TeamPCP Weekly Analysis: 2026-W18 (2026-04-27 through 2026-05-03) (Mon, May 4th)
ID: 2d79ba47-9120-5776-980f-768ade8fa628
STIX ID: report--2d79ba47-9120-5776-980f-768ade8fa628
Feed Name: SANS ISC Diary
**Executive summary:** A May 2026 weekly intelligence report documents the 'Mini Shai-Hulud' self-propagating supply-chain worm, attributed to TeamPCP. The worm compromised four SAP npm packages and then spread to PyPI (PyTorch Lightning) and Packagist (intercom-php) within ~36 hours, harvesting credentials and seeding roughly 1,800 GitHub repositories using stolen tokens. The report also covers Check Point Research's disclosure that Vect 2.0 (TeamPCP's extortion partner) has a ChaCha20 nonce-reuse flaw that effectively turns it into a wiper for files larger than 128 KB. It includes IOCs (SHA-256 hashes, C2 endpoint), a timeline, vendor sources, and analyst recommendations to watch for further downstream compromises and institutional response.
