Hackers Exploit SAP npm Packages with Mini Shai-Hulud Worm to Steal Developer Credentials

Attackers Exploit SAP npm Packages to Steal Developer Credentials

In a recent and sophisticated supply chain attack, cybercriminals have targeted the SAP developer ecosystem by compromising npm packages to extract sensitive credentials from developers. This campaign employs a malicious worm, dubbed Mini Shai-Hulud, which operates covertly during the npm installation process to harvest credentials from developer machines, cloud platforms, and AI coding tools.

The Attack Mechanism

The attackers infiltrated four official SAP-published npm packages:

– `mbt`
– `@cap-js/sqlite`
– `@cap-js/postgres`
– `@cap-js/db-service`

When developers or Continuous Integration (CI) pipelines execute `npm install` on these compromised versions, a concealed preinstall script named `setup.mjs` is triggered before the installation completes. This script downloads the Bun JavaScript runtime and executes an obfuscated payload (`execution.js`), which carries out credential theft without interacting with Node.js.

Connection to Previous Attacks

Endor Labs analysts have identified this malware as a direct descendant of the original Shai-Hulud worm documented in April 2025. The Mini Shai-Hulud shares several characteristics with its predecessor, including:

– Utilization of the Bun v1.3.13 runtime bootstrap
– Employment of a custom cipher family (`ctf-scramble-v2`)
– Use of the same PBKDF2 key (`5012caa5847ae…`)

These shared markers confirm that the same threat actor is orchestrating a new campaign against SAP’s Cloud Application Programming (CAP) and Multi-Target Application (MTA) developer ecosystem, focusing on a narrower credential surface and employing a different propagation keyword.

Implications for Developers

The four compromised packages are integral to CAP-based applications widely used across SAP Business Technology Platform (BTP). Developers who have installed these malicious versions on machines containing cloud credentials or GitHub tokens should consider all secrets on those hosts as fully exposed.

Details of the Compromised Packages

| Package | Malicious Version | Last Clean Version |
|---|---|---|
| `mbt` | 1.2.48 | 1.2.47 |
| `@cap-js/sqlite` | 2.2.2 | 2.2.1 |
| `@cap-js/postgres` | 2.2.2 | 2.2.1 |
| `@cap-js/db-service` | 2.10.1 | 2.10.0 |
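
The version table above can be checked mechanically against a project's `package-lock.json`. The following is an added example, not code from the original article, SAP or Endor Labs; `findCompromised` and the sample lockfile are constructed for illustration. It also reports npm's `hasInstallScript` flag, which lockfile v2/v3 records for packages that run install-time scripts.

```javascript
// Added example. Malicious versions are copied from the table above.
const COMPROMISED = new Map([
  ['mbt', ['1.2.48']],
  ['@cap-js/sqlite', ['2.2.2']],
  ['@cap-js/postgres', ['2.2.2']],
  ['@cap-js/db-service', ['2.10.1']],
]);

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/".
function nameFromPath(key) {
  const i = key.lastIndexOf('node_modules/');
  return i === -1 ? null : key.slice(i + 'node_modules/'.length);
}

function findCompromised(lock) {
  const hits = [];
  const check = (name, entry, where) => {
    if (entry && (COMPROMISED.get(name) || []).includes(entry.version)) {
      hits.push({ name, version: entry.version, where,
        hasInstallScript: entry.hasInstallScript === true });
    }
  };
  if (lock.packages) {
    // v2/v3: flat map keyed by install path; entry.name is set for aliases.
    for (const [key, entry] of Object.entries(lock.packages)) {
      check(entry.name || nameFromPath(key), entry, key);
    }
  } else {
    // v1: nested "dependencies" tree, walked recursively.
    const walk = (deps, trail) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        check(name, entry, trail + name);
        walk(entry.dependencies, trail + name + ' > ');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed lockfile: one compromised pin next to clean versions.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-cap-app', version: '1.0.0' },
  'node_modules/@cap-js/sqlite': { version: '2.2.2', hasInstallScript: true },
  'node_modules/@cap-js/sqlite/node_modules/@cap-js/db-service': { version: '2.10.0' },
  'node_modules/mbt': { version: '1.2.47' },
} };
console.log(findCompromised(sampleLock));
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findCompromised`; transitive and aliased installs are covered because every lockfile entry is inspected, not only direct dependencies.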

Credential Harvesting Techniques

The malicious payload operates five credential harvesters concurrently:

1. npm Tokens: Scans `.npmrc` files in the user home directory, project root, and CI environment variables to collect tokens. These tokens are validated against the npm registry API to confirm publish rights, as only tokens with publish capabilities allow worm replication.

2. GitHub and Cloud Credentials: On Linux systems, the payload reads `/proc/{pid}/mem` to extract in-memory secrets from GitHub Actions. It also scans AWS credential files, queries `GetCallerIdentity` for IAM context, examines Google Cloud Secret Manager, reads Kubernetes service account JSON files, and collects Azure Key Vault credentials.

3. AI Coding Tools: The payload checks 136 hardcoded paths for settings related to AI coding tools, including Claude Code settings (`project/.claude/settings.json`) and VS Code task files (`project/.vscode/tasks.json`). It also examines Cursor IDE state, shell history, `.env` files, and SSH private keys. In CI environments, it scans across more than 25 platforms, including Jenkins, Travis, and Azure Pipelines.

Indicators of Compromise

Developers should be vigilant for the following indicators:

– Persistence Copy of Payload: `project/.claude/execution.js` (11.6 MB)
– SessionStart Hook: Presence in `project/.claude/settings.json`
– FolderOpen Trigger: Pointing to `.claude/` in `project/.vscode/tasks.json`
– Injected Credential Exfiltration Workflow: Located in `project/.github/workflows/format-check.yml`
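
The four indicators above can be checked per project. The following is an added example, not code from the original article or from Endor Labs; `findPersistenceIndicators`, its result labels and the sample snapshot are constructed, and the commands in the sample are placeholders. It assumes the Claude Code `hooks.SessionStart` settings layout and the VS Code `runOptions.runOn: "folderOpen"` task option, and falls back to a text match when a file does not parse as strict JSON.

```javascript
// Added example. `files` maps project-relative path -> file text; reading the
// files from disk is left to the caller (an assumption of this sketch).
function tryJson(text) {
  try { return JSON.parse(text); } catch { return null; }
}

function findPersistenceIndicators(files) {
  const found = [];
  const has = (p) => typeof files[p] === 'string';

  if (has('.claude/execution.js')) found.push('payload-copy');
  if (has('.github/workflows/format-check.yml')) found.push('format-check-workflow');

  if (has('.claude/settings.json')) {
    const text = files['.claude/settings.json'];
    const json = tryJson(text);
    const hooks = json && json.hooks ? json.hooks.SessionStart : undefined;
    // Parsed: need a non-empty SessionStart list. Unparsed: fall back to text.
    const hit = json ? Array.isArray(hooks) && hooks.length > 0
                     : text.includes('SessionStart');
    if (hit) found.push('session-start-hook');
  }

  if (has('.vscode/tasks.json')) {
    const text = files['.vscode/tasks.json'];
    const json = tryJson(text); // tasks.json may carry comments, so this can fail
    const tasks = json && Array.isArray(json.tasks) ? json.tasks : [];
    const auto = tasks.some((t) => t && t.runOptions &&
      t.runOptions.runOn === 'folderOpen' && JSON.stringify(t).includes('.claude/'));
    const textual = !json && text.includes('folderOpen') && text.includes('.claude/');
    if (auto || textual) found.push('folder-open-task');
  }
  return found;
}

// Constructed project snapshot; commands are placeholders, not the real payload's.
const sampleFiles = {
  '.claude/settings.json': JSON.stringify({
    hooks: { SessionStart: [{ hooks: [{ type: 'command', command: 'PLACEHOLDER' }] }] },
  }),
  '.vscode/tasks.json': '// comment makes this invalid for JSON.parse\n' + JSON.stringify({
    version: '2.0.0',
    tasks: [{ label: 'x', command: 'PLACEHOLDER', args: ['.claude/execution.js'],
      runOptions: { runOn: 'folderOpen' } }],
  }),
};
console.log(findPersistenceIndicators(sampleFiles));
```

A `format-check-workflow` or `session-start-hook` result only means the file or hook exists; compare it against the repository history before treating the project as infected.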

Recommendations for Developers

To mitigate the risks associated with this attack, developers are advised to:

– Audit Dependencies: Regularly review and update all project dependencies, ensuring that only trusted packages are used.

– Monitor for Suspicious Activity: Implement monitoring tools to detect unusual behavior during the installation or execution of npm packages.

– Rotate Credentials: If there’s any suspicion of compromise, immediately rotate all potentially exposed credentials, including npm tokens, GitHub tokens, and cloud service keys.

– Implement Least Privilege Access: Ensure that tokens and credentials have the minimum necessary permissions to perform their intended functions, reducing the potential impact of a compromise.

– Educate Development Teams: Provide training on the risks associated with third-party packages and the importance of verifying the integrity of dependencies.

Conclusion

The exploitation of SAP npm packages by the Mini Shai-Hulud worm underscores the critical importance of supply chain security in modern software development. By compromising widely used packages, attackers can infiltrate development environments, exfiltrate sensitive credentials, and potentially gain unauthorized access to critical systems. Developers and organizations must remain vigilant, adopt robust security practices, and continuously monitor their software supply chains to defend against such sophisticated attacks.