SECURITYWEEK reports that over 1,800 developers were affected in the Mini Shai-Hulud supply chain attack targeting the PyPi, NPM and PHP ecosystems, with the Lightning and Intercom packages bearing the impact and together generating almost 10 million monthly downloads.
The campaign, attributed to the TeamPCP hacking group, was first spotted on 29 April after malicious SAP NPM packages delivered information-stealing malware and attempted to propagate to other packages, with the malware collecting credentials, keys, tokens and other secrets and publishing them to GitHub repositories bearing the description “A Mini Shai-Hulud has Appeared”.
According to Ox Security, more than 1,800 repositories containing stolen developer credentials have been created as part of the Mini Shai-Hulud attacks, and the Lightning PyPi package versions 2.6.2 and 2.6.3 and the intercom-client NPM package versions 7.0.4 and 7.0.5 were injected with the information stealer. Wiz notes that the intercom-php package was also compromised via Packagist, with intercom-php having over 20 million lifetime downloads.