SAP npm Packages Compromised in Sophisticated Supply Chain Attack
A recent supply chain attack, termed mini Shai Hulud, has infiltrated the npm ecosystem by compromising four SAP-related packages. The packages, `@cap-js/sqlite`, `@cap-js/postgres`, `@cap-js/db-service`, and `mbt`, were maliciously altered to include preinstall scripts that run stealthily during dependency installation. The breach poses a significant threat to developer environments and Continuous Integration/Continuous Deployment (CI/CD) pipelines, and aims to harvest credentials for platforms such as GitHub, npm, and major cloud service providers.
Discovery and Analysis
Security experts from StepSecurity, Aikido Security, SafeDep, Socket, and Wiz identified that the compromised versions of these SAP Cloud Application Programming Model (CAP) ecosystem packages contained a weaponized `preinstall` hook within their `package.json` files. This hook initiates a multi-stage attack designed to evade detection and extract sensitive information.
Evasion Techniques and Payload Execution
Unlike previous attacks that utilized Node.js for payload execution, this campaign employs a novel approach by downloading the Bun JavaScript runtime during the installation process. The initial dropper script, `setup.mjs`, fetches and executes a heavily obfuscated 11 MB second-stage payload named `execution.js`. This method effectively bypasses traditional security tools focused on Node.js execution patterns, making detection more challenging.
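A defender can triage an installed dependency tree for this pattern by listing every install-time lifecycle hook and ranking it against the indicators named in this article. The following is an added example, not code from the researchers or from SAP; the function names, severity labels, and sample manifests (including their versions and hook commands) are constructed for illustration, and the `setup.mjs`/Bun match is a heuristic rather than a signature.

```javascript
// Install-time lifecycle scripts that npm runs automatically.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
// Indicators taken from this article: the four affected package names,
// the dropper file name, and the Bun runtime used for the second stage.
const AFFECTED = ['@cap-js/sqlite', '@cap-js/postgres', '@cap-js/db-service', 'mbt'];
const SUSPICIOUS = [/setup\.mjs/i, /\bbun\b/i];

// Pure check on one parsed package.json; returns findings (empty array = no install hooks).
function auditManifest(manifest) {
  const findings = [];
  const scripts = (manifest && typeof manifest.scripts === 'object' && manifest.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    const hit = SUSPICIOUS.some((re) => re.test(cmd));
    // high: hook command matches an indicator; medium: affected package with any hook.
    const severity = hit ? 'high' : AFFECTED.includes(manifest.name) ? 'medium' : 'info';
    findings.push({ name: manifest.name, version: manifest.version, hook, cmd, severity });
  }
  return findings;
}

// Walk an installed tree (e.g. ./node_modules) and audit every package.json found.
async function scanTree(root) {
  const { readdir, readFile } = await import('node:fs/promises'); // works in CJS and ESM
  const out = [];
  for (const entry of await readdir(root, { withFileTypes: true })) {
    const full = `${root}/${entry.name}`;
    if (entry.isDirectory()) out.push(...(await scanTree(full)));
    else if (entry.name === 'package.json') {
      try { out.push(...auditManifest(JSON.parse(await readFile(full, 'utf8')))); }
      catch { /* unreadable or malformed manifest: skip it */ }
    }
  }
  return out;
}

// Constructed sample manifests (not the real compromised files).
const SAMPLES = [
  { name: '@cap-js/sqlite', version: '0.0.0-example', scripts: { preinstall: 'node setup.mjs' } },
  { name: 'mbt', version: '0.0.0-example', scripts: { install: 'node install.js' } },
  { name: 'example-lib', version: '0.0.0-example', scripts: { test: 'node test.js' } },
];
const sampleFindings = SAMPLES.flatMap(auditManifest);
console.log(sampleFindings);
```

A `medium` finding only means an affected package declares an install hook, so its installed version still has to be checked against the vendors' advisories. Installing with `npm ci --ignore-scripts` keeps lifecycle hooks from running at all while the tree is being reviewed.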
Credential Theft Mechanism
Once activated, `execution.js` operates as a comprehensive credential stealer and self-propagation framework. Its capabilities include:
– Harvesting Developer Credentials: Extracting GitHub tokens and npm credentials from developer workstations.
– Cloud Service Secrets: Collecting environment variables and secrets from AWS, Azure, and Google Cloud Platform (GCP).
– Kubernetes Access Tokens: Retrieving Kubernetes tokens and service account credentials.
– CI/CD Pipeline Secrets: Accessing GitHub Actions secrets, including runtime secrets directly from the runner’s memory.
The stolen data is encrypted and exfiltrated to attacker-controlled public GitHub repositories, mirroring the exfiltration methods observed in the original Shai-Hulud campaign.
Self-Propagation Strategy
The malware exhibits self-propagating behavior by utilizing stolen npm tokens to identify other packages associated with the compromised maintainer’s account. It injects malicious code into these packages and republishes them, facilitating exponential spread across the npm ecosystem without direct intervention from the attackers.
Geofencing and Targeted Execution
A notable feature of this malware is its geofencing capability. During initialization, it checks the system’s date/time locale settings and environment language variables for values beginning with ‘ru’. If the system is configured for the Russian language, the malware self-terminates, ensuring no data is exfiltrated from Russian-speaking environments. This deliberate exclusion is a recurring characteristic in campaigns attributed to the threat actor group known as TeamPCP.
Attribution to TeamPCP
Researchers have attributed this campaign to TeamPCP with high confidence, citing multiple overlapping technical signatures with previously documented operations targeting packages such as Trivy, LiteLLM, and Checkmarx KICS. Key indicators supporting this attribution include:
– Consistent Encoding Techniques: Use of the `__decodeScrambled` cipher to encode secrets before exfiltration.
– Geofencing Logic: Implementation of Russian-language early-exit logic to avoid targeting Russian-speaking systems.
– Shared Dropper Script: Presence of an identical dropper script (`setup.mjs`) across all compromised packages.
– Infrastructure Abuse Patterns: Utilization of install-time execution, off-host exfiltration, and self-propagation mechanisms.
Implications and Recommendations
This attack underscores the critical need for vigilance in managing software supply chains. Developers and organizations are urged to:
– Audit Dependencies: Regularly review and verify the integrity of all dependencies, especially those from third-party sources.
– Monitor for Anomalies: Implement monitoring tools to detect unusual behaviors during package installation and execution.
– Rotate Credentials: Promptly rotate any credentials that may have been exposed to mitigate potential unauthorized access.
– Enhance Security Practices: Adopt security best practices, including the principle of least privilege, to minimize the impact of potential breaches.
By taking these proactive measures, developers and organizations can better protect their environments from sophisticated supply chain attacks like the one targeting SAP npm packages.