Published: 2026-05-02
Categories: Software Supply Chain Security, Threat Intelligence, CI/CD Pipeline Security
Mini Shai-Hulud: Coordinated Multi-Ecosystem Package Attack
TeamPCP’s Cross-Registry Credential-Stealing Campaign Against npm, PyPI, and PHP
Key Takeaways
- Between April 29 and May 1, 2026, the threat actor group TeamPCP executed simultaneous credential-stealing supply chain attacks across npm, PyPI, and PHP’s Packagist registry, compromising packages belonging to SAP, PyTorch Lightning, and Intercom within a 72-hour window.
- The attack deploys malicious preinstall scripts that bootstrap the Bun JavaScript runtime on the victim’s machine, then execute an 11.6 MB obfuscated payload that harvests developer tokens, CI/CD secrets, and cloud provider credentials before exfiltrating them to attacker-controlled repositories.
- Mini Shai-Hulud is the most recent operation in what researchers characterize as an escalating series of TeamPCP campaigns dating to September 2025, which have progressively targeted more impactful packages and extended from developer tooling into security scanning infrastructure and AI/ML frameworks.
- The malware deliberately avoids execution on systems with Russian-language locale settings, a behavior consistent with attribution to a threat actor operating under tacit or active state tolerance in Russian-speaking regions.
- Organizations that installed any of the affected package versions during the April 29–May 1 window should treat CI/CD pipeline credentials, cloud provider tokens, and developer secrets as compromised and rotate them immediately.
Background
Package registries have emerged as a high-consequence attack surface in software development, particularly given their role as a trusted distribution channel for widely deployed dependencies. Developers across every major programming language ecosystem rely on public registries — npm, PyPI, Packagist, RubyGems, crates.io, and others — as the primary mechanism for consuming third-party libraries. The trust model underlying these registries is largely credential-based: anyone who possesses a maintainer’s publishing credentials can push new versions of an established, widely trusted package. This model appears insufficient against professionalized threat actors who treat credential acquisition as a primary attack objective.
TeamPCP — also tracked under the aliases PCPcat, ShellForce, and DeadCatx3 [13] — emerged as a distinct supply chain threat actor in September 2025. Researchers documented the group’s initial large-scale operation, dubbed Shai-Hulud, beginning September 15, 2025, with the publication of rxnt-authentication v0.0.3 to npm as the first confirmed malicious package [1]. Shai-Hulud targeted 18 widely used npm packages representing hundreds of millions to billions of weekly combined downloads and introduced self-replicating behavior that allowed the worm to automatically spread through dependent repositories, marking a qualitative escalation beyond the opportunistic typosquatting and dependency confusion campaigns that had characterized most prior package registry abuse [2]. Shai-Hulud 2.0 followed in late November 2025, extending the campaign’s reach to preinstall execution — a technique that fires the attacker’s code the moment a package is installed rather than when it is first imported — and introducing attempted file deletion as a destructive secondary payload [3].
The group’s evolution through early 2026 demonstrated a deliberate strategic pivot toward higher-value targets. Rather than maintaining typosquatted packages or injecting malicious versions of obscure libraries, TeamPCP began pursuing direct compromise of legitimate, widely trusted projects. In February and March 2026, Arctic Wolf Research documented that TeamPCP had gained unauthorized access to the release pipelines of three prominent security tools: Trivy (the widely deployed container and infrastructure vulnerability scanner, with malicious binaries first published as version v0.69.4 on March 19, 2026), KICS (the Checkmarx Infrastructure-as-Code security scanner, compromised March 23 via stolen CI/CD secrets), and LiteLLM (the open-source LLM API gateway framework, compromised March 24 with malicious versions 1.82.7 and 1.82.8 published to PyPI) [4]. The security tool compromises were particularly significant because Trivy and KICS are integrated directly into CI/CD pipelines as guardrails — a scan tool executing attacker code during a security gate defeats the purpose of the gate entirely.
Security Analysis
The Mini Shai-Hulud Attack Pattern
The Mini Shai-Hulud campaign launched on April 29, 2026, with malicious package versions published to npm between 09:55 and 12:14 UTC. Wiz Research identified the initial compromises affecting four SAP packages: @cap-js/sqlite@2.2.2, @cap-js/postgres@2.2.2, @cap-js/db-service@2.10.1, and mbt@1.2.48 [5]. The @cap-js packages are core components of SAP’s Cloud Application Programming Model (CAP) framework, used extensively in enterprise cloud-native application development on SAP BTP; mbt is SAP’s Cloud MTA Build Tool, used to build and package multi-target applications. Within hours, the campaign extended across registries: PyPI received malicious versions of lightning (the PyTorch Lightning training framework, versions 2.6.2 and 2.6.3), and Packagist received a compromised version of intercom/intercom-php (5.0.2). On npm, intercom-client 7.0.4 and 7.0.5 were also compromised [6].
The attack mechanism centers on an install-time hook embedded in the malicious package versions. In the npm packages this is a preinstall lifecycle script: when a developer or CI/CD runner executes npm install against an affected version, the script fires before any application code is executed, and before anyone has imported or reviewed the package. (pip has no preinstall hook by that name; a Python package runs attacker code at install time through its build script when installed from a source distribution, or otherwise on first import.) The hook downloads and bootstraps the Bun JavaScript runtime onto the victim machine, then uses it to execute setup.mjs and bun_environment.js, two payload files totaling approximately 11.6 MB and subject to heavy obfuscation [7]. Aikido Security’s analysis found that the obfuscation evaded the static analysis tooling available at the time of deployment [8]. The use of Bun as a runtime dropper is notable: it is a legitimate, signed, widely distributed binary with a clean reputation, so its execution does not trip endpoint detection rules written for unusual interpreters or unsigned code, and the malicious logic lives in the script it is handed rather than in the binary itself.
Before executing its primary payload, the malware checks the victim system’s locale and environment language variables. If any value begins with the string ru, the malware terminates without exfiltrating data [5]. This avoidance of Russian-language environments is an indicator consistent with threat actor campaigns that operate under implicit tolerance from Russian-speaking jurisdictions — a pattern also seen in TeamPCP’s earlier Shai-Hulud operations. Researchers have not conclusively attributed Mini Shai-Hulud to a state-affiliated actor, and locale-based kill switches can also be used to mislead attribution; the indicator should be treated as one data point in a broader attribution analysis rather than confirmation of origin.
Credential Harvesting and Exfiltration
The payload’s primary function is systematic credential harvesting. Regex-based matching sweeps well-known credential storage locations for GitHub personal access tokens and organization tokens, npm publish tokens, AWS access keys and session tokens, Azure service principal credentials, Google Cloud Platform service account keys, and Kubernetes cluster configuration files [9]. The harvested credentials are exfiltrated to attacker-controlled GitHub repositories; forensic analysis across the full campaign found that over 1,800 repositories were created with the description “A Mini Shai-Hulud has Appeared” as a provenance marker for stolen credentials, with GitGuardian’s analysis identifying 23 attacker accounts and 971 repositories tied to the SAP-specific phase alone [14]. These repository counts correspond to at least 1,800 likely victim environments across the full campaign — a floor estimate based on attacker repository creation patterns rather than independent victim confirmation [10].
The significance of this credential set extends well beyond the immediate victim. A developer’s local machine or a CI/CD runner typically holds credentials for the entire delivery pipeline: the token that publishes packages is often the same one that can read private repositories, and the cloud provider credentials present in a CI environment usually have write access to production infrastructure. Credential theft from a single build agent can therefore cascade into unauthorized code commits, poisoned subsequent releases of the same package, lateral movement into cloud accounts, and persistent access maintained through newly created API keys before the initial intrusion is detected.
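The same kind of regex sweep, turned around for incident response, as an added example that is not code from the article or from any vendor write-up: it inventories what a compromised developer machine or CI runner would have exposed, so the rotation list is derived from evidence rather than guesswork. The token formats are the public prefix schemes for GitHub, npm, and AWS keys; the candidate file paths are the locations the article names; the sample home directory and environment are constructed inside the script and contain no real secrets.

```python
"""Inventory the credentials a compromised developer machine or CI runner exposed.

Added example, not code from the article or from any vendor write-up. It applies
the same kind of regex sweep the article attributes to the payload, but
defensively: run it on a host that installed an affected version and the output
is the rotation list. Token formats are the public prefix schemes (GitHub
ghp_/github_pat_, npm npm_, AWS AKIA/ASIA); the candidate paths are the
locations the article names; the sample $HOME and environment are constructed
here and contain no real secrets.
"""
import os
import re
import tempfile

# Public token prefix formats. Anything matched is reported by kind with a
# redacted tail, never the full value, so the report itself is safe to share.
PATTERNS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_pat_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}
# Credential files the article lists as sweep targets, relative to $HOME.
CANDIDATE_FILES = [".npmrc", ".aws/credentials", ".kube/config", ".config/gh/hosts.yml"]
# Environment variables that commonly carry the same material on CI runners.
CANDIDATE_ENV = [
    "GITHUB_TOKEN", "NPM_TOKEN", "NODE_AUTH_TOKEN", "AWS_ACCESS_KEY_ID",
    "AWS_SECRET_ACCESS_KEY", "AZURE_CLIENT_SECRET", "GOOGLE_APPLICATION_CREDENTIALS",
]
# Constructed CI-style environment for the demo (not a real runner's env).
SAMPLE_ENV = {
    "GITHUB_TOKEN": "ghp_" + "B" * 36,
    "AWS_SECRET_ACCESS_KEY": "constructed-secret-key",
    "PATH": "/usr/bin",
}


def redact(token):
    """Keep enough of a token to identify it for rotation, not to reuse it."""
    return token[:8] + "..." + token[-4:]


def scan_text(text, source):
    """Return (kind, source, redacted_token) for every pattern match in text."""
    return [(kind, source, redact(m.group(0)))
            for kind, rx in PATTERNS.items()
            for m in rx.finditer(text)]


def inventory(home, environ):
    """Sweep the candidate files under home and the candidate variables in environ.

    A file or variable that is present but matches no pattern is still reported
    (kubeconfig client certificates and AWS secret access keys have no
    recognizable prefix): it is secret material regardless, and must be rotated.
    """
    findings = []
    for rel in CANDIDATE_FILES:
        path = os.path.join(home, rel)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = scan_text(fh.read(), rel)
        findings.extend(hits or [("credential_file_present", rel, "")])
    for var in CANDIDATE_ENV:
        value = environ.get(var)
        if value:
            hits = scan_text(value, "env:" + var)
            findings.extend(hits or [("env_var_set", "env:" + var, "")])
    return sorted(findings)


def build_sample_home():
    """Create a throwaway $HOME holding constructed credential files.

    The npm and GitHub tokens are filler; the AWS key id is the one used in
    AWS's own documentation, which is never valid.
    """
    home = tempfile.mkdtemp(prefix="mini-shai-hulud-demo-")
    files = {
        ".npmrc": "//registry.npmjs.org/:_authToken=npm_" + "A" * 36 + "\n",
        ".aws/credentials": ("[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                             "aws_secret_access_key = constructed/secret/key\n"),
        ".kube/config": "apiVersion: v1\nkind: Config\nusers:\n- name: ci\n  user:\n    token: constructed\n",
    }
    for rel, content in files.items():
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return home


if __name__ == "__main__":
    for kind, source, redacted in inventory(build_sample_home(), SAMPLE_ENV):
        print(f"ROTATE  {kind:24} {source:32} {redacted}")
```

Run it with the real home directory and os.environ on each machine or runner image that processed an affected version; every line it prints is a credential to revoke, and files it reports as present without a pattern match (kubeconfigs, service account JSON) need manual review because their formats carry no recognizable prefix.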
The targeting of SAP and PyTorch Lightning packages reflects a deliberate selection logic. SAP’s CAP framework is used across a large base of enterprise customers building cloud applications on SAP BTP, particularly in organizations with substantial investment in SAP’s enterprise software ecosystem. PyTorch Lightning is a training framework built on PyTorch that is prevalent in enterprise AI development environments — teams training, fine-tuning, or evaluating machine learning models routinely have this dependency present. Both package families represent environments where the developer or pipeline machines likely hold credentials with significant blast radius, either against enterprise cloud infrastructure or model storage systems.
Multi-Ecosystem Coordination and the Broader Attack Wave
The timing of Mini Shai-Hulud reflects a coordinated multi-registry deployment strategy. Publishing to npm, PyPI, and Packagist within 72 hours maximizes the probability that at least one vector reaches any given organization’s dependency tree while minimizing the window between deployment and community detection. It also creates blind spots: a security team monitoring only a single registry for anomalies sees one incident, not the full scope of a cross-registry campaign.
A parallel campaign attributed to a separate actor, BufferZoneCorp, poisoned Ruby gems and Go modules in CI pipelines on May 1, 2026, using similar credential-targeting techniques [11]. While distinct from TeamPCP’s operation, the concurrent activity illustrates that multiple threat actors are independently exploiting package registries across all major language ecosystems — a convergence that suggests the attack surface is broadly known and valued across the attacker community, not merely in npm.
The April 22, 2026, compromise of a @bitwarden/cli release on npm preceded Mini Shai-Hulud by one week and shares behavioral characteristics with the Shai-Hulud campaign family, though security researchers have characterized it as a related but distinct incident rather than a named phase of Mini Shai-Hulud itself [12]. Together, these incidents establish a pattern: TeamPCP is operating at a tempo and scope that strain the incident response capacity of any single registry operator, SIEM team, or threat intelligence provider.
The AI/ML Supply Chain Attack Surface
The LiteLLM and PyTorch Lightning compromises highlight an emerging and underappreciated dimension of supply chain risk: the AI and ML development toolchain is now an active target. LiteLLM functions as a unified API gateway to dozens of model providers, meaning that a compromised LiteLLM installation can exfiltrate API keys for multiple AI services simultaneously. A compromised ML training dependency often has access to model weights, training datasets, cloud storage credentials, and experiment tracking infrastructure — a credential profile that may span the entire organization’s AI development practice, and that is rarely scoped as tightly as production application credentials.
This pattern suggests that threat actors have identified the AI development toolchain as a high-credential-density environment where a single successful package compromise can yield access to a broad set of valuable resources. For organizations that have invested heavily in AI infrastructure, the supply chain risk is not merely about application security but about protecting the confidentiality, integrity, and availability of the AI systems themselves.
Recommendations
Immediate Actions
Organizations that installed any of the following packages during or after April 29, 2026, should treat the associated system and its credentials as compromised and take remediation steps immediately:
| Package | Compromised Versions | Ecosystem |
|---|---|---|
| @cap-js/sqlite | 2.2.2 | npm |
| @cap-js/postgres | 2.2.2 | npm |
| @cap-js/db-service | 2.10.1 | npm |
| mbt | 1.2.48 | npm |
| lightning (PyTorch Lightning) | 2.6.2, 2.6.3 | PyPI |
| intercom-client | 7.0.4, 7.0.5 | npm |
| intercom/intercom-php | 5.0.2 | Packagist |
Incident responders should audit CI/CD pipeline logs for installs of these specific versions, identify any machines or runners that processed them, and treat all secrets accessible from those environments as potentially exfiltrated. GitHub tokens, npm tokens, AWS access keys, Azure service principal credentials, GCP service account keys, and Kubernetes configuration files should be rotated immediately. Any recently published package versions from maintainer accounts that ran the affected pipelines should be reviewed for downstream tampering.
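The audit step, as an added example that is not code from the article or from any vendor tool: it reads the three lockfile formats involved (package-lock.json, a pinned requirements.txt, composer.lock) and reports any dependency pinned to a version in the table above. The lockfile contents in the script are constructed so it runs offline; in a real response it would be pointed at the files committed in each repository and baked into each runner image.

```python
"""Audit lockfiles from all three ecosystems for the Mini Shai-Hulud versions.

Added example, not from the article or from any vendor tool. The IOC table is
the one published above; the lockfile contents below are constructed so the
script runs offline. In a real response, feed it the package-lock.json,
pinned requirements.txt and composer.lock from each repository and runner image.
"""
import json
import re

# Compromised versions per ecosystem, from the table above.
IOCS = {
    "npm": {
        "@cap-js/sqlite": {"2.2.2"},
        "@cap-js/postgres": {"2.2.2"},
        "@cap-js/db-service": {"2.10.1"},
        "mbt": {"1.2.48"},
        "intercom-client": {"7.0.4", "7.0.5"},
    },
    "pypi": {"lightning": {"2.6.2", "2.6.3"}},
    "packagist": {"intercom/intercom-php": {"5.0.2"}},
}


def npm_packages(lock_text):
    """Yield (name, version) from package-lock.json, lockfileVersion 1, 2 or 3."""
    lock = json.loads(lock_text)
    # v2/v3: "packages" keyed by install path, "" being the project itself.
    for path, meta in lock.get("packages", {}).items():
        if path and "version" in meta:
            yield meta.get("name") or path.split("node_modules/")[-1], meta["version"]
    # v1 (and v2, which keeps it for compatibility): nested "dependencies" tree.
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, meta in stack.pop().items():
            if "version" in meta:
                yield name, meta["version"]
            stack.append(meta.get("dependencies", {}))


def pip_packages(requirements_text):
    """Yield (name, version) from pinned name==version lines.

    pip treats names case-insensitively with '-', '_' and '.' as equivalent,
    so normalize before matching: 'Lightning' and 'lightning' are one package.
    """
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;]+)", line)
        if m:
            yield re.sub(r"[-_.]+", "-", m.group(1)).lower(), m.group(2)


def composer_packages(lock_text):
    """Yield (name, version) from composer.lock, stripping Composer's 'v' prefix."""
    lock = json.loads(lock_text)
    for key in ("packages", "packages-dev"):
        for pkg in lock.get(key, []):
            yield pkg["name"], pkg["version"].lstrip("v")


def find_iocs(npm_lock=None, requirements=None, composer_lock=None):
    """Return sorted (ecosystem, name, version) triples present in the inputs."""
    sources = [
        ("npm", npm_packages(npm_lock) if npm_lock else ()),
        ("pypi", pip_packages(requirements) if requirements else ()),
        ("packagist", composer_packages(composer_lock) if composer_lock else ()),
    ]
    hits = set()
    for ecosystem, packages in sources:
        for name, version in packages:
            if version in IOCS[ecosystem].get(name, ()):
                hits.add((ecosystem, name, version))
    return sorted(hits)


# Constructed sample inputs, not real project files.
SAMPLE_NPM_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/@cap-js/sqlite": {"version": "2.2.2", "hasInstallScript": True},
        "node_modules/intercom-client": {"version": "7.0.3"},
        "node_modules/express": {"version": "4.19.2"},
    },
})
SAMPLE_REQUIREMENTS = "torch==2.6.0\nLightning==2.6.3  # pinned by the training image\nnumpy==2.2.0\n"
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [{"name": "intercom/intercom-php", "version": "v5.0.2"},
                 {"name": "guzzlehttp/guzzle", "version": "7.9.2"}],
    "packages-dev": [],
})

if __name__ == "__main__":
    for ecosystem, name, version in find_iocs(SAMPLE_NPM_LOCK, SAMPLE_REQUIREMENTS, SAMPLE_COMPOSER_LOCK):
        print(f"COMPROMISED VERSION PRESENT: {ecosystem} {name}@{version}")
```

A lockfile match is sufficient to trigger rotation but not necessary: a runner that resolved the version from an unpinned range and never committed the lock will show nothing here, which is why the registry download logs and CI install logs have to be checked as well.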
Short-Term Mitigations
Several technical controls can meaningfully limit exposure to preinstall-hook-based attacks. Organizations managing npm dependencies can disable preinstall, install, and postinstall scripts globally by setting ignore-scripts=true in .npmrc or passing --ignore-scripts to npm ci. This will break packages with legitimate build steps (native modules, binary downloads), so it needs scoping: enumerate the dependencies that declare install scripts, review them, and re-run only that allowlist with npm rebuild, with scripts explicitly re-enabled for that one command. Complementary controls include committing a lockfile with integrity hashes and installing from it with npm ci, which fails when package.json and the lockfile disagree, so an unexpected version change in a pull request is caught rather than silently resolved; generating an SBOM per build so that, when the next indicator list arrives, the question “which systems installed this version during this window” can be answered from records rather than from memory; and restricting the network access available to install-time scripts using tools such as StepSecurity’s Harden-Runner, which was among the first systems to detect Mini Shai-Hulud through anomalous outbound connections initiated during npm install [7].
For PyPI and Packagist, equivalent pinning and hash-verification practices apply. Python environments using pip can install with pip install --require-hashes -r requirements.txt, where every requirement is pinned to an exact version and carries one or more --hash=sha256:... options; pip then refuses to install anything that is unpinned, unhashed, or whose downloaded file does not match. Composer projects should commit composer.lock and run composer install rather than composer update in CI, so that dependency resolution happens once, under review, and the pipeline only ever installs the exact versions (and dist checksums, where the registry supplies them) recorded in the lock. In all cases, CI/CD pipelines should be treated as credential-holding systems with production-equivalent secrets discipline: they should not hold long-lived tokens, credentials should be scoped to the minimum necessary permissions, and runtime access to secrets should be audited.
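The scoping step for ignore-scripts and the hash check for pip, as an added example that is not code from the article or from npm or pip themselves. npm records a hasInstallScript flag in package-lock.json (lockfileVersion 2 and 3) for every package that declares a preinstall, install, or postinstall script, so the set of dependencies that would run code at install time can be read from the lockfile without installing anything. The script compares that set against a reviewed allowlist and emits the install sequence described above; a second function flags requirements.txt lines that pip install --require-hashes would reject. The lockfile and requirements file are constructed; the allowlist and the --ignore-scripts=false flag on the rebuild command are the author’s choices here, not anything the article prescribes.

```python
"""Scope npm's ignore-scripts to a reviewed allowlist, and lint pip pins for hashes.

Added example, not from the article or from npm/pip themselves. It reads the
hasInstallScript flags that npm records in package-lock.json (lockfileVersion 2
and 3) to list every dependency that would run preinstall/install/postinstall
code, compares that list with an allowlist the team has reviewed, and emits the
install sequence: npm ci --ignore-scripts, then npm rebuild for the allowlisted
packages only, with scripts explicitly re-enabled for that one command so an
.npmrc ignore-scripts=true does not silence it. The second function flags
requirements.txt lines that pip install --require-hashes would reject. The
lockfile and requirements below are constructed.
"""
import json


def install_script_packages(lock_text):
    """Return {name: version} for every dependency npm flags as having an
    install-time lifecycle script. Raises for lockfileVersion 1, which does not
    record the flag; regenerate the lock with npm 7 or newer first."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("hasInstallScript is only recorded in lockfileVersion 2 and 3")
    scripted = {}
    for path, meta in lock.get("packages", {}).items():
        if path and meta.get("hasInstallScript"):
            scripted[meta.get("name") or path.split("node_modules/")[-1]] = meta.get("version", "?")
    return scripted


def plan_install(lock_text, allowlist):
    """Return (commands, unexpected).

    commands is the hardened shell sequence; unexpected lists install-script
    packages that are not on the allowlist, which should fail the pipeline
    until someone has read the script body and either added the package to the
    allowlist or removed the dependency.
    """
    scripted = install_script_packages(lock_text)
    allowed = sorted(name for name in scripted if name in allowlist)
    unexpected = sorted(name for name in scripted if name not in allowlist)
    commands = ["npm ci --ignore-scripts"]
    if allowed:
        # Explicit =false so a global ignore-scripts setting cannot suppress the rebuild.
        commands.append("npm rebuild --ignore-scripts=false " + " ".join(allowed))
    return commands, unexpected


def unhashed_requirements(requirements_text):
    """Return requirement lines that pip install --require-hashes would reject:
    any requirement without a --hash=sha256:... option. pip-compile writes one
    hash per continuation line, so backslash continuations are joined first;
    option lines such as -r or --index-url are not requirements and are skipped."""
    joined = requirements_text.replace("\\\n", " ")
    rejected = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        if "--hash=sha256:" not in line:
            rejected.append(line)
    return rejected


# Constructed inputs. esbuild really does ship a postinstall script; the
# @cap-js/sqlite entry stands in for a dependency that unexpectedly grew one.
SAMPLE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/esbuild": {"version": "0.25.0", "hasInstallScript": True},
        "node_modules/@cap-js/sqlite": {"version": "2.2.2", "hasInstallScript": True},
        "node_modules/express": {"version": "4.19.2"},
    },
})
REVIEWED_ALLOWLIST = {"esbuild"}
SAMPLE_REQUIREMENTS = (
    "lightning==2.6.1 \\\n"
    "    --hash=sha256:" + "0" * 64 + "\n"
    "torch==2.6.0\n"
)

if __name__ == "__main__":
    commands, unexpected = plan_install(SAMPLE_LOCK, REVIEWED_ALLOWLIST)
    print("\n".join(commands))
    if unexpected:
        print("FAIL: unreviewed install scripts:", ", ".join(unexpected))
    for line in unhashed_requirements(SAMPLE_REQUIREMENTS):
        print("FAIL: no --hash for", line)
```

Because the flag lives in the lockfile, this check runs in pull request review, before anything is installed: a dependency that acquires an install script in a minor version bump, which is exactly what a preinstall-based compromise looks like from the lockfile’s point of view, shows up as a new unexpected entry and blocks the merge.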
Strategic Considerations
The Mini Shai-Hulud campaign, considered alongside TeamPCP’s prior operations against Trivy, KICS, and LiteLLM, reflects a threat actor that has systematically mapped the software development and AI toolchain for high-leverage credential targets. The progression from opportunistic package injection to direct compromise of security scanning tools represents a maturation of capability and intent that warrants treating the package registry threat surface as a persistent adversarial environment rather than an occasional incident.
Organizations should evaluate whether their current software composition analysis tooling provides adequate visibility into install-time script behavior, not merely known-vulnerability databases. Traditional dependency scanners that check package versions against CVE databases do not detect malicious packages that have no assigned CVE — the compromised versions of SAP’s npm packages and PyTorch Lightning carried no vulnerability identifiers at the time of their publication. Supplementing SCA tooling with behavioral analysis of package installation activity, network egress monitoring during CI pipeline runs, and registry provenance verification provides a more resilient detection posture against this attack pattern.
For organizations with significant AI and ML development pipelines, the credential exposure profile of training and inference environments deserves explicit threat modeling. The tools and frameworks prevalent in AI development often hold credentials with broad scope, and the supply chain risk to these environments has not been systematically assessed at most organizations.
CSA Resource Alignment
The Mini Shai-Hulud campaign maps directly to multiple dimensions of CSA’s AI and cloud security guidance. CSA’s MAESTRO framework for agentic AI threat modeling addresses the pipeline integrity threat represented by TeamPCP’s targeting of CI/CD security tools: when a scanning tool in the agent’s execution pipeline is compromised, trust in the pipeline’s outputs can no longer be assumed, and the assumption of integrity that underpins automated build and deployment decisions collapses. Organizations using AI agents to manage or evaluate code should treat any tool in the agent’s execution environment as a potential attack surface, consistent with MAESTRO’s Layer 3 (Agent Frameworks) and Layer 4 (Deployment Infrastructure) threat categories.
CSA’s AI Controls Matrix (AICM) provides relevant control mappings for software supply chain integrity, including requirements around dependency provenance verification, build environment isolation, and secrets management in automated pipelines. The AICM’s controls for data and model integrity are also implicated: organizations that used compromised versions of PyTorch Lightning in training pipelines should verify that no unauthorized code was executed with access to training data or model artifacts. The broader AICM guidance on organizational AI risk governance is relevant to the strategic recommendation that AI development toolchains receive dedicated threat modeling.
CSA’s Software Transparency guidance calls for SBOM generation and verification as a baseline practice for software supply chain accountability. The specific gap exposed by Mini Shai-Hulud — that most organizations cannot quickly determine which systems installed a particular package version during a narrow window — is precisely the visibility gap that SBOM adoption addresses. Integrating SBOM verification into the CI/CD pipeline as a first-class security control, rather than a compliance artifact, is the operational implementation of this guidance.
CSA’s Zero Trust principles apply to the trust model underlying package registries themselves. The current credential-based publishing model for major registries extends implicit trust to any process possessing a valid token, with no mechanism to verify the provenance or integrity of published artifacts. Organizations that treat package installations as trusted inputs into their builds without additional verification have, in effect, extended transitive trust to every maintainer account in their dependency graph. A Zero Trust approach to the software supply chain requires verification of package provenance at install time and behavioral monitoring of install-time execution as independent signals, not reliance on registry credentials as a proxy for package integrity.
References
[1] Wiz Research. “Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware.” Wiz Blog, April 29, 2026.
[2] Unit 42. “Shai-Hulud: A New npm Supply Chain Attack.” Palo Alto Networks, September 2025.
[3] ReversingLabs. “New Shai-Hulud Worm Spreads: What to Know.” ReversingLabs Blog, November 2025.
[4] Arctic Wolf Research. “TeamPCP Supply Chain Attack Campaign Targets Trivy, Checkmarx KICS, and LiteLLM.” Arctic Wolf, March 2026.
[5] Wiz Research. “Tracking TeamPCP: Investigating Post-Compromise Attacks Seen in the Wild.” Wiz Blog, April 2026.
[6] The Hacker News. “PyTorch Lightning and Intercom-Client Hit in Supply Chain Attacks to Steal Credentials.” The Hacker News, April 30, 2026.
[7] StepSecurity. “A Mini Shai-Hulud Has Appeared.” StepSecurity Blog, April 29, 2026.
[8] Aikido Security. “Mini Shai-Hulud Has Appeared: Bun-Based Secret Stealer Targets SAP npm Packages.” Aikido Security Blog, April 30, 2026.
[9] Sophos. “Mini Shai-Hulud Supply Chain Attack Targets SAP npm Packages.” Sophos Blog, April 30, 2026.
[10] SecurityWeek. “1,800 Hit in Mini Shai-Hulud Attack on SAP, Lightning, Intercom.” SecurityWeek, May 1, 2026.
[11] The Hacker News. “Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft.” The Hacker News, May 1, 2026.
[12] OX Security. “Shai-Hulud: Bitwarden CLI Supply Chain Attack.” OX Security Blog, April 22, 2026.
[13] Wiz Threat Intelligence. “TeamPCP Threat Actor Profile.” Wiz Threat Landscape, 2026.
[14] GitGuardian. “A Mini Shai-Hulud Targeting the SAP Ecosystem.” GitGuardian Blog, April 29, 2026.