TeamPCP Hacking Group Launches Mini Shai-Hulud Attack Affecting 1,800 Developers
A supply chain attack known as Mini Shai-Hulud has impacted over 1,800 developers by targeting the PyPI, npm, and PHP ecosystems. The attack, attributed to the TeamPCP hacking group, was first identified on April 29. It involved malicious versions of four SAP npm packages that delivered information-stealing malware. The malware collected sensitive data such as credentials, keys, and tokens from infected machines and published it to GitHub repositories. The attack also compromised the Lightning PyPI package and the intercom-client npm package, which have a combined monthly download count of nearly 10 million. The campaign is a continuation of the Shai-Hulud attacks from late 2025 and has expanded to include the intercom-php package on Packagist. The attack infrastructure included a domain for data exfiltration and a dynamic fallback mechanism for command-and-control operations.