T1195.001 Compromise Software Dependencies and Development Tools
99%
“the never-ending supply chain attacks worm into sap npm packages, other dev tools the never-ending supply chain attacks worm into sap npm packages, other dev tools mini shai-hulud caught spreading credential-stealing malware the wave of supply chain attacks aimed at secur…”
T1195.001 Compromise Software Dependencies and Development Tools
99%
“thursday attacks on the intercom and lightning packages appear to contain the same malicious code seen in the sap operation. here's what has happened in the world of supply-chain attacks over the past 48 hours. sap-related npm packages on april 29, teampcp compromised four …”
T1195.001 Compromise Software Dependencies and Development Tools
99%
“infects developer npm packages," according to socket, which also published a separate mini shai-hulud supply-chain campaign page that it updates as new information comes to light. and intercom's npm package also on thursday: socket and wiz sounded the alarm on a new compr…”
T1195.001 Compromise Software Dependencies and Development Tools
99%
“##s, npm credentials, cloud secrets (aws, azure, gcp), kubernetes tokens, and github actions secrets – leveraging advanced techniques such as extracting secrets from runner memory. exfiltration occurs via public github repositories, where it posts encrypted payloads. additional…”
T1195.001 Compromise Software Dependencies and Development Tools
98%
“include: - mbt@1.2.48 - @cap-js/db-service@2.10.1 - @cap-js/postgres@2.2.2 - @cap-js/sqlite@2.2.2 collectively, these four packages receive about 572,000 weekly downloads and are widely used by developers building cloud applications. sap did not…”
T1195 Supply Chain Compromise
94%
“of thousands' hit in litellm supply-chain attack "the attack closely resembles the lightning@2.6.2 pypi attack from earlier today, as well as the teampcp-linked supply chain campaign we reported yesterday affecting sap cap and cloud mta npm packages," socket wrote. nei…”
T1587 Develop Capabilities
71%
“infects developer npm packages," according to socket, which also published a separate mini shai-hulud supply-chain campaign page that it updates as new information comes to light. and intercom's npm package also on thursday: socket and wiz sounded the alarm on a new compr…”
T1587 Develop Capabilities
70%
“the never-ending supply chain attacks worm into sap npm packages, other dev tools the never-ending supply chain attacks worm into sap npm packages, other dev tools mini shai-hulud caught spreading credential-stealing malware the wave of supply chain attacks aimed at secur…”
T1195.002 Compromise Software Supply Chain
55%
“of thousands' hit in litellm supply-chain attack "the attack closely resembles the lightning@2.6.2 pypi attack from earlier today, as well as the teampcp-linked supply chain campaign we reported yesterday affecting sap cap and cloud mta npm packages," socket wrote. nei…”
T1587 Develop Capabilities
46%
“##s, npm credentials, cloud secrets (aws, azure, gcp), kubernetes tokens, and github actions secrets – leveraging advanced techniques such as extracting secrets from runner memory. exfiltration occurs via public github repositories, where it posts encrypted payloads. additional…”
T1587 Develop Capabilities
34%
“thursday attacks on the intercom and lightning packages appear to contain the same malicious code seen in the sap operation. here's what has happened in the world of supply-chain attacks over the past 48 hours. sap-related npm packages on april 29, teampcp compromised four …”
T1195.002 Compromise Software Supply Chain
34%
“thursday attacks on the intercom and lightning packages appear to contain the same malicious code seen in the sap operation. here's what has happened in the world of supply-chain attacks over the past 48 hours. sap-related npm packages on april 29, teampcp compromised four …”
T1195.002 Compromise Software Supply Chain
32%
“##s, npm credentials, cloud secrets (aws, azure, gcp), kubernetes tokens, and github actions secrets – leveraging advanced techniques such as extracting secrets from runner memory. exfiltration occurs via public github repositories, where it posts encrypted payloads. additional…”
Summary
Mini Shai-Hulud caught spreading credential-stealing malware
The wave of supply chain attacks aimed at security and developer tools has washed up more victims, namely SAP and Intercom npm packages, plus the lightning PyPI package.…