypassing npm defenses, and **AI-assisted prompt injection** targeting developer workflows. Mitigations include disabling postinstall scripts, enforcing least-privilege access, and rotating all credentials tied to npm, GitHub, and cloud providers.

Open in new tab