A sophisticated supply chain campaign dubbed Mini Shai Hulud has compromised multiple npm packages tied to the SAP ecosystem, injecting malicious preinstall scripts that silently harvest developer credentials, cloud secrets, and CI/CD pipeline tokens. Security researchers at Wiz have attributed the operation to TeamPCP, the same threat actor responsible for the earlier Shai-Hulud and Shai-Hulud 2.0 campaigns, based on a shared RSA public key and overlapping encoding routines.

How the Attack Works: Preinstall Script Injection

The attackers created malicious versions of legitimate SAP ecosystem packages, including @cap-js/sqlite and @cap-js/postgres, by modifying their package.json to include a preinstall hook. When a developer or CI/CD pipeline runs npm install, the hook automatically executes setup.mjs before installation completes — giving attackers a reliable, low-friction code execution primitive that requires no further user interaction.

The first-stage script downloads the Bun JavaScript runtime and uses it to execute an obfuscated second-stage payload called execution.js. This design helps bypass detection tools that may flag Node.js-based execution but not Bun, and the obfuscation layer provides additional resistance to static analysis.

What Credentials Are Being Stolen

The second-stage payload is a full-featured credential stealer and propagation framework. It is specifically engineered to target both developer workstations and automated CI/CD environments. The data harvested includes:

  • GitHub personal access tokens and OAuth credentials
  • npm authentication tokens
  • Cloud provider secrets — AWS access keys, Azure credentials, and GCP service account tokens
  • Kubernetes service account tokens
  • GitHub Actions secrets, including values extracted directly from runner memory
  • HashiCorp Vault configurations and stored secrets
  • API keys for services such as Stripe, Slack, and Twilio
  • Database connection strings and private keys

Stolen data is encrypted and exfiltrated to attacker-controlled public GitHub repositories. This technique exploits GitHub's trusted reputation to blend malicious traffic with normal developer activity and evade network-level controls.

Evolving Exfiltration Infrastructure

Later-stage analysis revealed that TeamPCP has upgraded its exfiltration architecture beyond simple GitHub repositories. The malware now primarily communicates with a dedicated domain, zero.masscan.cloud, while implementing a dynamic fallback mechanism to ensure resilience against takedowns.

The fallback works by searching GitHub commit history for commits containing the keyword "beautifulcastle". These commits embed a base64-encoded payload that points to the current active exfiltration endpoint — currently resolving to 94.154.172[.]43/v1/telemetry. This design allows the attacker to rotate infrastructure without publishing new malicious package versions, significantly complicating detection and remediation efforts.

Propagation Logic and Self-Spreading Capability

Beyond credential theft, the malware includes active propagation logic. Using the harvested GitHub and npm tokens, it attempts to infect additional repositories and package distributions that the compromised user has write access to. This self-spreading mechanism means a single compromised developer machine can cascade into downstream packages and repositories, multiplying the campaign's reach without any additional attacker effort.

Russia Guardrail: A Threat Actor Fingerprint

During initialization, the malware performs a locale check before executing its primary payload. It inspects both the system's date/time locale settings and environment language variables. If any value begins with ru, the payload immediately terminates and exfiltrates nothing. This Russia-exclusion guardrail is a well-documented behavioral fingerprint among Eastern European threat actors seeking to avoid prosecution or attention from domestic authorities, and it corroborates the TeamPCP attribution.

Campaign Expansion: intercom-client and Lightning Packages Trojanized

The campaign has since expanded beyond the SAP ecosystem. Researchers confirmed that the following additional packages were subsequently trojanized with the same malicious functionality:

  • intercom-client@7.0.5 (npm)
  • lightning@2.6.2 and lightning@2.6.3 (PyPI)

The inclusion of a PyPI package signals that TeamPCP is broadening its targeting surface beyond the JavaScript ecosystem, potentially threatening Python-based development pipelines and data science workflows that rely on the Lightning machine learning framework.

Scale and Comparison to Prior Campaigns

While Mini Shai Hulud is an active and ongoing threat, Wiz researchers note that the volume of compromised users and attacker-created exfiltration repositories is significantly lower than that observed in the original Shai-Hulud or Shai-Hulud 2.0 operations. This may reflect faster detection and response, a more targeted scope, or simply an earlier stage in the campaign lifecycle.

Detection and Mitigation Recommendations

Organizations using SAP CAP framework packages or any of the affected packages should take immediate action:

  • Audit your dependency tree for @cap-js/sqlite, @cap-js/postgres, intercom-client, and lightning and verify installed versions against known-good releases.
  • Rotate all secrets immediately on any machine that ran npm install with a potentially affected package — including GitHub tokens, npm tokens, AWS/Azure/GCP credentials, and Kubernetes service accounts.
  • Inspect CI/CD pipeline logs for unexpected network connections to zero.masscan.cloud or 94.154.172[.]43.
  • Enable npm package lock integrity checks and consider using tools like socket.dev or npm audit in your pipeline to flag packages with preinstall scripts.
  • Monitor GitHub for unexpected repository creation under compromised user accounts, which may indicate the propagation stage has activated.
  • Block or alert on Bun runtime downloads in CI/CD environments where it is not an expected dependency.

Conclusion

The Mini Shai Hulud campaign is a clear demonstration that supply chain attacks against the npm ecosystem remain a high-impact, low-barrier threat vector for sophisticated actors. TeamPCP's decision to target the SAP CAP framework — widely used in enterprise cloud-native development — reflects deliberate targeting of high-value CI/CD environments where a single compromised token can cascade into broader infrastructure access. The expansion to PyPI and the upgrade to resilient, dynamically configured exfiltration infrastructure suggest this threat actor is actively refining its tradecraft. Security teams supporting developer environments should treat preinstall script execution in third-party packages as a high-risk vector and implement automated controls accordingly.