Full Report
TeamPCP? Or copycat malware dev?
Analysis Summary
# Tool/Technique: Mini Shai-Hulud (Miasma Variant)
## Overview
Mini Shai-Hulud is a self-propagating worm and credential harvester designed to target development environments via supply chain attacks. This specific campaign involved compromising a legitimate contributor's account to inject malicious code into npm packages. The malware leverages automation to exfiltrate sensitive cloud and development secrets and attempts to propagate further by leveraging stolen credentials.
## Technical Details
- **Type:** Malware (Worm / Credential Stealer)
- **Platform:** Cross-platform (Node.js/npm environments), Linux, Cloud Environments (AWS, GCP, Azure)
- **Capabilities:** Credential harvesting, supply chain propagation, automated exfiltration, environmental awareness.
- **First Seen:** June 2026 (Reported)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1195.001 - Supply Chain Compromise: Compromise Software Dependencies
- **TA0002 - Execution**
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- **TA0006 - Credential Access**
- T1552 - Unsecured Credentials
- T1555 - Credentials from Web Browsers/Password Stores
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Preinstall Hook Execution:** Automatically executes the malicious payload during the `npm install` phase, ensuring infection before the package is even imported.
- **Credential Harvesting:** Specifically targets GitHub Actions secrets, npm tokens, Kubernetes/Vault material, SSH keys, and Git credentials.
- **Cloud Identity Theft:** Collects metadata and identities from Google Cloud Platform (GCP) and Microsoft Azure to facilitate lateral movement into cloud infrastructure.
### Advanced Features
- **Self-Propagation:** Contains logic to use stolen Git credentials to push "orphan commits" to other repositories, furthering the supply chain attack.
- **Polymorphic Payloads:** Generates a uniquely encrypted payload for each infection, bypassing traditional hash-based detection (signature-based antivirus).
- **Fallback C2:** Utilizes GitHub-based fallback mechanisms for command and control if primary exfiltration points are blocked.
- **Thematic Branding:** Earlier versions used *Dune* terminology (Shai-Hulud), while the "Miasma" variant uses Greek mythology themes (e.g., "spartan").
## Indicators of Compromise
- **File Hashes:** Unreliable due to unique encryption per infection; however, initial malicious package shasums are tracked by security providers like Socket and Wiz.
- **File Names:** Look for unauthorized "orphan commits" in Git history not associated with a standard branch merge.
- **Registry Keys:** N/A (Node.js environment focused).
- **Network Indicators:**
- Exfiltration to GitHub-based repositories with the description: "Miasma: The Spreading Blight".
- [h]xxps://github[.]com/RedHatInsights/ (specifically unauthorized orphan commits).
- **Behavioral Indicators:**
- Unexpected outbound network traffic during `npm install`.
- `node` processes attempting to access `.ssh`, `.aws`, or `.kube` directories.
- Identification of `preinstall` scripts in `package.json` pointing to obfuscated or unknown scripts.
## Associated Threat Actors
- **TeamPCP:** Known for open-sourcing the original Shai-Hulud code.
- **Miasma/Spartan Actor:** Potentially a copycat or a splinter group using the open-sourced TeamPCP code with modified Greek mythology themes.
## Detection Methods
- **Signature-based:** Standard AV is largely ineffective due to polymorphic encryption; however, scanning `package-lock.json` for known-malicious versions of Red Hat Cloud Services packages is effective.
- **Behavioral:** Monitor for unexpected file access to sensitive directories (e.g., `~/.ssh`) originating from Node.js processes.
- **SCA Tools:** Use Software Composition Analysis (SCA) tools to flag packages published via bypassed code reviews or orphan commits.
## Mitigation Strategies
- **Credential Rotation:** Immediately rotate all SSH keys, cloud tokens, and npm tokens if an infected package was installed.
- **Namespace Verification:** Use npm's "scoped packages" features and verify the integrity of the registry.
- **Audit Hooks:** Disable or strictly audit npm scripts (e.g., using `--ignore-scripts`) during dependency installation in CI/CD pipelines.
- **Enforce MFA:** Ensure all GitHub/GitLab contributors use hardware-based MFA to prevent account takeovers via session hijacking.
## Related Tools/Techniques
- **Shai-Hulud (Original):** The predecessor tool that used *Dune* references.
- **Dependency Confusion:** A similar technique used to trick systems into downloading malicious internal-sounding packages from public registries.