Mini Shai Hulud: Cross-ecosystem supply chain worm targeting npm & PyPI
ID: 3d564752-40c3-50b3-8f5f-de5e3052ab08
STIX ID: report--3d564752-40c3-50b3-8f5f-de5e3052ab08
Feed Name: Expel Blog
On May 11, 2026, TeamPCP executed a large-scale supply-chain campaign, dubbed "Mini Shai Hulud", that compromised 170+ npm and PyPI packages by abusing GitHub Actions to publish malicious updates with valid provenance. The payload is an obfuscated credential stealer that exfiltrates AWS, GitHub, Vault, and Kubernetes credentials, self-propagates via npm tokens, and injects persistence into Claude Code and VS Code. The report provides IOCs (domains, filenames, a malicious file hash, an IP address, and an author alias), recommended containment and credential-rotation steps, and indicators for detection and remediation.
