In a recent cybersecurity incident, more than 1,800 developers were impacted by a sophisticated supply chain attack named Mini Shai-Hulud. This breach targeted the PyPi, NPM, and PHP ecosystems within the last 48 hours, compromising various software packages and developer credentials.
Details of the Cyber Attack
Identified as the work of the hacking group TeamPCP, the attack was initially detected on April 29. The group strategically inserted malicious versions of four SAP NPM packages, designed to install information-stealing malware and spread to additional packages. These malicious versions exfiltrated sensitive developer credentials and other secrets from affected systems.
The collected data was then uploaded to GitHub repositories, each marked with the description “A Mini Shai-Hulud has Appeared.” This identifier was also used in newer infections involving the Lightning PyPi package and the intercom-client NPM package, which are popular among developers with millions of monthly downloads.
Impact on Software Ecosystems
According to cybersecurity firm Ox Security, the Mini Shai-Hulud attack led to the creation of over 1,800 repositories containing stolen credentials. This campaign is perceived as an extension of the Shai-Hulud attacks observed in late 2025. Affected software versions included Lightning Python 2.6.2 and 2.6.3, and intercom-client NPM 7.0.4 and 7.0.5, all of which were manipulated to include the information-stealing malware.
The attack also extended to the PHP ecosystem via the intercom-php package version 5.0.2 on Packagist, a widely used package with more than 20 million downloads. The compromise of Intercom was traced back to the Lightning package, used as a dependency in local installations, further spreading the attack.
Technical Analysis and Future Risks
Security experts at Wiz noted that the payloads in the Lightning and Intercom compromises included advanced functions for data extraction, utilizing the zero[.]masscan[.]cloud domain. Additionally, the malware featured a dynamic mechanism that searched GitHub for specific strings, such as ‘beautifulcastle’, to execute command-and-control (C&C) operations.
Moreover, the intercom-client payload was observed probing for Kubernetes environments and HashiCorp Vault secrets. It utilized regex-based techniques to identify and extract credentials like AWS keys, GitHub tokens, database connections, and API secrets. Aikido also reported that the malware targeted VPN credentials, cryptocurrency wallets, and session data from platforms like Discord and Slack.
As supply chain attacks become more sophisticated, it is crucial for developers and organizations to enhance their security measures and monitoring practices. Ensuring robust protection against such breaches will be vital to safeguarding sensitive information and maintaining trust in digital ecosystems.
