logo

Mini Shai-Hulud Weaponizes Tasks.JSON Files

ID: 85d4b87f-304c-5a75-af05-40769f6a8913

STIX ID: report--85d4b87f-304c-5a75-af05-40769f6a8913

Feed Name: OpenSourceMalware Blog

Threat Score
88/100

Date Published: 2026-04-30

Date Updated: 2026-06-20

Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2

...
...

Mini Shai-Hulud is an active npm worm (attributed to TeamPCP) that spreads by adding auto-executing developer tooling configs—most notably .vscode/tasks.json with "runOn":"folderOpen" and .claude SessionStart hooks—into repositories, enabling remote code execution, credential harvesting, and self-propagation across GitHub; four SAP CAP-related npm packages and multiple file-hash IOCs are identified, and immediate actions include hunting for the tasks.json/.claude signatures, rotating exposed credentials, pinning dependencies, and tightening OIDC and workspace-trust policies.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.