SAP Developer Ecosystem Compromise: The Mini Shai-Hulud npm Supply Chain Attack

A sophisticated supply chain attack struck the SAP developer ecosystem on April 29, 2026, affecting four widely used npm packages with credential-stealing malware. This campaign, dubbed Mini Shai-Hulud, leveraged advanced obfuscation techniques and self-replicating mechanisms that have drawn parallels to a prior attack targeting the Bitwarden CLI.

The attackers modified installation scripts in the compromised packages to download Bun, a JavaScript runtime that serves as a fast alternative to Node.js. By doing so, they bypassed traditional Node.js-based security tools, executing an 11.6 MB heavily obfuscated payload via Bun instead. The malware activates through a preinstall hook—meaning it runs automatically before the package is fully installed, requiring no user interaction beyond running npm install.

Campaign Overview

The attack specifically targeted packages essential to the SAP Cloud Application Programming Model (CAP) and Cloud MTA build workflows, making it a critical threat to enterprise-level development and CI/CD pipelines. The malicious payload is designed to harvest sensitive credentials from a wide array of sources:

  • GitHub tokens and Personal Access Tokens
  • npm authentication tokens
  • AWS, Azure, and Google Cloud credentials
  • Kubernetes service account tokens
  • Configuration files for AI coding tools like Claude and Visual Studio Code

All stolen data is encrypted using AES-256-GCM and exfiltrated to public GitHub repositories under the victims’ own accounts, labeled with the description “A Mini Shai-Hulud has Appeared”—a clear signature of the attack.

Self-Propagation Capability

The malware exhibits self-propagation capabilities. It validates stolen npm tokens to verify publishing permissions and then injects malicious code into other packages under the compromised account’s control. Additionally, the malware creates malicious GitHub Actions workflows in accessible repositories, allowing it to extract repository-level secrets during future CI runs.

This propagation mechanism closely mirrors the original Shai-Hulud campaign that targeted the Bitwarden CLI in April 2026, highlighting the evolution and persistence of similar tactics.

Compromised Package Details

Package Malicious Version Last Clean Version Monthly Downloads
mbt 1.2.48 1.2.47 Up to 1M
@cap-js/sqlite 2.2.2 2.2.1 Hundreds of thousands
@cap-js/postgres 2.2.2 2.2.1 Hundreds of thousands
@cap-js/db-service 2.10.1 2.10.0 Hundreds of thousands

The compromise occurred through two distinct methods:

  • mbt was hijacked using a stolen static npm authentication token belonging to the cloudmtabot service account, enabling direct malicious publishing without needing GitHub access.
  • The @cap-js packages were compromised by a combination of a hijacked SAP developer GitHub account and a misconfigured npm OIDC trusted publishing setup. The configuration allowed publishing permissions to any workflow on any branch, rather than restricting access to specific workflows on the main branch.

Beyond credential theft, the malware also injects persistence hooks into Visual Studio Code and Claude Code AI assistant configurations, enabling further long-term access to developer environments.

Connection to the Shai-Hulud Campaign

Security researchers confirmed that this attack shares infrastructure with the original Bitwarden CLI compromise from April 2026. Both campaigns utilize the same Bun runtime version (v1.3.13), encryption cipher (ctf-scramble-v2), and PBKDF2 cryptographic key.

The Obfuscated Payload (Source : Endor Labs)
The Obfuscated Payload (Source: Endor Labs)

Both campaigns feature a Russian locale kill-switch, a common operational security measure seen in Eastern European threat actor operations. The attack toolchain has been attributed to the cybercrime group TeamPCP.

Response and Mitigation

SAP released Security Note 3747787 addressing the incident and provided updated versions of all affected packages. Organizations are strongly advised to:

  • Immediately uninstall any compromised versions using npm uninstall <package> --ignore-scripts
  • Reinstall the clean superseding versions
  • Rotate all GitHub tokens, npm tokens, cloud credentials, and API keys used on systems with malicious installations

Because the encryption used is irreversible, compromised credentials should be considered permanently compromised and must be rotated immediately.

Indicators of Compromise (IoCs)

File SHA-256 Packages
setup.mjs 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34 All four
execution.js 80a3d2877813968ef847ae73b5eeeb70b9435254e74d7f07d8cf4057f0a710ac [email protected]
execution.js 6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95 @cap-js/[email protected]
execution.js eb6eb4154b03ec73218727dc643d26f4e14dfda2438112926bb5daf37ae8bcdb @cap-js/[email protected], @cap-js/[email protected]

Organizations should review their dependency trees, audit installed packages, and monitor their CI/CD pipelines for signs of compromise.

Related Articles

Back to top button