{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-secrets-manager/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["TeamPCP"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["router","Node Package Manager (npm)","Bitwarden CLI","Commerce Cloud","S/4HANA","AWS Secrets Manager","IAM","ESC task","Kubernetes","HashiCorp Vault","Claude Code","VS Code"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","supply-chain-attack","npm","pypi","credential-theft","shai-hulud"],"_cs_type":"threat","_cs_vendors":["TanStack","Mistral AI","Guardrails AI","UiPath","OpenSearch","Bitwarden","SAP","GitHub","npm","SafeDep","Snyk"],"content_html":"\u003cp\u003eA large-scale software supply-chain attack involving the \u0026ldquo;Shai-Hulud\u0026rdquo; malware has compromised hundreds of packages across open-source software ecosystems, including npm, PyPI, and Composer. The attack, attributed to the TeamPCP threat group, began by compromising dozens of TanStack and Mistral AI packages and quickly extended to other popular projects, including Guardrails AI, UiPath, OpenSearch, Bitwarden CLI, and SAP packages. The attacker hijacked valid OpenID Connect (OIDC) tokens to publish malicious package versions with verifiable provenance attestation (SLSA Build Level 3) via legitimate CI/CD pipelines. 
The latest attack wave occurred recently, with the threat actor publishing multiple malicious packages in the TanStack namespaces on the Node Package Manager (npm), and then spreading to other projects using stolen CI/CD credentials.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises legitimate CI/CD pipelines, potentially by exploiting vulnerabilities such as a risky \u0026lsquo;pull_request_target\u0026rsquo; workflow, GitHub Actions cache poisoning, and OIDC token theft from runner memory.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to valid OpenID Connect (OIDC) tokens and GitHub/npm credentials.\u003c/li\u003e\n\u003cli\u003eUsing the compromised credentials, the attacker publishes malicious package versions with verifiable provenance attestation (SLSA Build Level 3) on package repositories such as npm, PyPI, and Composer.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies package tarballs to inject malicious payloads into popular projects.\u003c/li\u003e\n\u003cli\u003eDevelopers unknowingly download and install the compromised packages, which contain credential-stealing malware.\u003c/li\u003e\n\u003cli\u003eThe malware reads GitHub Actions process memory to collect credentials from various file paths associated with cloud providers, cryptocurrency tokens, and messaging apps.\u003c/li\u003e\n\u003cli\u003eThe malware exfiltrates stolen developer secrets, including GitHub tokens, npm tokens, AWS credentials, Vault tokens, and Kubernetes service accounts, via the Session P2P network.\u003c/li\u003e\n\u003cli\u003eThe malware writes itself into Claude Code hooks and VS Code auto-run tasks for persistence, ensuring it survives uninstallation of the malicious packages.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eHundreds of packages across npm, PyPI, and Composer have been compromised. 
Over 160 compromised packages were found on npm by Endor Labs, Aikido recorded 373 malicious package-version entries, and Socket tracked 416 compromised package artifacts. Developers who downloaded affected package versions should assume their credentials were exposed. Successful attacks can lead to the theft of sensitive credentials, enabling further unauthorized access and potentially impacting cloud infrastructure, source code repositories, and sensitive data stores.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eCheck for affected package versions in your projects, as identified in reports from security vendors [references].\u003c/li\u003e\n\u003cli\u003eRotate all potentially exposed credentials (GitHub tokens, npm tokens, AWS credentials, Vault tokens, Kubernetes service accounts, and CI/CD secrets) as recommended by researchers.\u003c/li\u003e\n\u003cli\u003eAudit IDE directories for malicious files surviving npm install (e.g., router_runtime.js or setup.mjs).\u003c/li\u003e\n\u003cli\u003eBlock the threat actor\u0026rsquo;s command-and-control infrastructure (api.masscan.cloud, git-tanstack.com, and *.getsession.org) at the DNS or proxy level.\u003c/li\u003e\n\u003cli\u003eImplement behavioral analysis at install time, along with signature-based checks for malicious packages, as suggested by Snyk researchers.\u003c/li\u003e\n\u003cli\u003eConsider enforcing lockfile-only installs to prevent auto/silent package updates to mitigate the risk from similar attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T11:30:55Z","date_published":"2026-05-12T11:30:55Z","id":"https://feed.craftedsignal.io/briefs/2026-05-shai-hulud-supply-chain/","summary":"The Shai-Hulud malware was used in a large-scale software supply-chain attack compromising hundreds of packages across open-source software ecosystems by compromising developer secrets and CI/CD pipelines.","title":"Shai-Hulud Malware Used 
in Supply Chain Attack via Compromised npm Packages","url":"https://feed.craftedsignal.io/briefs/2026-05-shai-hulud-supply-chain/"}],"language":"en","title":"CraftedSignal Threat Feed — AWS Secrets Manager","version":"https://jsonfeed.org/version/1.1"}