Mini Shai Hulud

TeamPCP compromised 84 versions across 42 TanStack packages on May 11 using GitHub Actions cache poisoning. The malware steals CI/CD credentials and includes a wiper that triggers on token revocation.

Four official SAP CAP ecosystem packages compromised on April 29, harvesting developer credentials, cloud secrets, and CI/CD tokens through malicious preinstall scripts.