1,800 Developers Hit in Mini Shai-Hulud Supply Chain Attack Across PyPI, NPM, and PHP
2026-05-03 06:16:41 Author: securityboulevard.com

What happened

A supply chain attack campaign attributed to TeamPCP, dubbed Mini Shai-Hulud, has compromised packages across the PyPI, NPM, and PHP ecosystems over a two-day period, and more than 1,800 repositories containing stolen developer credentials have been identified so far. The campaign was first identified on April 29, when malicious versions of four SAP NPM packages were caught delivering information-stealing malware.

The attack expanded significantly with the compromise of the Lightning PyPI package and the intercom-client NPM package, which together see nearly 10 million downloads a month. The malicious releases were Lightning 2.6.2 and 2.6.3 and intercom-client 7.0.4 and 7.0.5. The campaign then spread to the PHP ecosystem through intercom-php 5.0.2, a package with over 20 million lifetime downloads on Packagist. The PHP compromise was a direct downstream consequence of the Lightning infection: a local package installation had pulled in the infected Lightning package as a dependency, so an infected developer environment, not a separate account takeover, produced the poisoned PHP release.

The malware collects credentials, keys, tokens, and secrets from infected machines and publishes the stolen data to GitHub repositories bearing the hardcoded description “A Mini Shai-Hulud has Appeared.” Beyond the credential theft seen in the initial SAP phase, the Lightning and Intercom payload adds dedicated exfiltration infrastructure on the domain zero[.]masscan[.]cloud, plus a dynamic fallback that searches GitHub for commits containing specific strings and reads command-and-control instructions embedded in them, so blocking the domain alone does not cut the operator off.

The intercom-client payload actively scans for Kubernetes environments and HashiCorp Vault secrets, extracting AWS keys, GitHub and NPM tokens, database connection strings, private keys, and API secrets including Stripe, Slack, and Twilio credentials. The stealer also targets VPN credentials, cryptocurrency wallet data, and Discord and Slack session tokens. The campaign appears to be a continuation of the broader Shai-Hulud supply chain attacks from late 2025.

Who is affected

Developers and organizations that installed the compromised versions of Lightning, intercom-client, intercom-php, or the affected SAP NPM packages are directly exposed, whether the package was a direct or a transitive dependency. Given the combined download volumes of these packages, the 1,800 confirmed repositories likely represent an early count that will grow. Organizations whose developer machines or CI runners can reach Kubernetes API endpoints or HashiCorp Vault are at elevated risk, since the payload scans for those systems from the infected host.

Why CISOs should care

Mini Shai-Hulud is not an isolated incident. It is a continuation of a documented multi-ecosystem campaign by TeamPCP that has now compromised packages across NPM, PyPI, PHP, and previously GitHub Actions and Docker Hub. The group is systematically working through the dependency layers of modern software development, and the cascading compromise from Lightning to intercom-php through a shared dependency illustrates how a single infected package can propagate through an ecosystem faster than defenders can respond.

The active Kubernetes and Vault scanning in the payload elevates this beyond credential theft. Access to Kubernetes service endpoints and Vault configurations can provide attackers with infrastructure-level access that extends well beyond the developer environments where the initial compromise occurred.

3 practical actions

1. Immediately audit environments for the compromised package versions and treat any match as a confirmed credential exposure: check for Lightning 2.6.2 and 2.6.3, intercom-client 7.0.4 and 7.0.5, and intercom-php 5.0.2 across all development environments, CI/CD pipelines, and container images, including lockfiles and package caches so that transitive dependencies are caught (intercom-php itself was compromised through Lightning). Rotate every credential, token, and API key that was present in any environment where these versions were installed, not only the ones found in the published repositories.
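The audit in step 1 is easiest to run against the lockfiles and pinned requirement lists that CI already produces. The following is an added example, not code from the article or from any of the affected projects: it parses npm package-lock.json (v1 through v3, including nested dependencies), composer.lock, and pip-freeze-style requirements, normalizes PyPI names so that Lightning and lightning compare equal, and reports matches against the versions named above. The Composer package name intercom/intercom-php and all sample file contents are assumptions constructed for the example.

```python
"""Scan lockfiles for the Mini Shai-Hulud package versions named in the write-up."""
import json
import re

# Compromised versions as listed in the article (ecosystem -> package -> versions).
# The "intercom/" vendor prefix is an assumption about the package's Composer name.
COMPROMISED = {
    "pypi": {"lightning": {"2.6.2", "2.6.3"}},
    "npm": {"intercom-client": {"7.0.4", "7.0.5"}},
    "packagist": {"intercom/intercom-php": {"5.0.2"}},
}


def normalize_pypi_name(name):
    """PEP 503 normalization: Lightning, lightning and LIGHTNING compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _walk_v1(deps):
    """Recurse through a lockfile-v1 'dependencies' tree (nested dependencies)."""
    for name, meta in deps.items():
        yield name, meta.get("version", "")
        yield from _walk_v1(meta.get("dependencies", {}))


def packages_from_package_lock(text):
    """Yield (name, version) from an npm package-lock.json (v1, v2 or v3)."""
    lock = json.loads(text)
    for path, meta in lock.get("packages", {}).items():  # v2/v3 layout
        if path:  # "" is the root project itself, not a dependency
            name = meta.get("name") or path.split("node_modules/")[-1]
            yield name, meta.get("version", "")
    yield from _walk_v1(lock.get("dependencies", {}))  # v1 (and v2 compat) layout


def packages_from_composer_lock(text):
    """Yield (name, version) from composer.lock; Composer versions may carry a 'v' prefix."""
    lock = json.loads(text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            yield pkg["name"], pkg.get("version", "").lstrip("v")


def packages_from_pip_freeze(text):
    """Yield (normalized name, version) from `pip freeze` / pinned requirements lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)", line)
        if m:
            yield normalize_pypi_name(m.group(1)), m.group(2)


def find_hits(pairs, ecosystem):
    """Return sorted (package, version) tuples whose version is a known-bad one."""
    bad = COMPROMISED[ecosystem]
    hits = set()
    for name, version in pairs:
        key = normalize_pypi_name(name) if ecosystem == "pypi" else name
        if version in bad.get(key, ()):
            hits.add((key, version))
    return sorted(hits)


PARSERS = {
    "package-lock.json": ("npm", packages_from_package_lock),
    "composer.lock": ("packagist", packages_from_composer_lock),
    "requirements.txt": ("pypi", packages_from_pip_freeze),
}


def audit(files):
    """files: {path: content}. Returns {path: [(package, version), ...]} for files with hits."""
    report = {}
    for path, text in files.items():
        parser = PARSERS.get(path.rsplit("/", 1)[-1])
        if parser is None:
            continue
        ecosystem, parse = parser
        hits = find_hits(parse(text), ecosystem)
        if hits:
            report[path] = hits
    return report


# Constructed sample inputs, not real project files.
SAMPLE_FILES = {
    "package-lock.json": json.dumps({
        "lockfileVersion": 3,
        "packages": {
            "": {"name": "demo-app", "version": "1.0.0"},
            "node_modules/intercom-client": {"version": "7.0.4"},
            "node_modules/left-pad": {"version": "1.3.0"},
        },
    }),
    "composer.lock": json.dumps({
        "packages": [{"name": "intercom/intercom-php", "version": "v5.0.2"}],
        "packages-dev": [{"name": "phpunit/phpunit", "version": "10.5.0"}],
    }),
    "requirements.txt": "torch==2.3.0\nLightning==2.6.3  # pinned\nrequests==2.32.0\n",
}

if __name__ == "__main__":
    for path, hits in audit(SAMPLE_FILES).items():
        for pkg, ver in hits:
            print(f"{path}: {pkg}=={ver} is a known Mini Shai-Hulud version")
```

Run it over every lockfile a repository search turns up, and also over `pip freeze` output taken inside CI images and container layers, since an image built during the window can carry the bad version even when the repository's lockfile has since moved on.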

2. Scan for GitHub repositories created with the Mini Shai-Hulud signature and block the known exfiltration domain: search for repositories with the description “A Mini Shai-Hulud has Appeared” that may contain credentials from your environment (GitHub may have removed some, so absence is not proof of safety), and block outbound connections to zero[.]masscan[.]cloud in network controls and DNS filtering. Alert on lookups of that domain as well as blocking them: a lookup from a developer host or CI runner is itself an indicator of an infected machine.

3. Audit Kubernetes and HashiCorp Vault access logs for anomalous credential queries: the intercom-client payload actively queries Kubernetes service endpoints and Vault configurations. Review access logs for these systems for unusual API calls, bulk secret reads, or enumeration of paths a given token does not normally touch, concentrating on the April 29 to May 1 window of active compromise.
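One concrete form of the Vault review in step 3 is a burst detector over the audit log: a token that reads many distinct secret paths within a minute looks like enumeration, whereas a service that re-reads one path on a schedule does not. The following is an added example, not code from the article; the audit records are a simplified, constructed approximation of Vault's JSON audit format (`type`, `time`, `auth.accessor`, `request.operation`, `request.path`, `request.remote_address`), the sixty-second window and five-path threshold are assumed tunables rather than published indicators, and the Kubernetes side of the review is not shown.

```python
"""Flag Vault tokens that enumerate many secret paths in a short burst inside the campaign window."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The write-up's window of active compromise, UTC; May 2 00:00 is an exclusive bound.
WINDOW_START = datetime(2026, 4, 29, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 2, tzinfo=timezone.utc)

# Tunables for the burst heuristic: assumptions for this example, not campaign indicators.
BURST_SECONDS = 60
BURST_DISTINCT_PATHS = 5


def parse_time(s):
    """Vault writes RFC 3339 timestamps; map a trailing Z to an explicit offset."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def read_events(lines):
    """Yield (time, source, path) for read/list requests inside the window.

    Only 'request' records are used so each call counts once (Vault also writes a
    'response' record). The source is the token accessor, or the remote address
    when the call was unauthenticated."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        if rec.get("type") != "request":
            continue
        req = rec.get("request", {})
        if req.get("operation") not in ("read", "list"):
            continue
        t = parse_time(rec["time"])
        if not (WINDOW_START <= t < WINDOW_END):
            continue
        source = rec.get("auth", {}).get("accessor") or req.get("remote_address", "?")
        yield t, source, req.get("path", "")


def detect_bursts(lines):
    """Return {source: peak distinct paths read in any BURST_SECONDS window}
    for every source whose peak reaches BURST_DISTINCT_PATHS."""
    by_source = defaultdict(list)
    for t, source, path in read_events(lines):
        by_source[source].append((t, path))
    flagged = {}
    for source, events in by_source.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):
            window = {p for t, p in events[i:] if t - t0 <= timedelta(seconds=BURST_SECONDS)}
            peak = max(peak, len(window))
        if peak >= BURST_DISTINCT_PATHS:
            flagged[source] = peak
    return flagged


def audit_line(time, accessor, path, op="read", typ="request"):
    """Build one simplified Vault audit record (constructed sample, not a real log)."""
    return json.dumps({
        "time": time, "type": typ,
        "auth": {"accessor": accessor, "display_name": "token"},
        "request": {"operation": op, "path": path, "remote_address": "10.0.0.7"},
    })


PROD_PATHS = ["secret/data/prod/db", "secret/data/prod/aws", "secret/data/prod/stripe",
              "secret/data/prod/slack", "secret/data/prod/twilio", "secret/data/prod/github",
              "secret/data/prod/npm"]

# Constructed sample log: one CI token sweeping seven secrets in seven seconds on Apr 30,
# one web app re-reading a single path hourly, and a sweep outside the window on May 10.
SAMPLE_LOG = [
    *[audit_line(f"2026-04-30T10:15:{i:02d}Z", "acc-ci-runner", p) for i, p in enumerate(PROD_PATHS)],
    audit_line("2026-04-30T10:15:00Z", "acc-ci-runner", "secret/data/prod/db", typ="response"),
    *[audit_line(f"2026-04-30T{h:02d}:00:00Z", "acc-web-app", "secret/data/prod/db") for h in range(8, 18)],
    *[audit_line(f"2026-05-10T09:00:{i:02d}Z", "acc-later", f"secret/data/x{i}") for i in range(10)],
]

if __name__ == "__main__":
    for source, peak in detect_bursts(SAMPLE_LOG).items():
        print(f"{source}: {peak} distinct secret paths read within {BURST_SECONDS}s")
```

Feed it the real audit device output (one JSON object per line) and treat every flagged accessor as a token to revoke and a host to examine; widen the window if developer machines could have stayed infected after May 1, and lower the threshold for tokens whose normal footprint is a single path.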


Source: https://securityboulevard.com/2026/05/1800-developers-hit-in-mini-shai-hulud-supply-chain-attack-across-pypi-npm-and-php/