TeamPCP Escalates Mini Shai-Hulud Campaign to SAP npm and PyTorch Lightning

AI relevance: The same threat actor targeting AI-adjacent developer tooling (AI coding assistants, ML frameworks like PyTorch Lightning) with automated credential-stealing malware that propagates through compromised developer tokens — directly threatening the supply chain of AI model training and deployment pipelines.

What happened

The TeamPCP threat group's "Mini Shai-Hulud" operation escalated rapidly across two days, compromising packages in both the npm and PyPI ecosystems:

  • April 29 — SAP npm packages: Four SAP Cloud Application Programming (CAP) ecosystem packages were trojanized with malicious preinstall scripts: mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, and @cap-js/sqlite@2.2.2. The entry point appears to be an npm token exposed to CircleCI pull-request builds on the SAP cloud-mta-build-tool repository.
  • April 30 — PyPI (PyTorch Lightning): Versions 2.6.2 and 2.6.3 of the popular PyTorch Lightning framework (31,100+ GitHub stars) were published with a hidden _runtime directory containing a downloader and obfuscated JavaScript payload. The execution chain triggers automatically when the lightning module is imported — no additional user action required. PyPI administrators have quarantined the project.
  • April 30 — intercom-client npm: Version 7.0.5 was published with the same malicious functionality as the SAP operation.

How the malware works

The campaign uses a multi-stage Bun-based payload shared across all compromised packages:

  • A preinstall hook (npm) or import-time execution (PyPI) runs a loader script (setup.mjs / start.py)
  • The loader downloads the Bun JavaScript runtime from GitHub Releases and executes an obfuscated 11.7 MB payload (execution.js / router_runtime.js)
  • The payload harvests developer credentials: GitHub tokens, npm tokens, GitHub Actions secrets, AWS/Azure/GCP cloud secrets, Kubernetes tokens, and AI coding assistant credentials
  • Stolen data is encrypted with AES-256-GCM and exfiltrated to public GitHub repositories created on the victim's own account, using descriptions like "A Mini Shai-Hulud has Appeared" or "Checkmarx Configuration Storage"
  • The malware includes propagation logic to infect additional repositories using compromised tokens, including poisoning victim-owned GitHub repos if only GitHub App tokens (not PATs) are present
  • The payload checks system locale for Russian language settings and self-terminates if detected — consistent with previous TeamPCP operations
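
The two entry points above (an npm lifecycle hook, and a hidden _runtime directory that runs at import time) are things a defender can look for on disk. The script below is an added example, not code from this write-up or from SAP, Lightning AI or Wiz: it walks a node_modules tree for preinstall/install/postinstall scripts and a site-packages tree for a _runtime directory inside the lightning package. The setup.mjs loader name and the _runtime directory name come from the write-up; the on-disk package name lightning, and the sample tree the script builds to demonstrate itself, are assumptions/constructed.

```python
"""Detection helper for the two entry points described above: npm lifecycle
hooks in a node_modules tree and a hidden _runtime directory inside an
installed lightning package. Added example, not code from the write-up or
from any of the projects it names; the sample tree it builds is constructed."""
import json
import sys
import tempfile
from pathlib import Path

# npm runs these automatically on `npm install`; the SAP packages used preinstall.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def scan_node_modules(root):
    """Return (package, hook, command) for every lifecycle script under root."""
    findings = []
    for pkg_json in sorted(Path(root).rglob("package.json")):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # unreadable or malformed manifest: skip, do not abort the scan
        if not isinstance(data, dict):
            continue
        scripts = data.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                findings.append((data.get("name", pkg_json.parent.name), hook, scripts[hook]))
    return findings


def scan_site_packages(root, package="lightning", marker="_runtime"):
    """Return every `marker` directory found inside `package` under a site-packages
    root. The marker name is from the write-up; the package directory name is assumed."""
    pkg_dir = Path(root) / package
    if not pkg_dir.is_dir():
        return []
    return sorted(str(p) for p in pkg_dir.rglob(marker) if p.is_dir())


def build_sample_tree(base):
    """Construct a sample layout: one clean npm package, one with a preinstall
    hook, and a fake lightning install that carries a _runtime directory."""
    base = Path(base)
    nm = base / "node_modules"
    (nm / "clean-pkg").mkdir(parents=True)
    (nm / "clean-pkg" / "package.json").write_text(
        json.dumps({"name": "clean-pkg", "version": "1.0.0"}))
    (nm / "suspect-pkg").mkdir(parents=True)
    (nm / "suspect-pkg" / "package.json").write_text(json.dumps({
        "name": "suspect-pkg", "version": "9.9.9",
        "scripts": {"preinstall": "node setup.mjs"}}))  # loader file name from the write-up
    sp = base / "site-packages"
    (sp / "lightning" / "_runtime").mkdir(parents=True)
    (sp / "lightning" / "__init__.py").write_text("")
    return nm, sp


def demo():
    """Run both scans over the constructed tree; returns (hook findings, runtime dir count)."""
    with tempfile.TemporaryDirectory() as tmp:
        nm, sp = build_sample_tree(tmp)
        return scan_node_modules(nm), len(scan_site_packages(sp))


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: scan.py <node_modules dir> <site-packages dir>
        for name, hook, cmd in scan_node_modules(sys.argv[1]):
            print(f"lifecycle hook: {name} {hook}: {cmd}")
        for path in scan_site_packages(sys.argv[2]):
            print(f"hidden runtime dir: {path}")
    else:
        print(demo())
```

Every lifecycle hook the scan reports is worth reading, not just the ones whose command mentions setup.mjs; many legitimate packages carry install scripts, so the output is a review list rather than a verdict.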

AI ecosystem impact

PyTorch Lightning is a foundational ML training framework used across the AI/ML community. Compromised packages in this ecosystem are particularly dangerous because:

  • ML researchers and engineers routinely install packages in environments with cloud GPU access and storage credentials
  • The import-time execution on PyPI means the malware runs as a side effect of a normal import lightning statement, a line found in virtually every ML training script
  • Wiz attributes the campaign to TeamPCP based on shared RSA keys, encoding routines, and region guardrails with their earlier Bitwarden CLI and Checkmarx supply-chain compromises
  • More than 1,100 attacker-created GitHub exfiltration repositories have been identified so far

Why it matters

This is the third Shai-Hulud lineage operation (following Shai-Hulud 1.0 and 2.0), and it demonstrates a maturing supply-chain playbook: the attacker moves laterally across package ecosystems (npm → PyPI → npm again) within hours, using the same credential-stealing infrastructure. The targeting of ML frameworks like PyTorch Lightning specifically threatens AI model training infrastructure where developers routinely store cloud GPU credentials, training data access keys, and model registry tokens.

What to do

  • Audit installed packages: Check for the compromised versions of mbt, @cap-js/db-service, @cap-js/postgres, @cap-js/sqlite, lightning, and intercom-client
  • Rotate credentials immediately: If any compromised versions were installed, rotate all GitHub tokens, npm tokens, cloud provider credentials, Kubernetes tokens, and GitHub Actions secrets on affected machines
  • Check for exfiltration repos: Search your GitHub account for repositories with descriptions matching "A Mini Shai-Hulud has Appeared" or similar naming patterns
  • Pin CI/CD token exposure: Review CircleCI, GitHub Actions, and other CI/CD configurations to ensure tokens are not exposed to pull-request builds
  • Use package integrity tools: Deploy tools like Socket, Aikido, or OX Security to detect preinstall hooks and anomalous package behavior before installation
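
The first three steps (audit versions, rotate if hit, look for exfiltration repos) can be scripted. The following is an added example, not code from this write-up or from any vendor named in it: it checks a package-lock.json and the output of pip list --format=json against the versions listed above, and filters a repository list (as produced by gh repo list OWNER --json name,description --limit 1000) for the reported descriptions. The JSON inputs embedded in it are constructed stand-ins; the compromised version list and the description strings are the ones the write-up gives.

```python
"""Triage helpers for the indicators listed above: compromised package versions
and attacker-created exfiltration repositories. Added example, not code from the
write-up or from any vendor; the JSON inputs below are constructed stand-ins for
real npm/pip/gh output."""
import json
import sys

# Versions the write-up names as trojanized, keyed by ecosystem.
COMPROMISED = {
    "npm": {
        "mbt": {"1.2.48"},
        "@cap-js/db-service": {"2.10.1"},
        "@cap-js/postgres": {"2.2.2"},
        "@cap-js/sqlite": {"2.2.2"},
        "intercom-client": {"7.0.5"},
    },
    "pypi": {"lightning": {"2.6.2", "2.6.3"}},
}

# Descriptions the write-up reports on the exfiltration repos (matched case-insensitively).
EXFIL_MARKERS = ("a mini shai-hulud has appeared", "checkmarx configuration storage", "shai-hulud")


def check_package_lock(lock_text):
    """Return 'npm:name@version' for every compromised version in a package-lock.json
    (lockfileVersion 2/3 'packages' map; nested node_modules paths are handled)."""
    lock = json.loads(lock_text)
    hits = set()
    for path, meta in (lock.get("packages") or {}).items():
        if not path:
            continue  # "" is the root project itself
        name = meta.get("name") or path.split("node_modules/")[-1]
        if meta.get("version") in COMPROMISED["npm"].get(name, ()):
            hits.add(f"npm:{name}@{meta['version']}")
    return sorted(hits)


def check_pip_list(pip_json_text):
    """Return 'pypi:name==version' hits from `pip list --format=json` output."""
    hits = []
    for entry in json.loads(pip_json_text):
        name = entry["name"].lower().replace("_", "-")  # normalise like PyPI does
        if entry["version"] in COMPROMISED["pypi"].get(name, ()):
            hits.append(f"pypi:{name}=={entry['version']}")
    return sorted(hits)


def find_exfil_repos(repos):
    """Return names of repos whose description matches a known marker.
    `repos` is a list of {"name", "description"} records."""
    flagged = []
    for repo in repos:
        desc = (repo.get("description") or "").lower()
        if any(marker in desc for marker in EXFIL_MARKERS):
            flagged.append(repo["name"])
    return sorted(flagged)


# Constructed sample inputs: one hit per source, plus entries that must not match.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@cap-js/sqlite": {"version": "2.2.2"},      # listed version
        "node_modules/@cap-js/postgres": {"version": "2.1.0"},    # not a listed version
        "node_modules/example-lib": {"version": "4.0.0"},
    },
})
SAMPLE_PIP = json.dumps([
    {"name": "lightning", "version": "2.6.3"},
    {"name": "example-pkg", "version": "1.2.0"},
])
SAMPLE_REPOS = [
    {"name": "my-project", "description": "internal tooling"},
    {"name": "cfg-store-8f2a", "description": "Checkmarx Configuration Storage"},
    {"name": "notes", "description": None},
]


def triage(lock_text=SAMPLE_LOCK, pip_text=SAMPLE_PIP, repos=SAMPLE_REPOS):
    """Combine the three checks into one report."""
    return {
        "packages": sorted(check_package_lock(lock_text) + check_pip_list(pip_text)),
        "exfil_repos": find_exfil_repos(repos),
    }


if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: triage.py package-lock.json pip-list.json repos.json
        lock, pip_json, repos = (open(p, encoding="utf-8").read() for p in sys.argv[1:])
        print(json.dumps(triage(lock, pip_json, json.loads(repos)), indent=2))
    else:
        print(json.dumps(triage(), indent=2))
```

A non-empty "packages" list means the install-time or import-time hook may already have run on that machine, so the credential rotation step applies to it regardless of whether an exfiltration repo shows up; the repo check only catches the case where the payload reached the GitHub stage and the repo has not since been removed.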

Sources