Supply‑Chain Sabotage: The Mini Shai Hulud Campaign Targeting SAP Developers

The software supply chain remains one of the most precarious links in modern cybersecurity, and a recent discovery has highlighted just how targeted these attacks can become.

Security researchers have uncovered a sophisticated campaign, dubbed “Mini Shai Hulud,” orchestrated by a threat actor known as TeamPCP. This campaign specifically targets the SAP developer ecosystem by compromising several legitimate npm packages, turning trusted development tools into vectors for credential theft.

Unlike “spray and pray” malware, this operation is surgical. It leverages the inherent trust in dependency management to execute malicious code silently during the standard build process, aiming for the “crown jewels” of development: CI/CD secrets and cloud environment credentials.

Technical Breakdown: Infection and Payload Execution

The attackers have successfully hijacked widely utilized SAP-related libraries, specifically targeting @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt. The infection logic is embedded within a preinstall script—a legitimate npm lifecycle hook—which allows the malware to trigger the moment a developer runs npm install.

Compromised users by hours, UTC timezone (Source: WIZ)
Compromised users by hours, UTC timezone (Source: WIZ)

The execution chain is designed for stealth and resilience:

  1. The Dropper: The pre-install script triggers a file named setup.mjs.
  2. Environment Masking: To bypass detection and evade specific geopolitical scrutiny, the script performs a locale check. If it detects Russian-language environment variables or system settings, the payload terminates immediately.
  3. Advanced Runtime Execution: To evade traditional JavaScript analysis, the dropper downloads the Bun JavaScript runtime. It uses Bun to launch a heavily obfuscated secondary payload, execution.js, before the original package installation has even completed.
  4. Data Exfiltration: Once active, the malware harvests GitHub tokens, npm credentials, Kubernetes access tokens, and sensitive cloud secrets from AWS, Azure, and GCP. The stolen data is encrypted via RSA and exfiltrated to attacker-controlled GitHub repositories using the GraphQL API, a method that blends in with legitimate developer traffic.

Strategic Evolution: Browser Theft and Repository Poisoning

What differentiates Mini Shai Hulud from previous TeamPCP campaigns is its expanded tactical scope. The malware now includes modules for web browser credential harvesting, specifically targeting stored passwords and session data in Chrome, Safari, Edge, and Brave.

Furthermore, if the initial attempt to snatch high-value API tokens fails, the malware shifts to a persistence and propagation phase. It attempts to “poison” the developer’s local environment by injecting malicious configuration files:

  • AI Tooling Exploitation: For users of Claude Code, it creates malicious hooks that ensure the dropper executes upon every new session.
  • IDE Integration: For Visual Studio Code users, it modifies task configurations so the payload runs automatically whenever a project directory is opened.

Mitigation and Incident Response

Security teams should treat this as a critical priority. We recommend the following immediate actions:

  • Audit Dependencies: Scan package-lock.json and yarn.lock files for the compromised versions of the mentioned SAP packages.
  • Secret Rotation: Assume all cloud provider keys (AWS/Azure/GCP), GitHub Personal Access Tokens (PATs), and CI/CD environment variables are compromised and rotate them immediately.
  • Endpoint Scanning: Search developer workstations and CI runners for the specific SHA-256 hashes listed below.

Indicators of Compromise (IoCs)

File Name Affected Package SHA-256 Hash
setup.mjs All 4 Packages 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34
execution.js @cap-js/postgres eb6eb4154b03ec73218727dc643d26f4e14dfda2438112926bb5daf37ae8bcdb
execution.js @cap-js/db-service eb6eb4154b03ec73218727dc643d26f4e14dfda2438112926bb5daf37ae8bcdb
execution.js @cap-js/sqlite 6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95
execution.js mbt 80a3d2877813968ef847ae73b5eeeb70b9435254e74d7f07d8cf4057f0a710ac

Related Articles

Back to top button