1,800 Hit in Mini Shai-Hulud Attack on SAP, Lightning, Intercom

Over 1,800 developers were affected by the Mini Shai-Hulud supply chain attack that hit the PyPi, NPM, and PHP ecosystems over the past two days.

Attributed to the TeamPCP hacking group, the campaign was first spotted on April 29, after malicious versions of four SAP NPM packages were caught delivering information-stealing malware and attempting to propagate to other packages.

The malware would collect credentials, keys, tokens, and other secrets from the infected machines and publish the data to GitHub repositories containing the hardcoded description “A Mini Shai-Hulud has Appeared”.

The same description has been used in a fresh round of infections linked to the compromise of the Lightning PyPi package and the intercom-client NPM package, which have a combined monthly download count of nearly 10 million.

According to Ox Security, over 1,800 repositories containing stolen developer credentials have been created as part of the Mini Shai-Hulud attacks. The ...