Forensic Dragnet · 2026-04-29 · Active Campaign

Mini Shai-Hulud has appeared.

A Bun-runtime npm supply-chain worm by threat actor TeamPCP seeded SAP-ecosystem credential theft into 1,117 GitHub dropbox repositories across 22 compromised accounts in a single 7-hour propagation window.

TL;DR. Trojaned @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, mbt and @bitwarden/cli ship encrypted credential bundles to audit.checkmarx.cx, hosted at 94.154.172.43 (AS209101 IP Vendetta Inc., Seychelles). Same actor as the April 22 Checkmarx KICS Docker / VS Code attack.
Campaign: mini-shai-hulud
Actor: TeamPCP
First drop: 2026-04-29 10:00:13Z
C2 endpoint: https://audit.checkmarx.cx/v1/telemetry
Bun runtime: v1.3.13
Repo marker: "A Mini Shai-Hulud has Appeared"
Dropbox repos: 1,117
Compromised accounts: 22
Trojaned npm packages: 5
Indicators of compromise: 47
Median exfil drift: 5s
Propagation window: 7h

Section 01 · Worm propagation curve

One unbroken hour-long burst, then decay

368 dropboxes in the 10:00 hour, fading to single-digit by 17:00 UTC as victims rotate stolen PATs. Every dropbox traces back to a stolen GitHub Personal Access Token harvested from the trojaned npm install.

Chart: Cumulative dropbox creation. Each step is one stolen-PAT-driven repo.
Chart: Per-hour dropbox volume. Worm peaks at 368 drops in hour 10; decay reflects victim PAT rotations landing.

Section 02 · Victim machine archetypes

Five behavioral fingerprints from one worm

Vajra cross-field invariants over the 22-victim cohort cluster cleanly by burst rate and span. Same worm, very different victim hosts.

Chart: Burst rate × payload size, per-victim scatter. Top-right cluster = CI-burst (high rate, heavy payload). Bottom-right = sustained dev workstations. Bottom-left = single-shot.

Section 03 · Attack chain

npm install → harvest → dropbox → C2

Median 5-second drift from dropbox creation to credential upload. One unbroken automated chain on the victim machine — no batching, no delay.

  1. TeamPCP threat actor: public attribution via 2026-04-22 X/Twitter boast.
  2. Stolen npm tokens: CloudMTABot · cap-bots, via prior March 2026 ops.
  3. Trojaned npm packages: mbt 1.2.48, @cap-js/sqlite 2.2.2, @cap-js/postgres 2.2.2, @cap-js/db-service 2.10.1, @bitwarden/cli 2026.4.0; setup.mjs preinstall, SHA-256 4066781f…f45e34.
  4. Bun runtime v1.3.13: sandbox / detection evasion.
  5. Victim machine: npm install / preinstall harvests .npmrc, .ssh, .aws, .claude.json, GH PAT, MCP.
  6. Dropbox repository: {dune}-{dune}-NNN, description "A Mini Shai-Hulud has Appeared".
  7. C2: audit.checkmarx.cx → 94.154.172.43 (AS209101 IP Vendetta, Seychelles · BPH), /v1/telemetry.

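
A defender-side check for the attack chain above: the package@version pairs and the setup.mjs preinstall hook named in this report, applied to a project's package-lock.json and package.json. This is an added example, not tooling from the page or from the dragnet toolchain; the lockfile and package.json it parses are constructed samples, and the lifecycle-hook test is a file-name heuristic, not a signature.

```python
"""Lockfile / package.json check for the trojaned packages named in this report.

Added example, not tooling from the page or the dragnet toolchain. The
package@version pairs and the setup.mjs preinstall hook come from the attack
chain above; the lockfile and package.json below are constructed samples.
"""
import json
import re

# Trojaned package versions listed in the attack chain (from the report).
TROJANED = {
    "mbt": {"1.2.48"},
    "@cap-js/sqlite": {"2.2.2"},
    "@cap-js/postgres": {"2.2.2"},
    "@cap-js/db-service": {"2.10.1"},
    "@bitwarden/cli": {"2026.4.0"},
}
# The report names a setup.mjs preinstall hook as the dropper. Flag any npm
# lifecycle hook whose command references that file name (heuristic only).
SUSPECT_SCRIPT_RE = re.compile(r"setup\.mjs")
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def package_name_from_path(path):
    """'node_modules/a/node_modules/@cap-js/sqlite' -> '@cap-js/sqlite'."""
    return path.split("node_modules/")[-1]


def scan_lockfile(lock):
    """Return sorted (name, version, path) for every trojaned install.

    Walks the lockfileVersion 2/3 'packages' map, so copies nested under a
    dependency's own node_modules directory are caught as well as hoisted ones.
    """
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = package_name_from_path(path)
        if meta.get("version") in TROJANED.get(name, ()):
            hits.append((name, meta["version"], path))
    return sorted(hits)


def scan_scripts(pkg):
    """Return lifecycle hooks whose command references setup.mjs."""
    scripts = pkg.get("scripts", {})
    return [h for h in LIFECYCLE_HOOKS if SUSPECT_SCRIPT_RE.search(scripts.get(h, ""))]


def audit(lock_text, pkg_text):
    """Parse both files and return the combined findings."""
    lock = json.loads(lock_text)
    pkg = json.loads(pkg_text)
    return {"trojaned": scan_lockfile(lock), "suspect_hooks": scan_scripts(pkg)}


# Constructed sample lockfile: one direct trojaned install, one clean version
# of a listed package, and one trojaned copy nested under another dependency.
SAMPLE_LOCK = json.dumps({
    "name": "sample-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app", "version": "0.0.1"},
        "node_modules/mbt": {"version": "1.2.48"},
        "node_modules/@cap-js/sqlite": {"version": "2.2.1"},
        "node_modules/some-dep": {"version": "4.0.0"},
        "node_modules/some-dep/node_modules/@cap-js/db-service": {"version": "2.10.1"},
    },
})
# Constructed sample package.json carrying a preinstall hook like the dropper's.
SAMPLE_PKG = json.dumps({
    "name": "sample-app",
    "scripts": {"preinstall": "node setup.mjs", "test": "node --test"},
})

if __name__ == "__main__":
    result = audit(SAMPLE_LOCK, SAMPLE_PKG)
    for name, version, path in result["trojaned"]:
        print(f"TROJANED {name}@{version} at {path}")
    for hook in result["suspect_hooks"]:
        print(f"SUSPECT lifecycle hook: {hook}")
```

The version match is exact on purpose: the clean 2.2.1 copy of @cap-js/sqlite in the sample is not reported, while the 2.10.1 copy of @cap-js/db-service is caught even though it sits under another dependency's node_modules. Run it against a real package-lock.json by reading the two files instead of the constructed strings.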

Section 04 · TeamPCP campaign chronology

~1 major drop per week, March → April 2026

TeamPCP runs a sustained campaign cadence. Mini Shai-Hulud is the fourth observable operation; same C2 infrastructure spans the Checkmarx KICS attack one week prior.

Section 05 · IOC inventory

47 indicators across 14 kinds

All indicators are sourced; see the source column. Full JSONL: data/iocs.jsonl.

Section 06 · C2 infrastructure

Offshore bulletproof, registered six days before drop

Apex domain: checkmarx.cx
Updated 2026-04-23 — six days before the worm.
Registrar: CentralNic Ltd (UK)
NS: ns{1,2,3}.dnsowl.com (NameSilo)

Resolver IP: 94.154.172.43
AS209101 IP Vendetta Inc., Seychelles (Victoria). Known offshore bulletproof hosting.

C2 endpoint: https://audit.checkmarx.cx/v1/telemetry
Subdomain only resolves during the exfil window; currently NXDOMAIN at rest. Operational tradecraft.

Section 07 · Methodology

How the dragnet was performed

The dragnet uses a custom op-recon toolchain combining GitHub Code Search, identity-graph spider (kraken), per-account anomaly scoring (hunter), and structural triage (vajra).

  1. Description-marker dragnet — GitHub Search API for "A Mini Shai-Hulud has Appeared" in:description; bypass the 1k-result cap by hour-bucketed pagination.
  2. Per-victim profile enrichment — pull GitHub user profile, repo count, follower/following counts. Cluster on company/location to surface corporate compromises.
  3. Burst-rate clustering — per-account aggregation produces (repo_count, span, repos_per_min, total_kb). Vajra invariants reveal repo_count ↔ repos_per_min strength 0.896 (compromise scales with automation).
  4. Hunter star-farm rule-out — hunter against 11 known-operator anchor sets (cfnb, 3xui, clashmeta, …). All 4 leads flagged: false, cohort: OTHER. Confirms PAT theft, not synthetic-from-inception.
  5. Kraken d=1 spider — map identity network around CloudMTABot to surface SAP CAP / Cloud Foundry maintainers needing IR notification.
  6. Exfil-time forensics — decode Unix-ms timestamps in results-{ts}-N.json filenames; compute drift vs repo creation time. Median 5s, p99 299s, 0 negative drifts.
  7. Cross-campaign pivot — same C2 / Bun version / repo regex bridges the April 22 Checkmarx KICS attack. Threat actor identified as TeamPCP via harekrishnarai/software-supply-chain-monitor.
  8. Privacy guardrail — corporate / infrastructure compromises disclosed by org name; individual personal-victim accounts retained in raw artefacts but redacted from the public dataset.
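
Steps 3 and 6 above (burst-rate clustering and exfil-time forensics), plus the per-hour volume curve of Section 01, as one worked computation. This is an added example and not the page's kraken/hunter/vajra toolchain: the dropbox records are constructed samples shaped like GitHub repository search hits (owner, name, created_at, size in KB) together with the results-{unix_ms}-N.json file names found in each repo, and the archetype thresholds in classify() are assumptions chosen to match the scatter-plot description, not values from the dossier.

```python
"""Dropbox-repo forensics: hourly volume, per-victim burst stats and exfil drift.

Added example, not the page's kraken/hunter/vajra toolchain. Repo records are
constructed samples; results-file timestamps are Unix milliseconds, as the
methodology describes. Archetype thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import median

RESULT_FILE_RE = re.compile(r"^results-(\d{13})-(\d+)\.json$")


def parse_iso(ts):
    """GitHub-style '2026-04-29T10:00:13Z' -> aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hourly_volume(repos):
    """Dropboxes created per UTC hour-of-day (the Section 01 per-hour curve)."""
    return dict(Counter(parse_iso(r["created_at"]).hour for r in repos))


def per_victim(repos):
    """Aggregate (repo_count, span_min, repos_per_min, total_kb) per owner."""
    by_owner = defaultdict(list)
    for r in repos:
        by_owner[r["owner"]].append(r)
    stats = {}
    for owner, rs in by_owner.items():
        times = sorted(parse_iso(r["created_at"]) for r in rs)
        span_min = (times[-1] - times[0]).total_seconds() / 60.0
        count = len(rs)
        # A single-shot victim has zero span; report its rate as count per minute.
        rate = count / span_min if span_min > 0 else float(count)
        stats[owner] = {"repo_count": count, "span_min": span_min,
                        "repos_per_min": rate, "total_kb": sum(r["size_kb"] for r in rs)}
    return stats


def classify(s):
    """Map per-victim stats to the scatter archetypes. Thresholds are assumed."""
    if s["repo_count"] == 1:
        return "single-shot"
    if s["repos_per_min"] >= 5 and s["total_kb"] >= 500:
        return "ci-burst"
    return "sustained-dev"


def exfil_drifts(repos):
    """Seconds from repo creation to each decoded results-file timestamp."""
    drifts = []
    for r in repos:
        created = parse_iso(r["created_at"]).timestamp()
        for fname in r["files"]:
            m = RESULT_FILE_RE.match(fname)
            if m:
                drifts.append(int(m.group(1)) / 1000.0 - created)
    return drifts


def percentile(values, p):
    """Nearest-rank percentile (no interpolation)."""
    ordered = sorted(values)
    rank = max(1, -(-p * len(ordered) // 100))  # ceil(p/100 * n)
    return ordered[rank - 1]


def drift_summary(repos):
    """Median, p99 and negative-drift count; a negative drift would mean an
    upload timestamp earlier than the repo it landed in, i.e. a broken chain."""
    d = exfil_drifts(repos)
    return {"n": len(d), "median_s": median(d), "p99_s": percentile(d, 99),
            "negative": sum(1 for x in d if x < 0)}


def make_repo(owner, name, created_at, size_kb, drifts_s):
    """Constructed sample record whose result files land drifts_s after creation."""
    base = parse_iso(created_at).timestamp()
    files = [f"results-{int((base + d) * 1000)}-{i + 1}.json" for i, d in enumerate(drifts_s)]
    return {"owner": owner, "name": name, "created_at": created_at, "size_kb": size_kb, "files": files}


# Constructed cohort: a CI-burst host, a dev workstation and a single-shot victim.
# The first record's file decodes to results-1777456818000-1.json (10:00:13Z + 5 s).
SAMPLE_REPOS = [
    make_repo("ci-victim", "arrakis-caladan-001", "2026-04-29T10:00:13Z", 900, [5]),
    make_repo("ci-victim", "arrakis-caladan-002", "2026-04-29T10:00:20Z", 900, [5]),
    make_repo("ci-victim", "arrakis-caladan-003", "2026-04-29T10:00:27Z", 900, [5]),
    make_repo("dev-victim", "giedi-kaitain-001", "2026-04-29T10:05:00Z", 40, [3]),
    make_repo("dev-victim", "giedi-kaitain-002", "2026-04-29T12:05:00Z", 40, [299]),
    make_repo("solo-victim", "ix-tleilax-001", "2026-04-29T11:00:00Z", 12, [5]),
]

if __name__ == "__main__":
    print("per-hour:", hourly_volume(SAMPLE_REPOS))
    for owner, s in per_victim(SAMPLE_REPOS).items():
        print(f"{owner}: {s} -> {classify(s)}")
    print("drift:", drift_summary(SAMPLE_REPOS))
```

Swap SAMPLE_REPOS for records built from real search hits and the repos' file listings, and the same functions reproduce the three numbers the methodology reports (median, p99, negative-drift count) plus the per-victim tuple that feeds the scatter. The nearest-rank p99 is deliberate: with a few hundred drifts an interpolated p99 would average the tail, hiding the single slowest exfil.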

Full methodology & dossier in the repo: DOSSIER.md