A sweeping supply chain attack dubbed "Mini Shai-Hulud," linked to the TeamPCP hacking group, has compromised over 1,800 developer repositories since April 29. Malicious versions of SAP npm packages, the Lightning PyPI package (v2.6.2–2.6.3), the intercom-client npm package (v7.0.4–7.0.5), and intercom-php (v5.0.2) were injected with credential-stealing malware. The malware harvests AWS keys, API tokens, VPN credentials, crypto wallet data, and more, exfiltrating them to GitHub repositories and a dedicated domain. The payload also actively scans Kubernetes environments and HashiCorp Vault secrets. With the affected packages totaling nearly 30 million downloads combined, the blast radius could grow significantly.
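As an added triage check (written for this page, not code from the SecurityWeek report or from any of the affected projects), the following Python script flags lockfile pins that fall inside the version ranges the item names. It assumes the PyPI package name `lightning` and the Packagist name `intercom/intercom-php`; the SAP packages are left out because the item does not name them.

```python
import json
import re

# (ecosystem, package) -> affected versions, exactly as stated in the report.
# Package names are assumptions; the report names only "Lightning" and "intercom-php".
AFFECTED = {
    ("pypi", "lightning"): {"2.6.2", "2.6.3"},
    ("npm", "intercom-client"): {"7.0.4", "7.0.5"},
    ("composer", "intercom/intercom-php"): {"5.0.2"},
}

def _hit(eco, name, version):
    # composer.lock records tagged versions as "v5.0.2"; normalise the prefix
    return version.lstrip("v") in AFFECTED.get((eco, name), set())

def check_npm_lock(text):
    """Hits in a package-lock.json; reads the lockfileVersion 2/3 'packages' map."""
    hits = []
    for path, meta in json.loads(text).get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if _hit("npm", name, meta.get("version", "")):
            hits.append((name, meta["version"]))
    return hits

def check_requirements(text):
    """Hits in a requirements.txt / pip freeze listing (only '==' pins are checked)."""
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;]*)", line)
        if m and _hit("pypi", m.group(1).lower().replace("_", "-"), m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

def check_composer_lock(text):
    """Hits in a composer.lock ('packages' and 'packages-dev' lists)."""
    lock = json.loads(text)
    hits = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if _hit("composer", pkg.get("name", ""), pkg.get("version", "")):
            hits.append((pkg["name"], pkg["version"]))
    return hits

# Constructed sample inputs so the script runs stand-alone.
SAMPLE_NPM_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app", "version": "1.0.0"},
    "node_modules/intercom-client": {"version": "7.0.5"},
    "node_modules/left-pad": {"version": "1.3.0"}}})
SAMPLE_REQUIREMENTS = "requests==2.32.3\nlightning[extra]==2.6.2  # pinned\nlightning-utilities==0.11.0\n"
SAMPLE_COMPOSER_LOCK = json.dumps({"packages": [{"name": "intercom/intercom-php", "version": "v5.0.2"}]})

if __name__ == "__main__":
    print("npm:", check_npm_lock(SAMPLE_NPM_LOCK))
    print("pypi:", check_requirements(SAMPLE_REQUIREMENTS))
    print("composer:", check_composer_lock(SAMPLE_COMPOSER_LOCK))
```

A hit only means a pinned version is in the reported range; rotating the credentials the item lists (AWS keys, API tokens, VPN and wallet secrets) is the response step, not just removing the package.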
Source: SecurityWeek