Malware Campaign Targets Developer Environments in Global Credential Theft Operation
AI-generated from multiple sources. Verify before acting on this reporting.
A sophisticated credential-stealing malware campaign has compromised several SAP-related npm packages, targeting developer environments and continuous integration pipelines across the globe. The attack, identified as 'Mini Shai-Hulud,' was detected on April 29, 2026, and appears to be linked to a threat actor previously associated with TeamPCP operations.
Security researchers confirmed that the campaign successfully infiltrated the account of RoshniNaveenaS and compromised a static npm token belonging to 'cloudmtabot.' The malware is designed to harvest local developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud access keys from major providers including Amazon Web Services, Microsoft Azure, Google Cloud Platform, and Kubernetes systems.
The operation specifically targets systems configured with a Russian locale, suggesting a focused effort on specific regional developer communities or infrastructure. The compromised npm packages serve as a distribution mechanism, allowing the malicious code to execute within the build and deployment processes of unsuspecting organizations.
The attack vector exploits the trust inherent in package management systems. When developers install the compromised packages, the malware activates, scanning for stored credentials and authentication tokens. It then exfiltrates this data to command-and-control servers, potentially granting attackers access to sensitive code repositories, cloud infrastructure, and production environments.
This incident marks a significant escalation in supply chain attacks against the software development ecosystem. Unlike previous attacks that targeted end-user systems, this campaign focuses on the tools and infrastructure used to build and deploy software. The compromise of CI/CD pipelines means that any application built using the infected packages could be tainted, potentially spreading the malware further down the supply chain.
The threat actor's methodology mirrors techniques seen in prior TeamPCP operations, including the use of static tokens and targeted account compromises. However, the scope of this campaign is broader, encompassing multiple cloud providers and container orchestration platforms. The use of the 'Mini Shai-Hulud' moniker suggests a possible connection to previous operations, though the exact relationship remains unconfirmed.
Organizations are urged to audit their npm dependencies and rotate all compromised credentials immediately. Security teams should monitor for unusual activity in developer environments, particularly those with Russian locale settings. The incident highlights the growing vulnerability of software supply chains and the increasing sophistication of threat actors targeting the development lifecycle.
As of now, the full extent of the compromise remains unknown. It is unclear how many organizations have been affected or whether the stolen credentials have been used for further intrusions. The threat actor's ultimate objectives beyond credential harvesting are also not yet clear. Security experts continue to investigate the scope of the attack and the potential for lateral movement within compromised networks.