Mini Shai-Hulud SAP Security Breach Impact Analysis
Over 1,800 Developers Affected by Mini Shai-Hulud Supply Chain Attack
A supply chain attack attributed to the TeamPCP hacking group has compromised packages in multiple prominent software ecosystems: PyPI, NPM, and PHP's Packagist.
Campaign Details
- The attack, dubbed Mini Shai-Hulud, has resulted in the theft of sensitive developer credentials and the creation of over 1,800 repositories containing stolen authentication data.
- The attack began on April 29, when malicious versions of four SAP NPM packages were discovered to be delivering information-stealing malware and attempting to propagate to other packages.
Malware Details
- The malware collects credentials, keys, tokens, and other secrets from the infected machines and publishes the data to GitHub repositories containing the hardcoded description “A Mini Shai-Hulud has Appeared.”
- The malware exfiltrates to dedicated infrastructure on the zero.masscan.cloud domain; outbound DNS lookups or HTTP requests for that domain are therefore a usable network indicator of infection.
According to Wiz, “the Lightning and Intercom payload implemented a dedicated infrastructure for data exfiltration, utilizing the zero.masscan.cloud domain. The code also incorporates a dynamic fallback mechanism that searches GitHub for commits containing specific strings to retrieve embedded command-and-control (C&C) commands.”
Compromised Packages
- Versions 2.6.2 and 2.6.3 of the Lightning Python package (PyPI) and versions 7.0.4 and 7.0.5 of the intercom-client NPM package were published with the information stealer injected.
- The supply chain attack expanded to Packagist through intercom-php version 5.0.2.
Recommendations
- Developers and system administrators should take immediate action: remove the compromised package versions, pin back to known-good releases, and review their systems for signs of infection. Because the malware harvests credentials, keys, and tokens, any secret that was present on an affected machine or CI runner should be treated as compromised and rotated.
- Blindly keeping dependencies at the latest release is exactly how these malicious versions get picked up; pinning dependencies with lockfiles, reviewing new releases before adopting them, and monitoring advisories for the packages in use help prevent similar attacks in the future.
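The compromised versions listed above and the recommendation to review systems for them lend themselves to a concrete check. The following script is an added example, not code from the advisory or from any of the affected projects: it scans `requirements.txt`/`pip freeze` output, `package-lock.json` (lockfile v1 and v2/v3 layouts), and `composer.lock` for the exact package versions named on this page. The only facts taken from the page are the package names and versions; the sample manifests are constructed for the demo, and Composer entries are matched on the part of the name after the vendor slash because the advisory gives only `intercom-php` (an assumption).

```python
"""Scan dependency manifests for the package versions named in the Mini
Shai-Hulud advisory. Added example; sample manifests are constructed."""
import json
import re

# (ecosystem, normalized package name) -> set of compromised versions, per the advisory.
COMPROMISED = {
    ("pypi", "lightning"): {"2.6.2", "2.6.3"},
    ("npm", "intercom-client"): {"7.0.4", "7.0.5"},
    ("packagist", "intercom-php"): {"5.0.2"},  # matched on the part after "vendor/" (assumption)
}


def _norm_pypi(name):
    # PEP 503 normalization: case-insensitive, runs of '-', '_', '.' collapse to '-'.
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_requirements(text):
    """Return hits for exactly pinned 'name==version' lines (requirements.txt or pip freeze)."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;]+)", line)
        if not m:
            continue  # unpinned or non-requirement line: nothing exact to compare
        name, version = _norm_pypi(m.group(1)), m.group(2)
        if version in COMPROMISED.get(("pypi", name), ()):
            hits.append(("pypi", name, version))
    return sorted(set(hits))


def scan_package_lock(text):
    """npm lockfile: v2/v3 'packages' keyed by node_modules path, v1 nested 'dependencies'."""
    lock = json.loads(text)
    hits = []

    def check(name, version):
        if version in COMPROMISED.get(("npm", name), ()):
            hits.append(("npm", name, version))

    for path, meta in lock.get("packages", {}).items():
        if path:  # '' is the root project itself, not a dependency
            check(path.rsplit("node_modules/", 1)[-1], meta.get("version", ""))

    def walk(deps):  # lockfileVersion 1 layout: nested 'dependencies' objects
        for name, meta in deps.items():
            check(name, meta.get("version", ""))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(set(hits))


def scan_composer_lock(text):
    """composer.lock: 'packages' and 'packages-dev' lists with 'name' and 'version'."""
    lock = json.loads(text)
    hits = []
    for entry in lock.get("packages", []) + lock.get("packages-dev", []):
        full = entry.get("name", "")
        short = full.split("/")[-1]  # advisory names only the package part, not the vendor
        version = entry.get("version", "").lstrip("v")  # Composer often tags as v5.0.2
        if version in COMPROMISED.get(("packagist", short), ()):
            hits.append(("packagist", full, version))
    return sorted(set(hits))


SCANNERS = {
    "requirements.txt": scan_requirements,
    "package-lock.json": scan_package_lock,
    "composer.lock": scan_composer_lock,
}


def scan_manifests(files):
    """files: {path: contents}. Returns sorted (path, ecosystem, name, version) findings."""
    findings = []
    for path, text in files.items():
        scanner = SCANNERS.get(path.rsplit("/", 1)[-1])
        if scanner:
            for eco, name, version in scanner(text):
                findings.append((path, eco, name, version))
    return sorted(set(findings))


# Constructed sample manifests (not real project files).
SAMPLE_FILES = {
    "api/requirements.txt": "requests==2.32.3\nLightning[extra]==2.6.2  # pinned\nnumpy>=1.26\n",
    "web/package-lock.json": json.dumps({
        "name": "web", "lockfileVersion": 3,
        "packages": {
            "": {"dependencies": {"intercom-client": "^7.0.0"}},
            "node_modules/intercom-client": {"version": "7.0.5"},
            "node_modules/lodash": {"version": "4.17.21"},
        },
    }),
    "php/composer.lock": json.dumps({
        "packages": [{"name": "intercom/intercom-php", "version": "v5.0.2"}],
        "packages-dev": [{"name": "phpunit/phpunit", "version": "10.5.0"}],
    }),
}

if __name__ == "__main__":
    for finding in scan_manifests(SAMPLE_FILES):
        print("COMPROMISED: %s -> %s %s %s" % finding)
```

Only exact version pins are compared, so an unpinned `lightning>=2.6` line produces no hit even though a fresh resolve could pull 2.6.2 or 2.6.3; on real projects, run the scan against the resolved lockfile or `pip freeze` output rather than against a loose specifier file.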