{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/github.com/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["pelicanplatform/pelican","github.com"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","webui","pelican"],"_cs_type":"advisory","_cs_vendors":["Pelican","GitHub"],"content_html":"\u003cp\u003eOn April 2, 2026, a privilege escalation vulnerability was identified in the Pelican Web User Interface (WebUI), affecting versions v7.21 through v7.24. Any user who can authenticate to the WebUI through its OAuth/OIDC login can gain admin privileges under two configurations: servers that set \u003ccode\u003eServer.UIAdminUsers\u003c/code\u003e where a listed admin has not yet logged in, and servers that set \u003ccode\u003eServer.AdminGroups\u003c/code\u003e with \u003ccode\u003eIssuer.GroupSource\u003c/code\u003e set to \u003ccode\u003einternal\u003c/code\u003e where no admin has yet logged in. Successful exploitation lets the attacker modify the server configuration, create API tokens, and change admin passwords. The OSDF operations team has mitigated the vulnerability on the core services it runs, but operators of other caches and origins may need to apply the mitigation themselves. 
There is currently no evidence that the vulnerability has been exploited against services managed by OSDF operators.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Pelican WebUI by authenticating through OIDC as an ordinary user.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a username listed in \u003ccode\u003eServer.UIAdminUsers\u003c/code\u003e, or a group named in \u003ccode\u003eServer.AdminGroups\u003c/code\u003e, belonging to an admin who has not yet logged into the WebUI.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts database records designed to grant admin privileges on the next login.\u003c/li\u003e\n\u003cli\u003eThe attacker injects these records into the Pelican server\u0026rsquo;s SQLite database, using API endpoints or other paths that reach the database.\u003c/li\u003e\n\u003cli\u003eThe attacker logs out of the WebUI.\u003c/li\u003e\n\u003cli\u003eThe attacker logs back into the WebUI.\u003c/li\u003e\n\u003cli\u003eThe server grants the attacker admin privileges based on the manipulated database records.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the server configuration, creates persistent API tokens, or changes admin passwords.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation poses a significant risk to the affected Pelican server and to the wider federation it serves, and the impact depends on the server\u0026rsquo;s role. A compromised Director has high federation-wide impact: it can deny service to the federation and redirect clients to malicious services. A compromised Registry also has high federation-wide impact, since the attacker can poison namespaces. A compromised Origin carries high data exposure and tampering risk, since the attacker can enable unauthorized writes and change export paths. 
Caches carry a medium data exposure risk, since the attacker could expose protected data held in the cache.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRun the provided mitigation script (\u003ccode\u003emitigate-user-escalation.sh\u003c/code\u003e from \u003ca href=\"https://gist.github.com/jhiemstrawisc/8c4b2b3ec5cb2ca06537d9439dc16cc9\"\u003ehttps://gist.github.com/jhiemstrawisc/8c4b2b3ec5cb2ca06537d9439dc16cc9\u003c/a\u003e) to audit the database for signs of exploitation and to block further exploitation. Review the script before running it against a production database, and run it on every cache and origin you operate, not only on the servers OSDF manages.\u003c/li\u003e\n\u003cli\u003eUpgrade Pelican servers to a patched release for their branch (\u0026gt;=v7.21.5, \u0026gt;=v7.22.3, \u0026gt;=v7.23.3, or \u0026gt;=v7.24.2).\u003c/li\u003e\n\u003cli\u003eIf you cannot upgrade immediately, disable the vulnerable configuration by commenting out the \u003ccode\u003eUIAdminUsers\u003c/code\u003e and \u003ccode\u003eAdminGroups\u003c/code\u003e settings in \u003ccode\u003epelican.yaml\u003c/code\u003e. This also withdraws the WebUI admin access those settings would have granted, so restore them once the server is on a patched release.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for runs of the \u003ccode\u003emitigate-user-escalation.sh\u003c/code\u003e script and review the user and API token changes associated with them. 
Deploy the provided Sigma rule to detect potential malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T21:24:50Z","date_published":"2026-05-04T21:24:50Z","id":"/briefs/2026-05-pelican-privesc/","summary":"A privilege escalation vulnerability in Pelican WebUI versions v7.21 to v7.24 allows authenticated users to gain admin privileges by manipulating database records, potentially leading to configuration modification, API token creation, and password changes.","title":"Pelican Web UI Privilege Escalation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-pelican-privesc/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Cloud Application Programming (CAP)","Cloud MTA Build Tool","@cap-js/db-service","@cap-js/postgres","@cap-js/sqlite","github.com"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","npm","sap","credential-theft"],"_cs_type":"threat","_cs_vendors":["SAP","GitHub"],"content_html":"\u003cp\u003eThe Mini Shai-Hulud campaign, active as of April 2026, targets SAP npm packages used in the SAP Cloud Application Programming (CAP) ecosystem and in SAP cloud deployment workflows. Four package versions were compromised: \u003ccode\u003embt 1.2.48\u003c/code\u003e, \u003ccode\u003e@cap-js/db-service 2.10.1\u003c/code\u003e, \u003ccode\u003e@cap-js/postgres 2.2.2\u003c/code\u003e, and \u003ccode\u003e@cap-js/sqlite 2.2.2\u003c/code\u003e. These packages, with over 500,000 combined weekly downloads, provide SAP\u0026rsquo;s Cloud MTA Build Tool and the database services for CAP applications. The attackers injected a \u003ccode\u003epreinstall\u003c/code\u003e script that fetches and executes a Bun binary rather than running the payload under Node.js, a choice intended to bypass security monitoring tuned to Node.js install scripts. The malicious versions were available for only 2 to 4 hours before being unpublished and superseded by clean versions. 
Wiz attributes the activity to TeamPCP because the exfiltrated secrets are encrypted with an RSA public key shared with prior TeamPCP activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises an npm publishing token, possibly exposed through CircleCI.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious \u003ccode\u003epreinstall\u003c/code\u003e script into the targeted SAP npm packages (\u003ccode\u003embt\u003c/code\u003e, \u003ccode\u003e@cap-js/db-service\u003c/code\u003e, \u003ccode\u003e@cap-js/postgres\u003c/code\u003e, \u003ccode\u003e@cap-js/sqlite\u003c/code\u003e) and publishes the trojanized versions.\u003c/li\u003e\n\u003cli\u003eWhen a user installs a compromised version, npm runs the \u003ccode\u003epreinstall\u003c/code\u003e script automatically.\u003c/li\u003e\n\u003cli\u003eThe script fetches a ZIP archive containing Bun from a GitHub repository.\u003c/li\u003e\n\u003cli\u003eThe script extracts the archive and executes the bundled Bun binary.\u003c/li\u003e\n\u003cli\u003eThe Bun payload harvests local credentials: GitHub and npm tokens, and AWS, Azure, GCP, GitHub Actions, and Kubernetes secrets.\u003c/li\u003e\n\u003cli\u003eThe stolen data is exfiltrated to public GitHub repositories carrying the description \u0026ldquo;A Mini Shai-Hulud has Appeared\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe malware propagates by modifying package tarballs, bumping their versions, repackaging them, and publishing them with the stolen GitHub Actions tokens.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Mini Shai-Hulud attack poses a significant threat to developers and organizations using SAP CAP, the framework behind S/4HANA extensions, Fiori app backends, MTAs, and integration flows. Although the exposure window was short, the affected packages see over 500,000 weekly downloads, so a large number of developer machines, build hosts, and CI runners could have pulled a malicious version. 
Successful exploitation lets the attacker steal developer credentials and cloud secrets, giving unauthorized access to SAP systems, cloud infrastructure, and source code repositories. That access can then be used for data theft, financial fraud, and further supply chain compromise, since the malware republishes packages with the tokens it steals.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eOrganizations using SAP Business Technology Platform workflows, SAP CAP, or MTA-based deployment pipelines should immediately check whether they installed the malicious package versions (\u003ccode\u003embt 1.2.48\u003c/code\u003e, \u003ccode\u003e@cap-js/db-service 2.10.1\u003c/code\u003e, \u003ccode\u003e@cap-js/postgres 2.2.2\u003c/code\u003e, \u003ccode\u003e@cap-js/sqlite 2.2.2\u003c/code\u003e) during the exposure window. Check lockfiles, CI caches, and build images as well as developer machines; if a malicious version was installed, treat every credential reachable from that host as exposed and rotate it.\u003c/li\u003e\n\u003cli\u003eMonitor for connections to newly created GitHub repositories used to host stolen data, and search the GitHub accounts and organizations you control for repositories with the description \u0026ldquo;A Mini Shai-Hulud has Appeared\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for \u003ccode\u003ebun\u003c/code\u003e binaries running from unusual or unexpected locations, such as a package directory under \u003ccode\u003enode_modules\u003c/code\u003e, to identify systems where a compromised package was installed. 
Deploy the Sigma rule \u003ccode\u003eDetect Bun Execution From NPM Package\u003c/code\u003e to detect this behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T14:27:36Z","date_published":"2026-04-30T14:27:36Z","id":"/briefs/2026-04-mini-shai-hulud/","summary":"The Mini Shai-Hulud campaign injected malicious code into SAP NPM packages, targeting credentials and cloud secrets related to SAP Cloud Application Programming (CAP) and SAP cloud deployment workflows, exfiltrating data through public GitHub repositories.","title":"Mini Shai-Hulud Supply Chain Attack Targets SAP NPM Packages","url":"https://feed.craftedsignal.io/briefs/2026-04-mini-shai-hulud/"}],"language":"en","title":"CraftedSignal Threat Feed — Github.com","version":"https://jsonfeed.org/version/1.1"}