Mini Shai-Hulud, Supply Chain Compromise, PyPI, npm, Credential Stealer, PyTorch Lightning, SAP CAP, Intercom, TeamPCP, Bun Runtime
Source Material: Aikido Security, OX Security, Socket, StepSecurity, Sophos | Technology: Python (PyPI), Node.js (npm), Bun, GitHub Actions | Targeted Industries: Enterprise Developers, AI/ML Infrastructure, Cloud Operations
Executive Summary
An ongoing, multi-ecosystem software supply chain attack dubbed “Mini Shai-Hulud” has impacted the PyPI and npm registries between April 29 and April 30, 2026. The attackers have compromised several high-profile packages, most notably the widely used PyTorch Lightning framework, the intercom-client SDK, and various SAP Cloud Application Programming (CAP) tools. Upon installation or import, the malicious packages silently execute an 11 MB obfuscated JavaScript credential stealer that operates on the standalone Bun runtime.
This malware identifies and exfiltrates developer secrets, cloud credentials, cryptocurrency wallets, and IDE configurations. Stolen data is packaged, encrypted, and exfiltrated to attacker-controlled infrastructure and spoofed GitHub repositories. Furthermore, the malware possesses worm-like propagation capabilities, modifying a victim’s local npm package tarballs and bumping version numbers to infect downstream users if the victim subsequently publishes to the registry.
Due to the significant reach of the impacted packages, specifically PyTorch Lightning, which is widely used in Artificial Intelligence (AI) & Machine Learning (ML) projects, organizations must immediately audit their dependencies, block the compromised versions, and assume widespread credential compromise if the malicious packages were installed or deployed within their environments.
Threat Overview and Strategic Impact
The Mini Shai-Hulud campaign crosses traditional ecosystem boundaries, signifying a highly sophisticated threat actor, believed to be the financially motivated group TeamPCP. The attackers bypassed standard pipeline protections and leveraged hijacked maintainer accounts to publish malicious updates directly via CLI tools, rather than through source code repositories. This bypasses automated GitHub scanning and requires defenders to monitor registry artifacts directly.
Once a compromised package (e.g., Lightning versions 2.6.2 and 2.6.3, intercom-client 7.0.4, or affected @cap-js modules) is imported,, a hidden _runtime directory initiates a bootstrapper script (start.py). This script downloads the Bun JavaScript runtime to evade standard Python and Node.js monitoring tools. The Bun runtime then executes the primary payload (router_runtime.js), which comprehensively sweeps the local environment for over 130 types of secrets, including AWS/GCP/Azure keys, GitHub PATs, and .env files.
Stolen tokens are validated via APIs and exfiltrated through HTTPS (e.g., to zero[.]masscan[.]cloud) or by creating public “dead-drop” GitHub repositories on the victim’s account containing the description “A Mini Shai-Hulud has Appeared”. The worm then utilizes the stolen tokens to inject itself into other repositories and local npm packages, masquerading as legitimate AI assistant commits (e.g., Anthropic’s Claude Code) to further propagate the infection. This poses a significant immediate risk to enterprise infrastructure, as it grants threat actors highly privileged access across multiple cloud and development environments.
Security Hardening and Recommendations
Organizations must treat environments where these packages were installed as compromised. The following proactive hardening and remediation steps are recommended:
- Isolate and Audit: Search all dependency trees for Lightning (2.6.2, 2.6.3), intercom-client (7.0.4), and the affected SAP packages (@cap-js/sqlite 2.2.2, @cap-js/db-service 2.10.1, mbt 1.2.48). Disconnect any affected hosts immediately.
- Mandatory Credential Rotation: Revoke and rotate all secrets, SSH keys, cloud provider tokens, and GitHub/npm credentials that were accessible to the compromised host.
- Cache Purging: Roll back to known safe package versions (e.g., lightning 2.6.1) and aggressively clear all local package manager caches (npm cache clean –force, pip cache purge).
- Repository Integrity Checks: Audit your GitHub organizations for any rogue commits from [email protected] or new repositories matching the Mini Shai-Hulud description.
Detection Strategy
Security teams should monitor process execution logs for unauthorized instances of the Bun runtime, particularly when spawned by Python or Node.js parent processes. Additionally, look for anomalous outbound connections to unknown domains or excessive queries to the GitHub API validating tokens. File integrity monitoring should be configured to alert on unexpected modifications to .vscode/tasks.json or .claude/settings.json within developer workspaces.
How Deepwatch Protects Our Customers
Our Guardians are actively tracking the Mini Shai-Hulud campaign and will continue to identify IOCs and TTPs we can leverage in our alerting to protect our customers. The Security Operations Center (SOC) is continuously monitoring for malicious activity including anomalous Bun runtime execution, unauthorized secret access, and suspicious CI/CD pipeline activities, to rapidly contain potential threats within customer environments.
Relevant Detections
Please visit Security Center to access the relevant detections for this activity.
Threat Hunting Leads
- Search process execution logs for the unauthorized installation and execution of the Bun JavaScript runtime (bun or bun.exe), especially originating from temporary directories, package manager cache folders, or hidden _runtime directories executing the start.py bootstrapper or router_runtime.js payload..
- Hunt for the creation of local staging files such as Cloud.json or Environment.json which the malware uses to temporarily dump secrets before exfiltration.
- Audit GitHub enterprise environments for newly created public repositories with the exact description “A Mini Shai-Hulud has Appeared”, or unauthorized branch names like shai-hulud and dependabout/github_actions/format/setup-formatter.
- Review outbound DNS and network connections for the known exfiltration domain zero[.]masscan[.]cloud.
Technical Artifacts
Please visit Security Center to access the associated technical artifacts and IOCs.
Threat Object Mapping
Intrusion Set:
- TeamPCP
Attack Pattern (MITRE ATT&CK):
| Tactic | Technique | Technique ID | Associated Threat Activity |
| Initial Access | Supply Chain Compromise | T1195.002 | Attackers compromised the PyPI Lightning package and multiple npm packages to distribute the payload. |
| Execution | Command and Scripting Interpreter: JavaScript | T1059.007 | The malware leverages the Bun JavaScript runtime to execute the obfuscated stealer. |
| Credential Access | Credentials In Files | T1552.001 | The payload systematically harvests cloud credentials, GitHub PATs, and .env files from the host. |
| Defense Evasion | Obfuscated Files or Information | T1027 | The main JavaScript payload uses advanced string-array rotation and AES decryption to hide its intent. |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Stolen secrets are encrypted and exfiltrated to attacker-controlled infrastructure (e.g., zero[.]masscan[.]cloud. |
Vulnerabilities:
- This campaign leverages supply chain compromise and account takeovers rather than specific CVEs. Related weaknesses include:
- CWE-494 (Download of Code Without Integrity Check)
- CWE-522 (Insufficiently Protected Credentials)
Malware/Tool:
- Mini Shai-Hulud Worm
- TeamPCPCloudStealer variant
- Bun JavaScript Runtime
Share