Lyrie
Supply-Chain Deep-Dive
By Lyrie Research Division — Senior Analyst Desk·5/5/2026

TL;DR

Between April 29–30, 2026, the threat actor TeamPCP — openly allied with LAPSUS$ — executed the most sophisticated cross-ecosystem supply chain attack recorded to date, poisoning seven packages spanning npm and PyPI simultaneously. SAP's cloud-development toolkit, the PyTorch Lightning ML framework, Bitwarden CLI, and the Intercom client library were all trojanized within a 24-hour window. The campaign, self-branded Mini Shai-Hulud, deploys an 11+ MB obfuscated credential-stealer that boots the Bun JavaScript runtime, harvests GitHub, npm, and cloud secrets (AWS/Azure/GCP/Kubernetes/Vault), exfiltrates them to attacker-controlled GitHub repositories using AES-256-GCM + RSA-4096 encryption, then worms itself into up to 50 branches of every repository the stolen token can write to — impersonating Anthropic's Claude Code as the commit identity. Over 1,100 attacker-controlled repos bearing the signature description "A Mini Shai-Hulud has Appeared" were live on GitHub within hours. This is not a one-off typosquat — it is a persistent, evolving, multi-wave campaign that has now compromised tools used by millions of developers across the ML, enterprise, security, and customer-success stacks.


Background: The Shai-Hulud Lineage

The name is a Dune reference — the worm that consumes everything it touches underground. It fits. The Shai-Hulud campaign family first appeared in September 2025, targeting npm packages via compromised maintainer accounts and supply-chain token theft. By December 2025, a "Modified Shai-Hulud" wave expanded its exfiltration capabilities and added CI/CD propagation. In April 2026, TeamPCP announced Mini Shai-Hulud — smaller payload footprint, broader ecosystem scope, and materially improved operational security.

Prior victims in the TeamPCP / Shai-Hulud lineage include Checkmarx (GitHub Actions and Open VSX plugins, March 2026), Bitwarden CLI (fake @bitwarden/[email protected] npm package), Telnyx, LiteLLM, and Aqua Security Trivy. Each compromise provided either a new batch of developer credentials or a propagation vector to downstream consumers. The April 29–30 wave represents the campaign's most ambitious single-window operation yet.

TeamPCP has now launched a dark-web .onion presence after being banned from X for posting leaked data, and has publicly described LAPSUS$ as "a good partner of ours…involved heavily throughout this entire operation." Attribution confidence is high: Wiz, Socket, Aikido, OX Security, Onapsis, StepSecurity, SafeDep, and Palo Alto Unit 42 all independently converge on the same technical fingerprints.


Technical Analysis

Wave 1 — SAP npm Packages (April 29, 09:55–12:14 UTC)

Four packages in SAP's JavaScript/cloud-application development ecosystem were poisoned in a 138-minute window:

| Package | Malicious Version | Ecosystem |
|---|---|---|
| mbt | 1.2.48 | npm |
| @cap-js/db-service | 2.10.1 | npm |
| @cap-js/postgres | 2.2.2 | npm |
| @cap-js/sqlite | 2.2.2 | npm |

Each poisoned release injected a preinstall hook into package.json that calls setup.mjs — a bootstrapper that downloads and extracts a platform-appropriate Bun ZIP from GitHub Releases, then executes execution.js, the main payload. Crucially, the script uses PowerShell with -ExecutionPolicy Bypass on Windows and follows HTTP redirects without destination validation — two deliberate choices that sidestep common security controls.

execution.js is an 11.6 MB obfuscated credential stealer and propagation framework that:

1. Harvests GitHub tokens, npm credentials, cloud secrets (AWS, Azure, GCP keys), Kubernetes service account tokens, HashiCorp Vault configurations, GitHub Actions secrets extracted from runner memory, and any API secrets matching a broad regex list (Stripe, Slack, Twilio, and more).

2. Encrypts all exfiltrated data with AES-256-GCM and wraps the key with an embedded RSA-4096 public key, so only the attacker can decrypt it.

3. Exfiltrates to attacker-controlled GitHub repositories created in the victim's own account, bearing the description "A Mini Shai-Hulud has Appeared," making forensic tracking trivially easy for defenders but also ensuring the data pipeline survives takedowns of the team's own infrastructure.

4. Propagates by using the stolen GitHub token to inject a malicious GitHub Actions workflow into the victim's repositories, which steals repo secrets and publishes poisoned npm package versions — creating a second-order wave of downstream victims.

5. Skips execution on systems with a Russian locale — a classic OPSEC guardrail consistent with Eastern European threat actor conventions.

Wave 2 — PyTorch Lightning and intercom-client (April 30, ~15:20 UTC)

With SAP packages quarantined, TeamPCP immediately pivoted to two more high-value targets:

  • lightning (PyTorch Lightning) versions 2.6.2 and 2.6.3 on PyPI — the framework has 31,100+ GitHub stars and is a foundational tool for AI/ML research and production training pipelines
  • intercom-client versions 7.0.4 and 7.0.5 on npm — used by customer-success engineering teams globally

The Lightning compromise used a different execution path: the malicious code is embedded in a hidden _runtime/ directory inside the wheel, with execution triggered automatically on import lightning — no pip install hook required. A Python loader (start.py) bootstraps Bun and runs router_runtime.js, an 11MB obfuscated payload. GitHub tokens found during harvesting are validated against api.github.com/user before use — the malware doesn't waste stolen credentials it can't use.

The worm propagation logic is particularly alarming: for each GitHub repo the stolen token can write to, the payload poisons up to 50 branches with a new commit authored under a hardcoded identity designed to impersonate Anthropic's Claude Code. This identity laundering means developers reviewing git logs are likely to ignore the poisoned commits as routine AI-assisted work.
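One way to surface this pattern during a repository audit, as an added example that is not from the original analysis: it reads one line per branch tip and reports identities whose unverified commits landed on several branches in a short burst. The input line format, the thresholds and the AI-identity pattern are assumptions; the article does not publish the hardcoded identity.

```python
import re
from collections import defaultdict

# Assumption: the article does not publish the hardcoded identity, so this
# "looks like an AI coding tool" pattern is illustrative only.
AI_IDENTITY = re.compile(r"claude|copilot|\bbot\b", re.I)
UNVERIFIED = {"N", "B", "E"}  # git %G? codes: no signature, bad, uncheckable


def parse_tips(text):
    """Parse 'branch|sha|%G?|author|email|unixtime' lines, one per branch tip."""
    tips = []
    for line in text.strip().splitlines():
        branch, sha, sig, name, email, ts = line.strip().split("|")
        tips.append({"branch": branch, "sha": sha, "sig": sig,
                     "who": f"{name} <{email}>", "ts": int(ts)})
    return tips


def suspicious_identities(tips, min_branches=3, window=600):
    """Report identities whose unverified tips hit many branches in one burst."""
    by_who = defaultdict(list)
    for tip in tips:
        if tip["sig"] in UNVERIFIED:
            by_who[tip["who"]].append(tip)
    report = {}
    for who, items in by_who.items():
        best = set()
        for first in items:  # try a time window starting at each tip
            hit = {t["branch"] for t in items
                   if 0 <= t["ts"] - first["ts"] <= window}
            best = max(best, hit, key=len)
        if len(best) >= min_branches:
            report[who] = {"branches": sorted(best),
                           "ai_like": bool(AI_IDENTITY.search(who))}
    return report


# Constructed sample: five branch tips from a fictional repository.
SAMPLE = """
main|a1|G|Dana Dev|dana@example.com|1777500000
feature/x|b2|N|claude-example|noreply@example.invalid|1777560000
feature/y|c3|N|claude-example|noreply@example.invalid|1777560004
release/1|d4|N|claude-example|noreply@example.invalid|1777560009
docs|e5|N|Sam Ops|sam@example.com|1777400000
"""
```

Each input line can be produced per branch with `git log -1 --format='%H|%G?|%an|%ae|%ct'`, prefixed with the branch name.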

A second propagation vector targeting npm: execution.js modifies the developer's local npm tarballs, injecting a postinstall hook, bumping the patch version, and repacking .tgz files in-place. If the developer subsequently runs npm publish, the infected version reaches the public registry automatically.
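A static check for the artifacts described in both waves and for the repacked tarballs above, added here as an illustration rather than taken from any vendor's tooling: it inspects an npm .tgz or a wheel without installing or importing it. The function names are hypothetical and the sample archives are constructed in memory.

```python
import io
import json
import tarfile
import zipfile

# Filenames from the article's IoC table; hits are leads, not verdicts.
IOC_FILES = {"setup.mjs", "execution.js", "start.py", "router_runtime.js"}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def inspect_npm_tarball(data):
    """Flag install-time hooks and IoC filenames in an npm .tgz."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.name.rsplit("/", 1)[-1] in IOC_FILES:
                findings.append(f"ioc-file:{member.name}")
            if member.name == "package/package.json":
                scripts = json.load(tar.extractfile(member)).get("scripts", {})
                findings += [f"hook:{h}={scripts[h]}"
                             for h in INSTALL_HOOKS if h in scripts]
    return findings


def inspect_wheel(data):
    """Flag a _runtime/ directory and IoC filenames in a .whl (a ZIP file)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as whl:
        for name in whl.namelist():
            parts = name.split("/")
            if "_runtime" in parts[:-1]:
                findings.append(f"runtime-dir:{name}")
            elif parts[-1] in IOC_FILES:
                findings.append(f"ioc-file:{name}")
    return findings


# Constructed in-memory archives used as sample input (not real packages).
def sample_tgz(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def sample_whl(names):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as whl:
        for name in names:
            whl.writestr(name, b"")
    return buf.getvalue()
```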

Infrastructure Evolution: Dynamic C2 Fallback

A significant operational improvement over prior waves: while the primary exfiltration endpoints are zero.masscan.cloud and 94.154.172[.]43/v1/telemetry, the malware also implements a dead-drop resolver via GitHub commit search. Searching for commits containing the keyword beautifulcastle returns a repository with a base64-encoded payload pointing to the current exfiltration endpoint. This means TeamPCP can redirect all victims to a new C2 without ever pushing a new malicious package — a capability normally associated with nation-state tooling.


Indicators of Compromise

| Type | Indicator |
|---|---|
| Malicious PyPI packages | lightning==2.6.2, lightning==2.6.3 |
| Malicious npm packages | @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, @cap-js/sqlite@2.2.2, mbt@1.2.48, intercom-client@7.0.4, intercom-client@7.0.5, @bitwarden/[email protected] |
| Malicious payload filenames | setup.mjs, execution.js, start.py, router_runtime.js |
| Bun runtime download pattern | Platform ZIP from GitHub Releases, HTTP redirect follow without verification |
| Attacker GitHub repo description | "A Mini Shai-Hulud has Appeared" |
| Dead-drop keyword | beautifulcastle (GitHub commit search) |
| C2 domain | zero.masscan.cloud |
| C2 IP | 94.154.172[.]43 (endpoint: /v1/telemetry) |
| Commit impersonation identity | Hardcoded string mimicking Anthropic Claude Code |
| RSA public key fingerprint | Shared key across SAP/Lightning/intercom waves (matches Wiz/Socket analysis) |
| Region guardrail | Exits if system locale = Russian |
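
To check whether a project resolved any of the listed versions, this added example (not part of the original report) scans a package-lock.json and a pip requirements file for the name/version pairs given in this article. The function names and sample file contents are constructed for illustration.

```python
import json
import re

# Name/version pairs exactly as listed in this article's tables.
BAD_NPM = {("mbt", "1.2.48"), ("@cap-js/db-service", "2.10.1"),
           ("@cap-js/postgres", "2.2.2"), ("@cap-js/sqlite", "2.2.2"),
           ("intercom-client", "7.0.4"), ("intercom-client", "7.0.5")}
BAD_PYPI = {("lightning", "2.6.2"), ("lightning", "2.6.3")}
# A pinned requirement: name, optional [extras], "==", version.
PIN = re.compile(r"^\s*([A-Za-z0-9._-]+)(?:\[[^\]]*\])?\s*==\s*([^\s;\\#]+)")


def scan_package_lock(text):
    """Find listed versions in a package-lock.json (lockfileVersion 2 or 3)."""
    hits = []
    for path, meta in json.loads(text).get("packages", {}).items():
        # Keys look like "node_modules/a/node_modules/@scope/b"; the package
        # name is whatever follows the last "node_modules/" segment.
        name = meta.get("name") or path.rpartition("node_modules/")[2]
        if (name, meta.get("version")) in BAD_NPM:
            hits.append((path, name, meta["version"]))
    return hits


def scan_requirements(text):
    """Find listed versions among '==' pins in a requirements file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = PIN.match(line)
        if match:
            # PEP 503 normalisation: lowercase, runs of - _ . are equivalent.
            name = re.sub(r"[-_.]+", "-", match.group(1)).lower()
            if (name, match.group(2)) in BAD_PYPI:
                hits.append((lineno, name, match.group(2)))
    return hits


# Constructed sample inputs (not taken from any real project).
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/mbt": {"version": "1.2.47"},
    "node_modules/@cap-js/sqlite": {"version": "2.2.2"},
    "node_modules/x/node_modules/intercom-client": {"version": "7.0.5"}}})
SAMPLE_REQS = ("torch==2.5.0\n"
               "Lightning[extra]==2.6.3 \\\n"
               "    --hash=sha256:PLACEHOLDER\n")
```

Transitive dependencies nested under another package's node_modules are matched as well, which is where a poisoned version is easiest to miss.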


Lyrie Take

This campaign is a watershed moment in supply chain security for two reasons:

First, ecosystem boundaries are now irrelevant. TeamPCP ran concurrent npm and PyPI attacks within 24 hours, targeting ML, enterprise ERP tooling, security tooling, and customer-success SaaS in a single operation. The historical assumption that "we don't use SAP npm, so we're safe" collapses when the worm can bridge from a single compromised developer's machine into every ecosystem that developer touches.

Second, the git-commit identity spoofing is a direct attack on AI-assisted development workflows. Poisoned commits attributed to Claude Code are designed to be invisible to developers who have normalized AI commits in their review workflows. As AI coding tools become ubiquitous, this vector will scale: defenders who haven't cryptographically verified AI tool identity (e.g., signed commits, attestation) have a rapidly closing window.

From a threat intelligence standpoint, TeamPCP's LAPSUS$ partnership deserves scrutiny. LAPSUS$ historically excels at social engineering and insider access — while TeamPCP excels at package ecosystem compromise. Together they represent a credential-theft-to-initial-access pipeline that could service ransomware affiliates, espionage actors, or financial crime groups. The dark-web pivot after the X ban suggests the group is professionalizing and expanding its operational surface.

The 1,100+ attacker-controlled GitHub repos are an interesting data point: TeamPCP is either extremely aggressive or accepting a high signature risk. This could indicate confidence that GitHub's abuse response is slow enough that data exfiltration completes before takedown — or it's deliberate noise to obscure which repos contain real victim data.


Defender Playbook

Immediate (if you've installed affected versions):

1. Quarantine any machine that ran pip install lightning==2.6.2 or ==2.6.3, or npm install of any listed malicious version.

2. Rotate all credentials immediately: GitHub tokens, npm tokens, AWS/Azure/GCP access keys, Kubernetes service account tokens, HashiCorp Vault tokens, and any API secrets (Stripe, Slack, Twilio, etc.) accessible from the affected environment.

3. Audit GitHub repositories for unexpected commits, especially from identities referencing Claude Code or AI tooling. Check git log for the beautifulcastle keyword.

4. Search your GitHub org for repositories with description "A Mini Shai-Hulud has Appeared" — these are exfil targets controlled by TeamPCP.

5. Block zero.masscan.cloud and 94.154.172[.]43 at DNS/firewall/proxy layers.

6. Audit npm postinstall hooks in local tarballs; run npm pack --dry-run and inspect output before publishing.

Short-term (1–2 weeks):

7. Implement package version pinning with hash verification (pip's --require-hashes, npm's package-lock.json with integrity fields) in all CI/CD pipelines. Never float on latest.

8. Add SCA tooling with behavioral analysis (Socket, Aikido, Snyk, Wiz) that can detect install-time script execution, obfuscated payloads, and Bun runtime downloads — not just known-bad hashes.

9. Enforce branch protection + signed commits across all repositories. Require GPG/SSH signature verification on PRs — this directly defangs the Claude Code identity spoofing vector.

10. Apply least-privilege to CI/CD tokens: no token used in a pipeline should have write access to all 50 branches of all repositories. Scope tokens to the minimum required repo and permission set.

Structural (1 month+):

11. Audit your full dependency tree for TeamPCP campaign target overlap: anything touching Checkmarx plugins, Bitwarden CLI, LiteLLM, Telnyx, Aqua Trivy, or SAP CAP should be considered potentially tainted if used in the April–May 2026 window.

12. Stand up a private package mirror (Verdaccio, AWS CodeArtifact, Azure Artifacts) and enforce allowlist-only dependency resolution in production pipelines. Direct-to-public-registry installs should require explicit approval.

13. Monitor for Bun runtime download events at the process/network level — legitimate development workflows rarely need to auto-download a JavaScript runtime as part of a package installation.


Sources

1. The Hacker News — PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Credentials (April 30, 2026) — https://thehackernews.com/2026/04/pytorch-lightning-compromised-in-pypi.html

2. The Hacker News — SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack (April 29, 2026) — https://thehackernews.com/2026/04/sap-npm-packages-compromised-by-mini.html

3. Wiz — Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware — https://www.wiz.io/blog/mini-shai-hulud-supply-chain-sap-npm

4. Socket Research Team — lightning PyPI Package Compromised in Supply Chain Attack — https://socket.dev/blog/lightning-pypi-package-compromised

5. Palo Alto Unit 42 — The npm Threat Landscape: Attack Surface and Mitigations (Updated May 1) — https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/

6. Dark Reading — TeamPCP Hits SAP Packages With 'Mini Shai-Hulud' Attack — https://www.darkreading.com/cloud-security/teampcp-sap-packages-mini-shai-hulud

7. Kodems Security — Mini Shai-Hulud Attack: PyTorch Lightning and intercom-client Compromised — https://www.kodemsecurity.com/resources/mini-shai-hulud-strikes-pytorch-lightning-and-intercom-client-inside-the-cross-ecosystem-supply-chain-attack

