RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: mini-shai-hulud (3 articles)Clear
threat
CVE-2026-45321
2026-05-13

TeamPCP supply-chain worm 'Mini Shai-Hulud' hits TanStack, Mistral AI, UiPath, OpenSearch, and Guardrails AI - 170 packages, 401 malicious versions, 518 million weekly downloads (CVE-2026-45321)

TeamPCP launched its largest supply-chain attack to date on May 11, compromising 170+ npm and PyPI packages with 518 million combined weekly downloads. The attackers chained three GitHub Actions vulnerabilities to publish 401 malicious versions carrying valid SLSA Build Level 3 attestations - cryptographically indistinguishable from legitimate releases. Affected packages include TanStack, Mistral AI (npm and PyPI), UiPath, OpenSearch, and Guardrails AI. The worm installs a persistent gh-token-monitor daemon that triggers 'rm -rf ~/' if tokens get revoked, and includes a probabilistic full-disk-wipe routine for Israeli and Iranian locales.

teampcpshai-huludmini-shai-huludsupply-chainnpmpypitanstackmistral-aiuipathopensearchguardrails-aislsaoidc-token-theftwormdestructive-payload
Check
Audit lockfiles for @tanstack/* (84 affected versions), @uipath/* (66 versions), @mistralai/*, opensearch-project/opensearch 3.5.3-3.8.0, guardrails-ai 0.10.1, mistralai 2.4.6.
Affected
Any Node.js or Python environment that installed compromised packages between May 11 and registry takedown. CI/CD pipelines, developer workstations, AI/ML environments. Crypto wallets and password managers (1Password, Bitwarden) are primary exfil targets.
Fix
Remove gh-token-monitor daemon BEFORE revoking tokens (~/Library/LaunchAgents macOS, ~/.config/systemd/user/ Linux) - removal first prevents triggering the wipe. Pin lockfiles to clean versions. Rotate all npm tokens, GitHub PATs, cloud credentials, and crypto wallet seeds.
threat
2026-04-30

The same supply-chain worm that hit SAP packages on Wednesday spread to PyTorch Lightning and Intercom's npm SDK on Thursday

Update on the Mini Shai-Hulud campaign covered April 30: The same supply-chain worm that hit four SAP npm packages on Wednesday spread to two more major packages on Thursday. PyTorch Lightning, an AI training framework with 31,100 GitHub stars and hundreds of thousands of daily downloads, had malicious versions 2.6.2 and 2.6.3 published on PyPI for 42 minutes before being quarantined. Intercom-client, the official Node.js SDK for Intercom (361,510 weekly downloads), was compromised at 14:41 UTC. Intercom traced its compromise to pyannote-audio pulling Lightning as a dependency - showing the worm propagating through stolen credentials from the SAP victims.

mini-shai-huludteampcppytorch-lightningintercom-clientpypinpmsupply-chainworm-propagationfollow-upai-mlcredential-theft
Check
Audit any developer machine or CI runner that ran 'pip install' on PyTorch Lightning or 'npm install' on intercom-client between April 30 and May 1, and rotate every credential on those machines.
Affected
Lightning (PyPI) versions 2.6.2 and 2.6.3 - safe version is 2.6.1. Intercom-client (npm) version 7.0.4 (per Socket) and 7.0.5 (per Wiz). AI/ML environments running Lightning routinely hold GPU cluster credentials, cloud IAM tokens, Hugging Face API keys, and Weights & Biases tokens. Backend services and CI/CD pipelines integrating with Intercom's API are exposed even if they don't use Lightning.
Fix
Pin Lightning to 2.6.1 or earlier; reject 2.6.2 and 2.6.3. Update intercom-client per Intercom's advisory. Rotate all credentials potentially exposed: GitHub tokens, npm tokens, AWS/GCP/Azure keys, environment-variable secrets. Gate npm publish behind environment review (the same pattern that compromised SAP).
threat
2026-04-29

Hackers compromised four official SAP developer packages and used them to steal credentials from any developer who installed an update

Attackers compromised four official SAP npm packages on Wednesday and replaced them with versions that quietly steal developer credentials when installed. The packages - mbt, @cap-js/sqlite, @cap-js/postgres, and @cap-js/db-service - are SAP's open-source tools for cloud application development. Anyone who ran 'npm install' between 09:55 and 12:14 UTC on April 29 had their machine grab GitHub tokens, npm credentials, and AWS, Azure, and GCP secrets, then dump them into public GitHub repositories on the victim's own account. The same attackers (TeamPCP) hit Trivy, Checkmarx, and Bitwarden earlier this year. The malware skips Russian-language systems entirely.

sapnpmsupply-chainteampcpmini-shai-huludcredential-theftci-cdpreinstall-hookbun-runtimerussian-language-guardrail
Check
Audit your CI/CD pipelines and dev machines for the four compromised SAP packages installed between April 29 09:55 and 13:46 UTC, and rotate every credential on those machines.
Affected
Any developer or CI/CD environment that ran 'npm install' on mbt 1.2.48, @cap-js/sqlite 2.2.2, @cap-js/postgres 2.2.2, or @cap-js/db-service 2.10.1. SAP enterprise shops running CAP are at acute risk because these are core SAP development packages.
Fix
Update to clean SAP versions: @cap-js/db-service 2.11.0, @cap-js/sqlite 2.4.0, @cap-js/postgres 2.3.0. Rotate every GitHub token, npm token, and cloud credential (AWS, Azure, GCP) on machines that touched those packages. Search GitHub for repositories with the description 'A Mini Shai-Hulud has Appeared' belonging to your developers and report them to GitHub.