Attack Chain

1. Initial Compromise: Attackers compromise legitimate npm packages, such as @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt, by injecting malicious code.
2. Malicious Code Injection: Compromised packages receive two new files: setup.mjs and execution.js, along with a modified package.json containing a “preinstall” hook.
3. Execution of setup.mjs: During the npm install process, the preinstall hook executes setup.mjs, which detects the host OS and architecture.
4. Bun Runtime Download and Execution: setup.mjs downloads the Bun JavaScript runtime (v1.3.13) from GitHub releases and extracts it to a temporary directory.
5. Execution of execution.js: The Bun runtime executes execution.js, a large (11.7 MB) obfuscated credential stealer and propagation framework.
6. Credential Harvesting: execution.js harvests GitHub tokens, npm tokens, environment variables, GitHub Actions secrets, AWS STS identity, Azure Key Vault secrets, GCP Secret Manager values, and Kubernetes service account tokens. It also targets Claude and MCP configuration files and Electrum wallets.
7. Data Exfiltration: The collected data is compressed, encrypted, and exfiltrated to freshly created public GitHub repositories with randomized names and descriptions.
8. Propagation: The malware searches for commits containing the keyword “OhNoWhatsGoingOnWithGitHub,” decodes matching commit messages as a token dead-drop, recovers stolen GitHub tokens, and uses them to spread the malware to other packages.

Impact

Compromised npm packages can lead to the theft of sensitive credentials, including cloud provider credentials, GitHub tokens, and CI/CD secrets. Successful attacks can result in unauthorized access to cloud infrastructure, code repositories, and deployment pipelines. The Mini Shai-Hulud campaign targeted packages with approximately 570,000 weekly downloads, potentially impacting a large number of SAP developers and enterprise environments. The attackers use stolen credentials to further propagate the malware, increasing the scale and scope of the compromise.

Recommendation

• Rotate npm tokens and GitHub Personal Access Tokens (PATs) immediately if any affected packages were installed (refer to the list of affected packages in the IOC table).
• Monitor npm install processes for unexpected execution of node setup.mjs (see Attack Chain).
• Implement the Sigma rule “Detect Suspicious Bun Process Execution” to identify potential execution of the Bun runtime from temporary directories.
• Monitor network connections for unusual processes connecting to api.github[.]com/search/commits?q=OhNoWhatsGoingOnWithGitHub (see IOCs) to detect potential C2 activity.
• Deploy the Sigma rule “Detect Github Commit By Claude Email” to identify commits authored with the email claude@users.noreply.github.com to detect malicious commits.

Attack Chain

1. The attacker compromises an NPM token, possibly exposed through CircleCI.
2. The attacker injects a malicious preinstall script into the targeted SAP NPM packages (mbt, @cap-js/db-service, @cap-js/postgres, @cap-js/sqlite).
3. When a user installs the compromised package, the preinstall script executes.
4. The script fetches a Bun ZIP archive from a GitHub repository.
5. The script extracts the Bun archive and executes the included Bun binary.
6. The Bun binary steals local credentials, GitHub and NPM tokens, AWS, Azure, GCP, GitHub Action, and Kubernetes secrets.
7. The stolen data is exfiltrated to public GitHub repositories with the description “A Mini Shai-Hulud has Appeared”.
8. The malware propagates by modifying package tarballs, updating versions, repackaging them, and publishing them using stolen GitHub Actions tokens.

Impact

The Mini Shai-Hulud attack poses a significant threat to developers and organizations using SAP CAP, a framework for S/4HANA extensions, Fiori app backends, MTAs, and integration flows. With over 500,000 weekly downloads of the affected packages, a large number of systems could have been affected. Successful exploitation allows attackers to steal sensitive credentials and cloud secrets, potentially leading to unauthorized access to critical SAP systems, cloud infrastructure, and source code repositories. This access could be used for further malicious activities, including data breaches, financial fraud, and supply chain compromise.

Recommendation

• Organizations using SAP Business Technology Platform workflows, SAP CAP, or MTA-based deployment pipelines should immediately check if they installed the malicious package versions (mbt 1.2.48, @cap-js/db-service 2.10.1, @cap-js/postgres 2.2.2, @cap-js/sqlite 2.2.2) during the exposure window.
• Implement network monitoring rules to detect connections to unusual GitHub repositories created to host stolen data. Monitor for repositories with the description “A Mini Shai-Hulud has Appeared”.
• Monitor process execution for the execution of bun binaries in unusual or unexpected locations to identify systems where compromised packages were installed. Deploy the Sigma rule Detect Bun Execution From NPM Package to detect this behavior.

Attack Chain

1. Initial Compromise: Threat actors compromise official SAP npm packages (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, mbt). The exact method of initial compromise is currently unknown, but a misconfigured CircleCI job is suspected.
2. Package Modification: The compromised npm packages are modified to include a malicious ‘preinstall’ script.
3. Installation Trigger: When developers install the compromised packages using npm install, the ‘preinstall’ script executes automatically.
4. Payload Download: The ‘preinstall’ script launches a loader named setup.mjs that downloads the Bun JavaScript runtime from GitHub.
5. Execution of Information Stealer: The Bun runtime is used to execute a heavily obfuscated execution.js payload, which acts as an information stealer.
6. Credential Theft: The information stealer targets a wide variety of credentials, including npm and GitHub authentication tokens, SSH keys, cloud credentials for AWS, Azure, and Google Cloud, Kubernetes configurations and secrets, and CI/CD pipeline secrets and environment variables. It also attempts to extract secrets directly from the CI runner’s memory by scanning /proc/<pid>/maps and /proc/<pid>/mem.
7. Data Exfiltration: The stolen data is encrypted and uploaded to public GitHub repositories under the victim’s account. These repositories include the description “A Mini Shai-Hulud has Appeared”.
8. Lateral Movement: The malware searches GitHub commits for the string OhNoWhatsGoingOnWithGitHub:<base64>, decoding matching commit messages into GitHub tokens to gain further access and propagate to other packages and repositories, injecting the same malicious code.

Impact

This supply chain attack can lead to the theft of sensitive credentials, allowing attackers to gain unauthorized access to internal systems, cloud infrastructure, and source code repositories. The compromised credentials and secrets can be used for lateral movement within the victim’s network, data exfiltration, and further supply chain attacks. The use of stolen credentials to modify other packages increases the scope of the attack, potentially impacting a large number of developers and organizations using the compromised SAP packages.

Recommendation

• Monitor npm package installations for the presence of preinstall scripts executing unusual processes, such as the execution of setup.mjs or the download of the Bun JavaScript runtime from GitHub; implement the Detect Suspicious NPM Package Preinstall Script Sigma rule.
• Implement the Detect GitHub Repository Creation with "A Mini Shai-Hulud has Appeared" Description Sigma rule to detect exfiltration attempts via public GitHub repositories.
• Audit CI/CD pipeline configurations and restrict access to sensitive credentials and secrets to prevent exposure via misconfigured jobs; remediate the reported CircleCI misconfiguration.
• Monitor process memory for credential harvesting activity targeting Runner processes in CI/CD environments, specifically looking for reads of /proc/<pid>/maps and /proc/<pid>/mem as outlined in the overview.
• Deprecate and remove the compromised packages @cap-js/sqlite (v2.2.2), @cap-js/postgres (v2.2.2), @cap-js/db-service (v2.10.1), and mbt (v1.2.48) from your development and CI/CD environments.

Attack Chain

1. Initial Compromise: TeamPCP compromises GitHub repositories of open-source projects like Trivy.
2. Code Injection: Malicious code is injected into the project’s codebase within the compromised GitHub repository.
3. Package Build and Distribution: The compromised code is included in a new version of the software package during the build process.
4. Distribution via Package Managers: The malicious package is distributed through package managers like npm, becoming available for download by developers.
5. Downstream Consumption: Developers unknowingly download and integrate the compromised package into their applications.
6. Execution in Downstream Environments: The malicious code executes within the developers’ applications and environments.
7. Lateral Movement/Data Exfiltration/Ransomware: The injected code performs malicious actions such as data exfiltration or establishing a reverse shell for lateral movement.
8. Impact: The attacker achieves their objectives, such as data theft, system compromise, or ransomware deployment across numerous downstream victims.

Impact

The compromise of widely used libraries and frameworks like Axios and Trivy can have a vast impact, potentially affecting millions of users and organizations. The Axios library alone receives 100 million downloads weekly. The successful exploitation of the React2Shell vulnerability demonstrates the speed at which these attacks can reach massive scale. The resulting damage can range from data breaches and system compromise to ransomware deployment, affecting organizations across various sectors. The integration of these utilities often makes full cataloging and remediation challenging, leading to prolonged exposure and increased risk.

Recommendation

• Secure CI/CD pipelines to prevent compromises from occurring, addressing the attack vector used by TeamPCP.
• Implement robust logging to monitor for suspicious activity related to compromised packages and aid in incident response.
• Organizations must inventory the software libraries and frameworks they employ and rapidly implement patching and other mitigations when security incidents are reported.
• Implement robust multi-factor authentication (MFA) to protect developer accounts on platforms like GitHub.

Attack Chain

1. The attacker gains unauthorized access to PyPI credentials for the telnyx package.
2. The attacker uploads malicious versions 4.87.1 and 4.87.2 of the telnyx package to PyPI, bypassing the legitimate GitHub repository.
3. When a user installs or upgrades to the malicious telnyx package, the injected malware within telnyx/_client.py executes upon importing the library (import telnyx).
4. On Linux/macOS systems, the malware spawns a detached subprocess to ensure persistence and downloads a payload hidden inside a WAV audio file (ringtone.wav) from the C2 server at http://83.142.209.203:8080/.
5. The downloaded payload harvests sensitive credentials, including SSH keys, AWS/GCP/Azure credentials, Kubernetes tokens, Docker configurations, .env files, database credentials, and crypto wallets.
6. If Kubernetes access is detected, the malware deploys privileged pods to all nodes for lateral movement within the Kubernetes cluster.
7. The collected data is encrypted using AES-256-CBC and RSA-4096, then exfiltrated to the C2 server, identified by the header X-Filename: tpcp.tar.gz.
8. On Windows, a binary payload hidden in hangup.wav is downloaded from http://83.142.209.203:8080/, dropped as msbuild.exe in the Startup folder for persistence, and executed with a hidden window, polling the endpoint http://83.142.209.203:8080/raw.

Impact

The compromise of the telnyx PyPI package poses a significant risk to developers and organizations that use the library. Successful exploitation leads to the theft of sensitive credentials, potentially granting the attacker unauthorized access to critical infrastructure, cloud resources, and sensitive data. TeamPCP’s previous campaign against LiteLLM and the similarities in this attack suggest a pattern of targeting open-source projects to infiltrate developer environments and steal secrets. The impact includes potential data breaches, financial losses, and reputational damage. The exposure window was approximately 6 hours during which vulnerable versions were available.

Recommendation

• Immediately check for the presence of malicious telnyx package versions (4.87.1 or 4.87.2) in your environment using the provided commands and uninstall them (pip uninstall telnyx).
• Due to the credential-stealing nature of the malware, rotate all potentially exposed secrets, including SSH keys, cloud provider credentials (AWS, GCP, Azure), Kubernetes tokens, Docker registry credentials, database passwords, API keys in .env files, and Telnyx API keys.
• Check for persistence mechanisms used by the malware, specifically the audiomon service and associated files on Linux/macOS, and the msbuild.exe executable in the Startup folder on Windows, based on the file paths provided in the “Filesystem” section.
• Block the identified C2 IP address (83.142.209.203) and payload URLs (http://83.142.209.203:8080/ringtone.wav, http://83.142.209.203:8080/hangup.wav, http://83.142.209.203:8080/raw) at your network perimeter.
• Deploy the following Sigma rule to detect the creation of msbuild.exe in the Startup folder.
• Pin the telnyx package to the safe version 4.87.0 in your project dependencies to prevent future installations of compromised versions.

Attack Chain

1. TeamPCP gains unauthorized access to the Telnyx PyPI account, likely through credential theft.
2. Malicious versions 4.87.1 and 4.87.2 of the Telnyx package are published to PyPI.
3. When a developer installs the compromised Telnyx package, the telnyx/_client.py file is executed upon import.
4. On Linux and macOS, a detached process is spawned to download a second-stage payload disguised as a WAV audio file (ringtone.wav) from a remote command-and-control (C2) server.
5. Steganography is used to hide malicious code within the WAV file’s data frames.
6. The embedded payload is extracted using an XOR-based decryption routine and executed in memory.
7. The malware harvests sensitive data, including SSH keys, credentials, cloud tokens, cryptocurrency wallets, and environment variables.
8. If Kubernetes is present, the malware enumerates cluster secrets and deploys privileged pods to access underlying host systems. On Windows, a different WAV file (hangup.wav) is downloaded that extracts and saves an executable named msbuild.exe to the startup folder for persistence.

Impact

This supply chain attack could result in widespread compromise of systems utilizing the Telnyx Python SDK. Over 740,000 monthly downloads indicate a large potential victim pool. Stolen credentials and secrets can lead to unauthorized access to cloud resources, sensitive data exfiltration, and further lateral movement within compromised networks. For systems running Kubernetes, the attacker could gain control over the entire cluster, leading to significant disruption and data loss. Developers who installed the malicious packages are advised to consider their systems fully compromised and rotate all secrets as soon as possible.

Recommendation

• Identify and remove Telnyx versions 4.87.1 and 4.87.2 from all environments, reverting to version 4.87.0 as recommended by the vendor.
• Monitor network connections for processes spawned by Python interpreters (python.exe, python3) attempting to download files with the .wav extension, using the “Detect Suspicious Python WAV Download” Sigma rule provided below.
• Implement stricter controls and multi-factor authentication for PyPI accounts used to publish packages to prevent similar supply chain attacks.
• Deploy the “Detect msbuild.exe in Startup Folder” Sigma rule to identify potential persistence attempts on Windows systems.
• Rotate all secrets and credentials on any system that has imported the malicious Telnyx package.

Attack Chain

1. Initial compromise of a developer’s machine or CI/CD environment via an unspecified initial access vector.
2. Deployment of an infostealer binary onto the compromised system.
3. The infostealer scans the local file system for .env files containing sensitive credentials.
4. The infostealer targets CI/CD environment variables to extract API keys, tokens, and other secrets.
5. The infostealer searches for cloud tokens, potentially targeting AWS credentials, Azure service principals, or GCP service account keys.
6. Extracted credentials are used to gain unauthorized access to GitHub accounts and CI/CD pipelines.
7. Attackers inject malicious code or dependencies into the targeted projects, potentially leading to supply chain contamination.
8. Compromised code is distributed to downstream users of Trivy, KICS, LiteLLM, and other impacted projects.

Impact

The TeamPCP supply chain attack has impacted multiple companies and projects, including Trivy, KICS, and LiteLLM. The compromise of CI/CD pipelines and GitHub accounts allows attackers to inject malicious code into software projects, potentially affecting thousands of users. This can lead to data breaches, malware infections, and erosion of trust in the affected software. The exact number of victims is unknown, but the impact is significant due to the widespread use of the compromised projects in the cloud security and development sectors.

Recommendation

• Implement multi-factor authentication (MFA) on all GitHub accounts and CI/CD pipelines to prevent unauthorized access.
• Rotate API keys and tokens regularly, especially those used in CI/CD environments, to minimize the impact of credential theft.
• Implement secrets scanning in CI/CD pipelines to prevent accidental exposure of sensitive information in code repositories.
• Deploy the Sigma rule “Detect Infostealer Activity in CI/CD Environments” to identify suspicious processes accessing environment variables.
• Monitor file system access for unusual reads of .env files, using the “Detect .env File Access” Sigma rule.
• Implement network monitoring to detect anomalous connections originating from CI/CD servers or developer workstations.

Attack Chain

Due to the limited information, the attack chain below is based on a typical supply chain compromise scenario:

1. TeamPCP gains unauthorized access to the KICS GitHub Action repository or its build process.
2. The attacker injects malicious code into the KICS GitHub Action. This code could be designed to exfiltrate sensitive information, modify infrastructure configurations, or establish a backdoor.
3. A new version of the KICS GitHub Action, containing the malicious code, is released and made available on the GitHub Marketplace.
4. Organizations using the KICS GitHub Action automatically update to the compromised version through their CI/CD pipelines.
5. The malicious code executes within the CI/CD environments of victim organizations, potentially gaining access to environment variables, secrets, and other sensitive data.
6. The malicious code exfiltrates collected data to attacker-controlled infrastructure.
7. The attacker uses the exfiltrated data to further compromise the victim’s infrastructure or gain unauthorized access to their systems.

Impact

The compromise of the KICS GitHub Action represents a significant supply chain risk. Organizations utilizing the compromised action in their CI/CD pipelines could have experienced exfiltration of sensitive data, including API keys, credentials, and infrastructure configurations. Successful exploitation could lead to unauthorized access to cloud resources, data breaches, and disruption of services. While the exact number of affected organizations remains unclear, the widespread use of KICS suggests a potentially large impact.

Recommendation

• Investigate CI/CD pipeline logs for usage of the compromised KICS GitHub Action version (refer to Overview).
• Audit GitHub Action dependencies in CI/CD pipelines to identify and remove any unauthorized or suspicious actions (refer to Overview).
• Monitor network traffic originating from CI/CD environments for connections to unusual or malicious destinations (based on potential exfiltration in Attack Chain).
• Implement stricter access controls and monitoring for GitHub Action repositories and build processes to prevent future supply chain attacks (refer to Overview).
• Deploy the Sigma rule detecting suspicious script execution within GitHub Action workflows to identify potential malicious activity (see rule below).

Attack Chain

1. Initial compromise of a node within the Kubernetes cluster, possibly via exploiting a known vulnerability or through compromised credentials.
2. CanisterWorm gains elevated privileges within the compromised node, potentially using techniques such as privilege escalation exploits.
3. Discovery of other nodes and resources within the Kubernetes cluster through reconnaissance activities, leveraging the Kubernetes API.
4. Lateral movement to other nodes using stolen credentials or by exploiting trust relationships between nodes.
5. Execution of CanisterWorm on each targeted node, initiating the data wiping process.
6. Overwriting critical system files and data volumes within the containers and pods.
7. Corruption of Kubernetes configuration files, leading to instability and potential cluster failure.
8. Final stage involves the complete destruction of data within the Kubernetes environment, rendering the affected systems unusable.

Impact

The successful deployment of CanisterWorm results in widespread data loss and service disruption within the targeted Kubernetes environments. This can lead to significant financial losses, reputational damage, and operational downtime. Given the targeting of Iranian infrastructure, this attack has the potential to impact critical services and government operations. The complete destruction of data necessitates extensive recovery efforts and may result in permanent data loss if backups are not available or are also compromised.

Recommendation

• Monitor Kubernetes API server logs for suspicious activity, particularly attempts to list or access sensitive resources to detect reconnaissance (reference: Attack Chain step 3).
• Implement network segmentation and strict access controls within the Kubernetes cluster to limit lateral movement (reference: Attack Chain step 4).
• Deploy the Sigma rule Detect Suspicious Kubernetes Pod Deletion to identify potential wipe attempts.
• Review and harden Kubernetes security configurations, including RBAC (Role-Based Access Control) policies, to prevent unauthorized access (reference: Attack Chain step 2).

Attack Chain

1. Initial Compromise: TeamPCP gains unauthorized access to Trivy infrastructure, potentially exploiting a vulnerability or using stolen credentials.
2. Malware Injection: The attackers inject malicious code into a legitimate Trivy package or create a new package containing the CanisterWorm payload.
3. NPM Deployment: TeamPCP publishes the compromised or new package to the NPM registry, making it available for download by unsuspecting users.
4. Package Installation: Developers unknowingly download and install the malicious package through NPM, integrating CanisterWorm into their projects.
5. Worm Propagation: CanisterWorm begins to propagate itself by infecting other NPM packages and dependencies within the compromised project.
6. Lateral Movement: The worm replicates and spreads to other systems and projects that depend on the infected packages.
7. Persistence: The malware establishes persistence within infected systems to maintain its presence and continue spreading.
8. Payload Delivery: CanisterWorm executes its malicious payload, which could include data theft, code injection, or other harmful activities.

Impact

The deployment of CanisterWorm on NPM poses a significant threat to the software supply chain. Successful infection can lead to widespread compromise of applications and systems that rely on NPM packages. The specific number of victims and the full extent of damage is currently unknown, but the incident has the potential to affect numerous organizations across various sectors that utilize NPM and Trivy in their development processes. Successful exploitation could result in data breaches, service disruptions, and reputational damage.

Recommendation

• Monitor NPM package installations for suspicious activity and unexpected dependencies to identify potential CanisterWorm infections.
• Implement integrity checks for NPM packages to verify their authenticity and prevent the installation of tampered packages.
• Analyze process creation events for suspicious processes originating from NPM-related processes using the provided Sigma rules.
• Regularly scan systems for known malware signatures to detect CanisterWorm and other potential threats.
• Review and strengthen the security of your software supply chain to mitigate the risk of future attacks.