
TeamPCP Mini Shai-Hulud: Detection and Remediation for npm and PyPI Supply Chain Worm

Security Arsenal Team
May 22, 2026

Between September 2025 and May 2026, the threat actor group TeamPCP executed a sophisticated supply chain attack dubbed "Mini Shai-Hulud." This campaign represents a paradigm shift in open-source security threats, utilizing a self-propagating worm to compromise over 170 packages across the npm and PyPI ecosystems.

What makes this incident critical for defenders is not just the scale—breaching major AI firms like OpenAI and Mistral AI—but the technical methodology. TeamPCP successfully bypassed SLSA Build Level 3 provenance attestations, shattering the assumption that high-level supply chain integrity guarantees protect against malicious code injection.

If your environment has installed any affected packages during this window, you must assume full compromise. The worm is designed to aggressively harvest developer and cloud credentials, posing an immediate risk of lateral movement and data exfiltration.

Technical Analysis

Affected Platforms and Ecosystems

  • npm (Node Package Manager): JavaScript/Node.js environments.
  • PyPI (Python Package Index): Python environments.

Threat Overview: Mini Shai-Hulud

  • Type: Self-propagating worm / Supply Chain Malware.
  • Actor: TeamPCP.
  • Capabilities: Credential theft (developer tokens, cloud keys), self-propagation, environment reconnaissance.

Attack Chain and Methodology

  1. Initial Compromise: TeamPCP compromised legitimate developer accounts or maintainer credentials to publish malicious versions of popular packages.
  2. Provenance Bypass: In a critical first, the attackers manipulated the build process to generate valid SLSA Build Level 3 provenance attestations for compromised packages. This means standard integrity checks that verify "who built it" and "how" passed validation, allowing the malware to slip past modern supply chain defenses.
  3. Execution: Upon installation (npm install or pip install), the package scripts execute malicious code.
  4. Credential Harvesting: The malware scans for and exfiltrates:
    • Cloud provider credentials (AWS, Azure, GCP).
    • Source code repository tokens (GitHub, GitLab, Bitbucket).
    • Container registry secrets.
  5. Propagation: The worm utilizes the stolen credentials to authenticate into other repositories and package registries, publishing new compromised packages and perpetuating the cycle.

Exploitation Status

  • Status: Confirmed Active Exploitation (September 2025 – May 2026).
  • Impact: Over 170 confirmed malicious packages; confirmed breaches at OpenAI and Mistral AI.

Detection & Response

Defenders must move beyond standard signature-based scanning, as the valid SLSA attestations may deceive automated dependency scanners. Detection relies heavily on behavioral analysis of the package installation processes and runtime activities of build agents.

Sigma Rules

The following rules target the behavioral indicators of the Mini Shai-Hulud worm, specifically focusing on package managers spawning reconnaissance tools or accessing credential files.

YAML
---
title: Suspicious Child Process of Package Managers - Mini Shai-Hulud
id: 8f4c2d1a-5b6e-4f8d-9a1b-2c3d4e5f6a7b
status: experimental
description: Detects npm or pip/pip3 spawning shells or reconnaissance tools often used in credential harvesting or propagation.
references:
  - https://www.tenable.com/blog/mini-shai-hulud-frequently-asked-questions
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.execution
  - attack.t1059.004
  - attack.credential_access
  - attack.t1552.001
logsource:
  category: process_creation
  product: windows
detection:
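  selection_parent:
    # npm.cmd/npx.cmd are batch wrappers that run under cmd.exe and node.exe;
    # confirm which parent image your telemetry records for npm/npx installs.
    ParentImage|endswith: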
      - '\npm.cmd'
      - '\npm.exe'
      - '\npx.cmd'
      - '\npx.exe'
      - '\pip.exe'
      - '\pip3.exe'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\bash.exe'
      - '\curl.exe'
      - '\wget.exe'
      - '\git.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate build scripts executing system commands (rare during initial install)
level: high
---
title: Cloud Credential File Access by Node or Python
id: 9a5d3e2b-6c7f-5g9e-0b2c-3d4e5f6a7b8c  # not a valid UUID ('g' is not a hex digit); generate a fresh UUID before deploying
status: experimental
description: Detects Node.js or Python processes accessing cloud credential files, a key TTP of Mini Shai-Hulud.
references:
  - https://www.tenable.com/blog/mini-shai-hulud-frequently-asked-questions
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.credential_access
  - attack.t1552.001
logsource:
  category: file_access
  product: windows
detection:
  selection:
    Image|endswith:
      - '\node.exe'
      - '\python.exe'
    TargetFilename|contains:
      - '\.aws\credentials'
      - '\.aws\config'
      - '\.azure\credentials'
      - '\.config\gcloud'
      - '\.docker\config.'
  condition: selection
falsepositives:
  - Legitimate SDKs accessing credentials during runtime (verify context)
level: medium

KQL (Microsoft Sentinel)

This query hunts for suspicious process execution patterns related to package managers interacting with credential files or utilities.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > datetime(2025-09-01)
| where (ProcessVersionInfoOriginalFileName in ("npm.exe", "pip.exe", "python.exe", "node.exe") or FileName in~ ("npm", "pip", "pip3", "node", "python", "python3"))
| where ProcessCommandLine has_any ("aws", "azure", "credential", "token", "secret", "env:", ".aws", "gcloud")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, AccountName
| order by Timestamp desc

Velociraptor VQL

This artifact hunts for processes spawned by npm or pip that are shells or network-capable utilities, or whose command lines reference credential material, indicative of the worm's C2 or propagation activity.

VQL — Velociraptor
-- Hunt for suspicious processes spawned by package managers
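LET package_managers <= ("npm", "pip", "pip3", "python", "node")

-- pslist() reports the parent only as Ppid, so parent details are
-- resolved with a second pslist(pid=...) lookup per process.
LET procs = SELECT Pid, Name, Exe, CommandLine, Ppid AS ParentPid,
       { SELECT Name FROM pslist(pid=Ppid) } AS ParentName,
       { SELECT Exe FROM pslist(pid=Ppid) } AS ParentExe
FROM pslist()

SELECT * FROM procs
WHERE ParentName IN package_managers
  AND (
    Name IN ("bash", "sh", "powershell", "curl", "wget", "git") OR
    CommandLine =~ "(aws|azure|gcloud|credential|token|secret)"
  )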

Remediation Script (Bash)

This script assists in identifying potentially compromised environments by checking for recent modifications to package directories and scanning for suspicious environment variables. Note that a full re-image is the only guaranteed remediation if a compromise is confirmed.

Bash / Shell
#!/bin/bash

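# Mini Shai-Hulud Audit Script
# Usage: sudo ./audit_shai_hulud.sh
# Note: under sudo, printenv and ~ may reflect root's environment and home,
# so also run steps 2 and 3 as the developer or CI user being audited.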

echo "[*] Starting Mini Shai-Hulud Environmental Audit..."

# 1. Check for recent npm/pip installs in the last 30 days
echo "[*] Checking for recent npm package modifications (last 30 days)..."
find /usr/local/lib/node_modules -type f -mtime -30 2>/dev/null | head -n 20

echo "[*] Checking for recent pip/site-packages modifications (last 30 days)..."
find /usr/local/lib/python*/site-packages -type f -mtime -30 2>/dev/null | head -n 20

# 2. Scan Environment Variables for exposed keys (Basic Indicator)
echo "[*] Scanning active environment variables for potential cloud exposure..."
if printenv | grep -qiE "(AWS_ACCESS_KEY|AZURE_CLIENT_SECRET|GOOGLE_APPLICATION_CREDENTIALS)"; then
    echo "[!] WARNING: Cloud credentials detected in environment variables."
    # Print variable names only so secret values do not land in scrollback or audit logs
    printenv | grep -iE "(AWS_ACCESS_KEY|AZURE_CLIENT_SECRET|GOOGLE_APPLICATION_CREDENTIALS)" | cut -d= -f1
fi

# 3. Audit Git Configs for suspicious changes (Propagation mechanism)
echo "[*] Checking for recent git config modifications..."
find ~/.gitconfig ~/.config/git -type f -mtime -30 2>/dev/null

echo "[*] Audit complete. If indicators are found, assume host compromise and initiate IR protocols."

Remediation

Given the self-propagating nature of Mini Shai-Hulud and the defeat of SLSA attestations, standard vulnerability patching is insufficient.

  1. Assume Compromise: Treat any developer workstation or CI/CD runner that executed npm install or pip install between September 2025 and May 2026 as fully compromised. Isolate these hosts from the network immediately.

  2. Credential Rotation:

    • Forcefully rotate all developer tokens (GitHub, GitLab, Bitbucket).
    • Rotate all cloud access keys (AWS Access Keys, Azure Service Principals, GCP Keys) used by affected environments.
    • Revoke all OCI registry credentials.
  3. Re-imaging: Do not attempt to clean the host. The worm may have established multiple persistence mechanisms. Wipe and re-image all affected workstations and build servers.

  4. Dependency Audit:

    • Review package-lock.json and yarn.lock (npm) or Pipfile.lock / poetry.lock (PyPI) for the specific package versions identified in the Tenable Advisory.
    • Update to the latest verified "safe" versions provided by the package maintainers.
  5. SLSA Verification Review:

    • Acknowledge that SLSA Level 3 was bypassed. Implement additional runtime controls (eBPF monitoring for build containers) and require manual code review for any package update, regardless of provenance status, for the immediate future.
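
The lockfile review in step 4, as an added example (not Security Arsenal's or Tenable's code): it reads package-lock.json (lockfileVersion 1 through 3) and Pipfile.lock, reports pins that match an affected list, and lists npm packages whose lock entry carries hasInstallScript. The AFFECTED entries and both sample lockfiles are constructed placeholders; substitute the name/version pairs from the advisory.

```python
import json

# Constructed placeholders, NOT advisory data: replace with the advisory's name/version pairs.
AFFECTED = {("example-affected-pkg", "1.2.3"), ("example-affected-pylib", "0.9.1")}

def npm_entries(lock):
    """Yield (name, version, has_install_script) from a package-lock.json dict."""
    for path, meta in lock.get("packages", {}).items():  # lockfileVersion 2/3: flat map
        if path:  # "" is the root project itself
            name = meta.get("name") or path.split("node_modules/")[-1]
            yield name, meta.get("version"), bool(meta.get("hasInstallScript"))
    # lockfileVersion 1 only: walk the nested "dependencies" tree
    stack = [lock.get("dependencies", {})] if "packages" not in lock else []
    while stack:
        for name, meta in stack.pop().items():
            yield name, meta.get("version"), False
            stack.append(meta.get("dependencies", {}))

def pipfile_entries(lock):
    """Yield (name, version) from a Pipfile.lock dict; pins are stored as '==x.y.z'."""
    for section in ("default", "develop"):
        for name, meta in lock.get(section, {}).items():
            yield name.lower(), meta.get("version", "").lstrip("=")

def audit(npm_lock=None, pipfile_lock=None, affected=AFFECTED):
    """Return (hits, scripted): affected pins, and npm packages that run install scripts."""
    hits, scripted = [], []
    for name, version, has_script in npm_entries(npm_lock or {}):
        if (name, version) in affected:
            hits.append(("npm", name, version))
        if has_script:
            scripted.append(f"{name}@{version}")
    for name, version in pipfile_entries(pipfile_lock or {}):
        if (name, version) in affected:
            hits.append(("pypi", name, version))
    return sorted(set(hits)), sorted(set(scripted))

# Constructed sample lockfiles for demonstration.
SAMPLE_NPM = json.loads("""{"lockfileVersion": 3, "packages": {
  "": {"name": "app", "version": "1.0.0"},
  "node_modules/example-affected-pkg": {"version": "1.2.3", "hasInstallScript": true},
  "node_modules/left/node_modules/example-affected-pkg": {"version": "1.2.4"},
  "node_modules/@scope/native-addon": {"version": "2.0.0", "hasInstallScript": true}}}""")
SAMPLE_PIPFILE = {"default": {"Example-Affected-PyLib": {"version": "==0.9.1"},
                              "requests": {"version": "==2.32.3"}}, "develop": {}}

if __name__ == "__main__":
    print(audit(SAMPLE_NPM, SAMPLE_PIPFILE))
```

The install-script list is a review queue rather than a verdict: many legitimate native add-ons set hasInstallScript, but those are the packages that run code at npm install time.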
