Mini Shai-Hulud Weaponizes Tasks.JSON Files
ID: 85d4b87f-304c-5a75-af05-40769f6a8913
STIX ID: report--85d4b87f-304c-5a75-af05-40769f6a8913
Feed Name: OpenSourceMalware Blog
Date Published: 2026-04-30
Date Updated: 2026-06-20
Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2
Mini Shai-Hulud is an active npm worm (attributed to TeamPCP) that spreads by adding auto-executing developer tooling configs—most notably .vscode/tasks.json with "runOn":"folderOpen" and .claude SessionStart hooks—into repositories, enabling remote code execution, credential harvesting, and self-propagation across GitHub; four SAP CAP-related npm packages and multiple file-hash IOCs are identified, and immediate actions include hunting for the tasks.json/.claude signatures, rotating exposed credentials, pinning dependencies, and tightening OIDC and workspace-trust policies.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
