Supply Chain Attack "Mini Shai-Hulud" Hits 1,800 Developers Across SAP, Lightning, and Intercom

"Mini Shai-Hulud" attack by TeamPCP hits 1,800+ developer repos, injecting malware into SAP and intercom packages, risking major credential theft.

By Content Team

May 2, 2026

ON THIS PAGE

Share

---

ON THIS PAGE

Want more insights like this?

Subscribe to our newsletter to get the latest software protection strategies delivered to your inbox.

By submitting your email, you consent to Codekeeper contacting you and agree to our privacy policy.

A sweeping supply chain attack dubbed "Mini Shai-Hulud," linked to the TeamPCP hacking group, has compromised over 1,800 developer repositories since April 29. Malicious versions of SAP NPM packages, Lightning PyPi (v2.6.2–2.6.3), intercom-client NPM (v7.0.4–7.0.5), and intercom-php (v5.0.2) were injected with credential-stealing malware. The malware harvests AWS keys, API tokens, VPN credentials, crypto wallet data, and more, exfiltrating it to GitHub repos and a dedicated domain. The payload also actively scans Kubernetes environments and HashiCorp Vault secrets. With the affected packages totaling nearly 30 million downloads combined, the blast radius could grow significantly.

Source: SecurityWeek

Share this article

Have questions about protecting your software?

Our escrow experts are standing by to help.

Book a free demo

YOU MAY ALSO LIKE

Iranian Hackers Target US Medical Company in Cyber Retaliation

Mar 15, 2026

Critical FreeBSD Flaw Lets Attackers Take Full Root Control Over Your System

May 4, 2026

Cisco Drops 48 New Firewall Vulnerabilities, 2 Critical

Mar 6, 2026

Hightower Financial Services Hit by Data Breach Affecting 131,000 People

Mar 27, 2026