Credential-Stealing Malware Targets SAP-Related npm Packages in Sophisticated Supply Chain Attack
In a recent and alarming development, cybersecurity experts have identified a sophisticated supply chain attack targeting SAP-related npm packages. This campaign, dubbed mini Shai-Hulud, has compromised several packages integral to SAP’s JavaScript and cloud application development ecosystem.
Affected Packages:
– [email protected]
– @cap-js/[email protected]
– @cap-js/[email protected]
– @cap-js/[email protected]
These compromised versions introduced unexpected installation-time behaviors. Notably, they added a preinstall script that acts as a runtime bootstrapper. This script downloads a platform-specific Bun ZIP from GitHub Releases, extracts it, and immediately executes the extracted Bun binary. Such behavior was not part of these packages’ original functionality.
The implementation also follows HTTP redirects without validating the destination and uses PowerShell with -ExecutionPolicy Bypass on Windows, increasing the risk for affected developer and CI/CD environments.
The malicious packages share several characteristics with previous operations attributed to the threat actor known as TeamPCP, suggesting a possible link to the same group.
Timeline of the Attack:
The malicious versions were published on April 29, 2026, between 09:55 UTC and 12:14 UTC. These versions introduced a new package.json preinstall hook that runs a file named setup.mjs. This file acts as a loader for the Bun JavaScript runtime, executing the credential stealer and propagation framework (execution.js).
Malware Capabilities:
The malware is designed to harvest a wide range of sensitive information, including:
– Local developer credentials
– GitHub and npm tokens
– GitHub Actions secrets
– Cloud secrets from AWS, Azure, GCP, and Kubernetes
The stolen data is encrypted and exfiltrated to public GitHub repositories created on the victim’s own account, each bearing the description A Mini Shai-Hulud has Appeared. As of now, over 1,100 such repositories have been identified.
Self-Propagation Mechanism:
The 11.6 MB payload is equipped with self-propagation capabilities. It leverages the stolen GitHub and npm tokens to inject a malicious GitHub Actions workflow into the victim’s repositories. This workflow is designed to steal repository secrets and publish compromised versions of npm packages to the registry, thereby extending the reach of the attack.
Distinctive Features of This Attack:
This incident exhibits notable differences from previous Shai-Hulud campaigns:
– Advanced Encryption: All exfiltrated data is encrypted using AES-256-GCM, with the key encapsulated via RSA-4096. The public key is embedded within the payload, ensuring that only the attacker can decrypt the data.
– Geographical Targeting: The malware is designed to avoid execution on systems with a Russian locale, indicating a deliberate targeting strategy.
– Innovative Persistence Mechanism: The payload commits itself into every accessible GitHub repository by injecting a .claude/settings.json file that exploits Claude Code’s SessionStart hook. Additionally, it adds a .vscode/tasks.json file with the runOn: folderOpen setting. This ensures that opening the infected repository in Microsoft Visual Studio Code (VS Code) or Claude Code triggers the malware execution.
This marks one of the first instances where a supply chain attack has targeted AI coding agent configurations as a vector for persistence and propagation.
Root Cause Analysis:
Investigations have revealed that the attackers compromised the account of RoshniNaveenaS for the three @cap-js packages. They then pushed a modified workflow to a non-main branch and used the extracted npm OIDC token to publish the malicious packages without provenance. In the case of mbt, it is suspected that the attackers obtained the cloudmtabot static npm token through an undetermined method.
The cds-dbs team had migrated to npm OIDC trusted publishing in November 2025. Under this setup, GitHub Actions can request a short-lived npm token without storing any long-lived secrets in the repository. The attacker exploited this configuration by manually reproducing the token exchange in a CI step and printing the resulting token.
A critical configuration gap was identified: npm’s OIDC trusted publisher configuration for @cap-js/sqlite trusted any workflow in cap-js/cds-dbs, not just the canonical release-please.yml on the main branch. This allowed a branch push to exchange an OIDC token on behalf of the package if the workflow had id-token: write permission and the environment referenced npm.
Mitigation Measures:
In response to the attack, the maintainers of the affected packages have released new, secure versions to replace the compromised releases:
– sqlite: v2.4.0, v2.3.0
– postgres: v2.3.0, v2.2.2
– hana: v2.8.0, v2.7.2
– db-service: v2.10.1
– mbt: v1.2.49
Recommendations for Developers:
– Immediate Updates: Developers using the affected packages should update to the latest secure versions without delay.
– Review Dependencies: Regularly audit and review project dependencies to identify and mitigate potential vulnerabilities.
– Enhance Security Practices: Implement
Article X Post:
Hashtags:
Article Key Phrase:
Category: Security News
