Experts say supply chain attacks compromised SAP and Intercom npm packages, plus the PyPI package Lightning, in a campaign that calls itself Mini Shai-Hulud

The wave of supply chain attacks aimed at security and developer tools has washed up more victims, namely SAP and Intercom npm packages, plus the lightning PyPI package.

The Register, by Jessica Lyons

Discussion

  • @mattjay Matt Johansen on x
    If your team touches npm or PyPI - literally number 1 priority should be figuring out your playbook of defenses and response to these supply chain attacks. The threat actors aren't slowing down and they're SCREAMING their MO from the rooftops. Lock it down.
  • @moshetov Moshe Siman Tov Bustan on x
    🚨 Breaking: SAP NPM Packages Breached 🚨 SAP NPM packages were hijacked to deliver the next-gen of Shai-Hulud malware, dubbed “A Mini Shai-Hulud has appeared” We found over 1,200 public repositories with stolen credentials on GitHub, showing that the attack was successful and …
  • @aikidosecurity @aikidosecurity on x
    🚨 Popular Python package lightning was compromised an hour ago. It's already quarantined by PyPI. What we know so far: - Versions 2.6.2 and 2.6.3 are compromised - Looks connected to Mini shai hulud stealer/worm attack on SAP and Bitwarden More details soon.
  • @socketsecurity @socketsecurity on x
    Update: Socket confirmed the Intercom compromise began with a local install of pyannote-audio, which pulled in compromised PyPI lightning as a transitive dependency. 🤯 That single install kicked off a chain of compromises: PyPI lightning → npm intercom-client → Packagist
  • @_johnhammond John Hammond on x
    i should probably add to the noise and earn internet points like everybody else screaming about copy dot fail or mini shai hulud or cpanel hacks or github rce or password manager pwnage or codex goblins or zomg ai or whatever else is ‼️🚨BREAKING🚨‼️today but i'm just tired man
  • @feross @feross on x
    🚨 Active supply chain attack hitting SAP's CAP ecosystem on npm. Four packages tied to SAP's Cloud Application Programming Model just shipped versions with a new preinstall script that downloads and executes a platform-specific binary. These packages never required this before …
  • @feross @feross on x
    🚨 Two major supply chain attacks today, hitting both PyPI and npm simultaneously. Socket detected and confirmed malicious code in lightning versions 2.6.2 and 2.6.3 on PyPI, and intercom-client version 7.0.4 on npm. Both attacks use nearly identical tooling. Both are live right …
  • @wiz_io @wiz_io on x
    📢 Supply chain update: npm install may hide malware. “mini Shai Hulud” targets SAP npm packages via preinstall scripts stealing CI/CD + cloud creds (AWS/Azure/GCP/K8s). Check, rotate creds, review CI. https://www.wiz.io/...
  • @feross @feross on x
    Update (April 30, 19:46:2): Intercom has confirmed to Socket that the root cause of the compromise was a local install of pyannote-audio, which introduced the compromised lightning package as a transitive dependency. That finding connects the attack chain across three
  • @socketsecurity @socketsecurity on x
    🚨 We've confirmed the intercom-client@7.0.4 was compromised in the ongoing Mini Shai-Hulud worm attack. The npm package includes a malicious preinstall hook that downloads and executes an unverified Bun binary, then runs an 11.7 MB obfuscated payload designed to steal …
  • @naderman Nils Adermann on x
    Thanks to @SocketSecurity for quickly alerting us, so we could take down malicious intercom packages. First time we saw malware mimicking post install scripts not available in PHP with a plugin. Fortunately requires user input to enable a plugin, so no automatic execution in CI.
  • @socketsecurity @socketsecurity on x
    🚨 BREAKING: Mini Shai-Hulud has spread to Packagist. We detected a malicious intercom/intercom-php@5.0.2 package artifact tied to this campaign. The compromised #PHP package used Composer plugin execution to run during install/update, download Bun, and launch an obfuscated …
  • @kuizinas @kuizinas on x
    There is a surge of supply chain attacks (and it is only going to get worse). If you are using pnpm, take these steps to protect yourself:
    * set minimumReleaseAge to 7 days
    * set blockExoticSubdeps to true
    * configure onlyBuiltDependencies
    npm / yarn have similar settings
  • @aikidosecurity @aikidosecurity on x
    A new npm supply-chain compromise is targeting SAP developer workflows. Mini Shai-Hulud follows a familiar pattern, but with a smaller package set and a serious secret-stealing payload built to hit developer machines and CI/CD environments. Affected packages we're tracking: …
  • @feross @feross on bluesky
    🚨 Supply chain attack: SAP CAP and Cloud MTA npm packages compromised to download and execute unverified binaries.
    Affected versions:
    → mbt@1.2.48
    → @cap-js/db-service@2.10.1
    → @cap-js/postgres@2.2.2
    → @cap-js/sqlite@2.2.2
    …
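Two of the posts above point at concrete defensive controls: the @feross post notes that the hijacked SAP packages "never required" a preinstall script before, and the @kuizinas post recommends a minimum release age before a new version is installed. The following is an added example, not code from the page or from any project or poster quoted on it; it shows how a CI pre-install gate can enforce both rules. The package metadata, timestamps, and the `reviewRelease` helper are constructed for illustration.

```javascript
// Added example (not from the page): a CI gate for a candidate dependency version.
//  1. Flag any install-time lifecycle hook that is new or changed since the last
//     version the lockfile trusted (a package suddenly shipping a preinstall script).
//  2. Refuse versions younger than a minimum release age, as pnpm's minimumReleaseAge does.
// All package metadata and timestamps below are constructed for illustration.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Return only the scripts that npm runs automatically during `npm install`.
function installHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return Object.fromEntries(
    Object.entries(scripts).filter(([name]) => INSTALL_HOOKS.includes(name))
  );
}

// Hooks that are new in `current`, or whose command changed since `previous`.
function changedInstallHooks(previous, current) {
  const before = installHooks(previous);
  return Object.entries(installHooks(current))
    .filter(([hook, cmd]) => before[hook] !== cmd)
    .map(([hook, cmd]) => ({ hook, cmd, isNew: !(hook in before) }));
}

// True when the version was published less than `minDays` before `now`.
function isTooFresh(publishedAt, now, minDays = 7) {
  const ageDays = (Date.parse(now) - Date.parse(publishedAt)) / 86400000;
  return ageDays < minDays;
}

// Gate decision: block when an install hook appeared or changed, or the release is too new.
// `previous` is the package.json of the version already in your lockfile; `current` is the candidate.
function reviewRelease(previous, current, publishedAt, now, minDays = 7) {
  const newHooks = changedInstallHooks(previous, current);
  const tooFresh = isTooFresh(publishedAt, now, minDays);
  return { newHooks, tooFresh, allow: newHooks.length === 0 && !tooFresh };
}

// Constructed sample: a package that only ever had a test script gains a preinstall step.
const TRUSTED = { name: "example-pkg", version: "1.0.0", scripts: { test: "node test.js" } };
const CANDIDATE = {
  name: "example-pkg",
  version: "1.0.1",
  scripts: { test: "node test.js", preinstall: "node scripts/setup.js" },
};

console.log(reviewRelease(TRUSTED, CANDIDATE, "2025-01-01T00:00:00Z", "2025-01-02T00:00:00Z"));
```

A new hook is a review trigger, not proof of compromise; the point is that a human, not `npm install`, decides whether the added script is legitimate.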