
The never-ending supply chain attacks worm into SAP npm packages, other dev tools

The cybercrime group TeamPCP has launched a widespread supply chain attack, injecting credential-stealing malware into popular SAP, Intercom, and Lightning packages that are installed in developer workstations, CI/CD pipelines, and cloud environments.

Key Points

  • The "Mini Shai-Hulud" campaign targets npm and PyPI packages to steal sensitive credentials, including AWS, Azure, GCP, and Kubernetes tokens.
  • Compromised SAP packages include mbt, @cap-js/db-service, @cap-js/postgres, and @cap-js/sqlite, which collectively see over 572,000 weekly downloads.
  • The attack also affected the Intercom SDK (intercom-client) and the deep learning framework Lightning (versions 2.6.2 and 2.6.3).
  • The malicious code runs automatically when a compromised package is installed or imported, so no call into the library is needed; stolen data is exfiltrated as encrypted payloads posted to public GitHub repositories.
  • Security firms Wiz and Socket attribute the campaign to TeamPCP, a group previously linked to attacks on Checkmarx, Bitwarden, and Aqua Security.
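A first triage step for a practitioner is to check whether any of the package names above appear in a project's lock files. The script below is an added example, not code from The Register, Wiz, Socket, or the affected vendors: it scans an npm package-lock.json (lockfile v2/v3 "packages" layout, with a v1 "dependencies" fallback) and a pip freeze listing for the names given in this summary. The summary names no affected versions for the npm packages, so every pinned version of those names is flagged for review, whereas only Lightning 2.6.2 and 2.6.3 are flagged on the PyPI side. The lock file and freeze output embedded below are constructed sample input; their version numbers are placeholders.

```python
"""Triage dependency manifests against the package names in this summary.

Added example, not from the article or the vendors it names. The npm and PyPI
package names and the Lightning versions come from the summary; the sample
lock file and pip freeze output below are constructed, and their npm version
numbers are placeholders (the summary gives no affected npm versions).
"""
import json
import re

# npm packages the summary names as compromised. No version list is given,
# so any pinned version of these names is reported for manual review.
COMPROMISED_NPM = {
    "mbt",
    "@cap-js/db-service",
    "@cap-js/postgres",
    "@cap-js/sqlite",
    "intercom-client",
}

# PyPI package and the exact versions the summary names.
COMPROMISED_PYPI = {"lightning": {"2.6.2", "2.6.3"}}


def _npm_name_from_path(path):
    # Lockfile v2/v3 keys look like "node_modules/@cap-js/sqlite" or, for a
    # nested copy, "node_modules/a/node_modules/@cap-js/sqlite". The text after
    # the last "node_modules/" is the package name, scope included.
    return path.split("node_modules/")[-1]


def scan_package_lock(lock_text):
    """Return sorted (name, version) pairs found in a package-lock.json whose
    name is in COMPROMISED_NPM. Handles lockfileVersion 2/3 and falls back to
    the v1 top-level "dependencies" map."""
    lock = json.loads(lock_text)
    hits = set()
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself, not a dependency
        name = _npm_name_from_path(path)
        if name in COMPROMISED_NPM:
            hits.add((name, entry.get("version", "?")))
    for name, entry in lock.get("dependencies", {}).items():  # lockfile v1
        if name in COMPROMISED_NPM:
            hits.add((name, entry.get("version", "?")))
    return sorted(hits)


def _normalize_pypi(name):
    # PEP 503 normalisation: lower-case, runs of "-", "_" and "." become "-".
    return re.sub(r"[-_.]+", "-", name.lower())


def scan_pip_freeze(freeze_text):
    """Return sorted (name, version) pairs from `pip freeze` output that match
    a compromised PyPI package at one of the named versions."""
    hits = set()
    for line in freeze_text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.\-]+)==([^\s;]+)", line)
        if not m:
            continue  # comments, editable installs, URL pins, blank lines
        name, version = _normalize_pypi(m.group(1)), m.group(2)
        if name in COMPROMISED_PYPI and version in COMPROMISED_PYPI[name]:
            hits.add((name, version))
    return sorted(hits)


def triage(lock_text, freeze_text):
    """Combine both scans into one report dict for CI or a ticket."""
    return {"npm": scan_package_lock(lock_text), "pypi": scan_pip_freeze(freeze_text)}


# Constructed sample input. The npm versions are placeholders only.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"@cap-js/sqlite": "^1.0.0"}},
        "node_modules/@cap-js/sqlite": {"version": "1.0.0"},
        "node_modules/@cap-js/db-service": {"version": "1.0.0"},
        "node_modules/express": {"version": "4.19.2"},
    },
})

SAMPLE_FREEZE = """\
Lightning==2.6.3
lightning-utilities==0.11.0
torch==2.4.0
"""

if __name__ == "__main__":
    for ecosystem, found in triage(SAMPLE_LOCK, SAMPLE_FREEZE).items():
        for name, version in found:
            print(f"REVIEW {ecosystem}: {name}=={version}")
```

Run it against a real repository by reading package-lock.json and the output of `pip freeze` into the two scan functions; a hit on the npm side means "this name is in the lock file, confirm the version against the vendor's advisory", not "this version is known malicious", because the summary does not list npm versions.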

Why it Matters

These attacks demonstrate a significant escalation in supply chain threats by targeting the foundational tools used in CI/CD pipelines and cloud development. By compromising widely used SDKs and frameworks, attackers can gain unauthorized access to enterprise-level cloud secrets and developer environments on a massive scale.
Theregister.com Published by Jessica Lyons