u/Ok-Barracuda5306

Wiz published details today on Mini Shai-Hulud, the latest TeamPCP supply chain operation. SAP npm packages (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, mbt) got a malicious preinstall hook that runs Bun, executes an obfuscated payload, and exfils GitHub tokens, npm creds, AWS/Azure/GCP secrets, Kubernetes tokens, and Actions secrets to attacker-controlled GitHub repos. New twists vs. previous TeamPCP ops: browser credential theft, Claude Code + VS Code reinfection hooks, and a fallback that searches GitHub for commits with the magic string OhNoWhatsGoingOnWithGitHub to recover tokens from unrelated victims.

What strikes me reading through the Wiz, Aikido, and Socket writeups back to back: the kill chain is identical to Shai-Hulud, Shai-Hulud 2.0, Nx, axios, and Namastex. Maintainer creds get phished or a token gets stolen → malicious version published → CI/CD pipelines worldwide pull it within minutes → secrets exfiltrated → npm yanks the version a few hours later.

Every defensive tool I keep seeing recommended is reactive. Scanners, package allowlists, SCA, even most "firewall" products — they all depend on someone detecting the malicious package first. By the time threat intel updates and your tool starts returning 403s, every CI runner that pulled the package in the detection window has already been drained. And here's the part I keep coming back to: Mini Shai-Hulud exfils to api.github.com over GraphQL. That's an allowlisted destination for basically every build on the planet. A domain-level egress firewall does nothing. The malware also base64-encodes the stolen tokens (and double-base64s them in the fallback path), so a naive "scan for secrets in outbound traffic" check misses them entirely.

So you've got two real defensive layers that can actually disrupt this without depending on detection speed:

Pre-install: package version cooldown. Don't let a freshly-published version into your build for 24-72 hours, regardless of whether anyone's flagged it. pnpm has minimumReleaseAge, npm added min-release-age. Mini Shai-Hulud, axios, Namastex, both Shai-Hulud waves — all yanked well within 48 hours, all blocked by a cooldown gate with zero detection required.

Build-time: outbound deep packet inspection on the runner itself. Not "is this domain allowlisted" — is this build process trying to send something that looks like an encoded secret, even to a legitimate destination. InvisiRisk's Build Application Firewall is the only product I've seen actually do this. They inspect outbound request bodies and headers as the build runs and detect base64, double-base64, and layered encoding schemes — the exact techniques Mini Shai-Hulud uses. So even if the malicious package is older than 48 hours, or the cooldown gets overridden, or it's a transitive dep nobody noticed, the secret can't physically leave the runner. They blogged about adding the encoded-secret interception specifically in response to TeamPCP / Shai-Hulud-style campaigns about a week ago.

Defense-in-depth with both layers is what actually breaks this attack class. Cooldown handles the easy case (fresh malicious version, you just don't pull it). Build-time DPI handles the hard case (sleeper packages, overrides, transitive surprises, anything where the package made it into the build anyway).

Is anyone running either layer in production? Curious especially about the build-time egress side — I assume the friction is around tuning what counts as "encoded secret leaving the build" without nuking every legitimate CI artifact upload. How are teams handling that?

u/Ok-Barracuda5306 — 2 months ago
10 points · r/cicd (+1 crosspost)
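The pre-install cooldown gate described in the post, as an added example that is not part of the original post and not pnpm's or npm's own implementation. pnpm's `minimumReleaseAge` setting does this natively at install time; the script below is the same check written as a standalone pre-install step for pipelines that cannot rely on that setting. It reads the registry packument's `time` map (version to ISO publish timestamp, which is what `https://registry.npmjs.org/<name>` returns) for each locked dependency and flags any version younger than the window. Package names, versions and timestamps here are constructed sample data, and the packuments are passed in as a pre-fetched map so the check runs offline.

```javascript
'use strict';

const HOUR_MS = 60 * 60 * 1000;

/**
 * Returns the dependencies whose locked version was published less than
 * `minAgeHours` before `now` (a ms epoch timestamp).
 *
 * lockedDeps: { name: version } as read from the lockfile.
 * packuments: { name: packument } where packument.time maps each version to
 *             its ISO publish time (the registry's full-metadata document).
 *
 * A version with no publish time fails closed: we would rather block a build
 * than assume an unknown version is old enough.
 */
function findCooldownViolations(lockedDeps, packuments, now, minAgeHours) {
  const violations = [];
  for (const [name, version] of Object.entries(lockedDeps)) {
    const packument = packuments[name];
    const published = packument && packument.time && packument.time[version];
    if (!published) {
      violations.push({ name, version, reason: 'no publish time in packument' });
      continue;
    }
    const ageHours = (now - Date.parse(published)) / HOUR_MS;
    if (ageHours < minAgeHours) {
      violations.push({ name, version, reason: `published ${ageHours.toFixed(1)}h ago` });
    }
  }
  return violations;
}

// Constructed sample data (not real registry responses): one dependency whose
// locked version was published an hour before the build, one that has aged
// well past any reasonable window.
const NOW = Date.parse('2026-03-24T12:00:00Z');
const SAMPLE_PACKUMENTS = {
  'example-db-plugin': {
    time: { '2.3.0': '2026-03-01T09:00:00Z', '2.3.1': '2026-03-24T11:00:00Z' },
  },
  'example-util': {
    time: { '1.0.0': '2025-12-15T08:30:00Z' },
  },
};
const SAMPLE_LOCK = { 'example-db-plugin': '2.3.1', 'example-util': '1.0.0' };

// Stand-alone run: a 48h window blocks example-db-plugin@2.3.1 only.
const violations = findCooldownViolations(SAMPLE_LOCK, SAMPLE_PACKUMENTS, NOW, 48);
console.log(violations.length ? violations : 'all locked versions are older than the cooldown');
```

In a real pipeline the packument map would be filled by fetching `https://registry.npmjs.org/<name>` for each lockfile entry before `npm ci`, and a non-empty result would fail the job. Note that the check compares against the version's own publish time, so a maintainer republishing an old version number is not the case it catches; that is what lockfile integrity hashes are for.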

A lot of recent incidents don’t start in CI/CD — but leaked environment variables seem like a fast way to amplify damage through builds. Curious how folks here think about containing that blast radius at build time, not just preventing the initial leak.

u/Ok-Barracuda5306 — 2 months ago