Over 1,800 developers were affected by the Mini Shai-Hulud supply chain attack that hit the PyPi, NPM, and PHP ecosystems over the past two days.
Attributed to the TeamPCP hacking group, the campaign was first spotted on April 29, after malicious versions of four SAP NPM packages were caught delivering information-stealing malware and attempting to propagate to other packages.
The malware would collect credentials, keys, tokens, and other secrets from the infected machines and publish the data to GitHub repositories containing the hardcoded description “A Mini Shai-Hulud has Appeared”.
The same description has been used in a fresh round of infections linked to the compromise of the Lightning PyPi package and the intercom-client NPM package, which have a combined monthly download count of nearly 10 million.
According to Ox Security, over 1,800 repositories containing stolen developer credentials have been created as part of the Mini Shai-Hulud attacks. The campaign appears to be a continuation of the Shai-Hulud supply chain attacks from late 2025.
As part of the supply chain attack, the Lightning Python package versions 2.6.2 and 2.6.3 and the intercom-client NPM package versions 7.0.4 and 7.0.5 were injected with the information stealer.
Additionally, the supply chain attack expanded to Packagist, through intercom-php version 5.0.2. A popular PHP package, intercom-php had over 20 million lifetime downloads.
The Intercom compromise was a direct result of the Lightning supply chain attack. A local package installation used the infected Lightning PyPi package as a dependency, Socket reports.
In addition to the malicious functions observed in the SAP compromise, the Lightning and Intercom payload added a dedicated infrastructure for data exfiltration, the zero[.]masscan[.]cloud domain, cybersecurity firm Wiz notes.
The code also implements a dynamic fallback mechanism that searches GitHub for commits containing the ‘beautifulcastle’ and ‘EveryBoiWeBuildIsAWormyBoi’ strings to retrieve embedded command-and-control (C&C) commands, NetSkope says.
Additionally, Wiz has observed the intercom-client payload actively scanning for Kubernetes environments and HashiCorp Vault secrets.
“It queries Kubernetes service endpoints and Vault configurations, using extensive regex-based matching to extract credentials such as AWS keys, GitHub and npm tokens, database connection strings, private keys, and API secrets (e.g., Stripe, Slack, Twilio),” Wiz says.
According to Aikido, the information stealer also targets VPN credentials, cryptocurrency wallet data, and Discord and Slack session data.
Related: AI Fuels ‘Industrial’ Cybercrime as Time-to-Exploit Shrinks to Hours
Related: Critical Gemini CLI Flaw Enabled Host Code Execution, Supply Chain Attacks
Related: Checkmarx Confirms Data Stolen in Supply Chain Attack
Related: Critical GitHub Vulnerability Exposed Millions of Repositories
