Researchers: TeamPCP's Mini Shai-Hulud worm exfiltrates enterprise keys, hits SAP
- Socket says a TeamPCP-linked “Mini Shai-Hulud” campaign compromised SAP, Intercom, and Lightning packages starting April 29, 2026, using poisoned releases to steal secrets.
- The clearest detail is the package list: `mbt@1.2.48`, three `@cap-js` releases, `intercom-client@7.0.4`, and `lightning` versions `2.6.2` and `2.6.3`.
- This matters because the malware targets CI/CD and cloud credentials, turning one bad package install into wider repo and pipeline compromise.
A software supply-chain worm is back in a smaller but still nasty form. This one is being tracked as “Mini Shai-Hulud,” and the danger is not just a poisoned package on a developer laptop. The real risk is that the malware goes after CI/CD tokens, cloud keys, and repo credentials — the stuff that lets an attacker move from one package install into build systems and production environments. The new twist is who got hit: packages tied to SAP workflows, Intercom’s npm client, and Lightning on PyPI. (socket.dev)

### What actually got compromised?

The confirmed list is pretty specific. On npm, researchers flagged `mbt@1.2.48`, `@cap-js/db-service@2.10.1`, `@cap-js/postgres@2.2.2`, `@cap-js/sqlite@2.2.2`, and `intercom-client@7.0.4`. On PyPI, they flagged `lightning` versions `2.6.2` and `2.6.3`. Those are not random hobby packages — several sit in real enterprise and developer workflows, especially around SAP Cloud Application Programming Model deployments. (socket.dev)

### Why is SAP the scary part?

SAP’s CAP and MTA tooling often lives close to enterprise deployment pipelines. So if a compromised package lands there, the blast radius can be much bigger than a single developer machine. Socket’s write-up points out that teams using SAP CAP, SAP Business Technology Platform workflows, or MTA-based deployment pipelines should treat installs during the exposure window as potentially se(socket.dev)dge straight into corporate infrastructure. (socket.dev)

### How does the malware run?

The payload uses a preinstall or import-time hook to fetch a platform-specific Bun runtime from GitHub Releases, then executes a large obfuscated JavaScript stealer. That matters because it means the malicious behavior can start automatically during install or import, without waiting for a user to run some obviously sketchy command. Socket also noted risky implementation details(socket.dev)following behavior. (socket.dev)

### What is it trying to steal?

The target list is the important part. Researchers say the stealer hunts developer and CI/CD secrets, including GitHub, npm, cloud, Kubernetes, and other build-environment credentials. Earlier TeamPCP activity and related Shai-Hulud campaigns were built around turning stolen GitHub access into more repo compromise and more malicious workflow pushes. So the package is really just the entry point — the credential theft is the engine. (socket.dev)

### Why call it a worm?

Because the campaign appears designed to propagate using the access it steals. The older Shai-Hulud playbook abused GitHub tokens to create repos, dump secrets, and push malicious workflows into accessible repositories. Unit 42 says the post–Shai-Hulud era is defined by attackers embedding themselves into CI/CD pipelines for persistence, not just quick smash-and-grab theft. Mini Shai-Hulud looks like a lighter version of that same idea. (unit42.paloaltonetworks.com)

### Is this definitely TeamPCP?

Researchers are linking it to TeamPCP based on shared payload architecture and overlap with earlier campaigns, but that is still an attribution judgment, not a courtroom fact. What is solid is the operational pattern: recent TeamPCP-linked incidents have already hit Trivy, LiteLLM, Checkmarx tooling, Telnyx, and Bitwarden’s CLI, all with the same broad goal of stealing high-value secrets from software pipelines. (socket.dev)

### What should teams do first?

First, identify whether those exact package versions were installed on developer machines, runners, or build systems after April 29, 2026. Then rotate any credentials that may have been exposed — especially GitHub tokens, npm tokens, cloud keys, Kubernetes secrets, and CI variables. After that, review CI/CD logs for unexpected network calls, binary downloads, and workflow chan(socket.dev)nt may be burned. (socket.dev)

### So what’s the real lesson?

The lesson is that package compromise is no longer mainly about sneaking bad code into an app. It is about stealing the keys around the app — repo access, pipeline access, and cloud access. That is why this story matters even if your team never used the SAP or Intercom packages directly. The attack path now aims at the software factory itself. (unit42.paloaltonetworks.com)
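For the first step under “What should teams do first?”, checking whether the exact package versions named above were resolved on a machine or runner, here is an added example that is not from Socket’s write-up or from any of the projects named. It matches an npm `package-lock.json` (lockfileVersion 2/3) and `pip freeze` output against the article’s package list, and additionally lists the install-time lifecycle scripts declared in a `package.json`, since the article describes the payload starting from a preinstall hook. The sample lockfile, freeze output and package.json are constructed; the hook listing is an assumption about what is worth reviewing during triage, not a step the article prescribes.

```python
"""Match npm/pip dependency listings against the package versions named in the
article, and list install-time npm lifecycle hooks. Added example; all sample
inputs below are constructed."""
import json
import re

# Compromised releases exactly as listed in the article.
COMPROMISED_NPM = {
    "mbt": {"1.2.48"},
    "@cap-js/db-service": {"2.10.1"},
    "@cap-js/postgres": {"2.2.2"},
    "@cap-js/sqlite": {"2.2.2"},
    "intercom-client": {"7.0.4"},
}
COMPROMISED_PYPI = {"lightning": {"2.6.2", "2.6.3"}}

# npm scripts that run during install with no explicit user action (assumed
# review list, not from the article).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def scan_package_lock(lock_text: str) -> list[tuple[str, str]]:
    """Return (name, version) hits from a package-lock.json (lockfileVersion 2/3).

    The "packages" map is keyed by install path, e.g. "node_modules/@cap-js/sqlite";
    nested dependencies appear as "node_modules/a/node_modules/b", so the package
    name is whatever follows the last "node_modules/" segment.
    """
    lock = json.loads(lock_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version")
        if version in COMPROMISED_NPM.get(name, ()):
            hits.append((name, version))
    return hits


def scan_pip_freeze(freeze_text: str) -> list[tuple[str, str]]:
    """Return (name, version) hits from `pip freeze` style "name==version" lines.

    PyPI names are case-insensitive and treat '-', '_' and '.' alike, so the name
    is normalised (PEP 503 style) before comparison; comments and environment
    markers after ';' are ignored.
    """
    hits = []
    for line in freeze_text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9._-]+)==([^\s;#]+)", line)
        if not m:
            continue
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
        version = m.group(2)
        if version in COMPROMISED_PYPI.get(name, ()):
            hits.append((name, version))
    return hits


def scan_lifecycle_scripts(package_json_text: str) -> dict[str, str]:
    """Return the install-time lifecycle scripts a package.json declares."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


# Constructed sample inputs: one clean and one flagged version of two packages,
# plus a nested dependency that is one patch level below the flagged release.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "0.1.0"},
        "node_modules/@cap-js/sqlite": {"version": "2.2.2"},
        "node_modules/@cap-js/db-service": {"version": "2.9.0"},
        "node_modules/intercom-client": {"version": "7.0.4"},
        "node_modules/intercom-client/node_modules/mbt": {"version": "1.2.47"},
    },
})
SAMPLE_PIP_FREEZE = """\
Lightning==2.6.3
numpy==2.1.0
torch==2.5.1
"""
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-dep",
    "scripts": {"preinstall": "node setup.js", "test": "jest"},
})

if __name__ == "__main__":
    print("npm hits:", scan_package_lock(SAMPLE_PACKAGE_LOCK))
    print("pip hits:", scan_pip_freeze(SAMPLE_PIP_FREEZE))
    print("install hooks:", scan_lifecycle_scripts(SAMPLE_PACKAGE_JSON))
```

To use it on real systems, feed it the lockfile and `pip freeze` output from each developer machine, runner and build image rather than the constructed samples; any hit means that version was resolved for that project after the exposure window began, so the credential rotation and CI/CD log review the article describes apply to everything that host could reach. Listing install hooks is only a prompt for review, since plenty of legitimate packages declare them; npm’s `--ignore-scripts` option (not mentioned in the article) keeps lifecycle scripts from running while a dependency set is being triaged.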