★ 8/10 · Security · 2026-04-29

SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack

A supply chain attack campaign, identified as "Mini Shai-Hulud," has compromised several npm packages within the SAP JavaScript and cloud development ecosystem to steal developer credentials and cloud secrets. The...

Captured 2026-04-29 16:26

SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack

Summary

A supply chain attack campaign, identified as "Mini Shai-Hulud," has compromised several npm packages within the SAP JavaScript and cloud development ecosystem to steal developer credentials and cloud secrets. The attack utilizes malicious preinstall scripts to execute a Bun-based payload that exfiltrates sensitive data to GitHub repositories.

Key Points

  • Affected packages include mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, and @cap-js/sqlite@2.2.2.
  • The malware uses a preinstall hook to execute setup.mjs, which downloads and runs a platform-specific Bun binary from GitHub Releases.
  • Capabilities include harvesting GitHub/npm tokens, GitHub Actions secrets, cloud credentials (AWS, Azure, GCP, and Kubernetes), and passwords from browsers including Chrome, Safari, Edge, Brave, and Chromium.
  • Exfiltrated data is encrypted using AES-256-GCM and encapsulated with an RSA-4096 public key before being sent to GitHub repositories created on the victim's account.
  • Persistence is achieved by injecting malicious configurations into .claude/settings.json (abusing the Claude Code SessionStart hook) and .vscode/tasks.json (using the runOn: folderOpen setting).
  • Remediation requires upgrading to safe versions: mbt@1.2.49, @cap-js/sqlite@2.4.0 or v2.3.0, @cap-js/postgres@2.3.0 or v2.2.2, and @cap-js/db-service@2.10.1.

Technical Details

The attack mechanism relies on a package.json preinstall script that acts as a runtime bootstrapper. This script executes setup.mjs, which downloads, extracts, and executes a Bun JavaScript runtime to run the primary payload, execution.js. The payload is designed for self-propagation; it uses stolen GitHub and npm tokens to inject malicious GitHub Actions workflows into the victim's repositories, enabling the attacker to publish further poisoned npm packages and steal additional repository secrets.

The malware includes specific evasion and persistence logic, such as terminating execution on systems with a Russian locale. For data exfiltration, the attacker uses the victim's own GitHub account to host public repositories with the description "A Mini Shai-Hulud has Appeared." The root cause of the package compromise involved a misconfiguration in npm OIDC (OpenID Connect) trusted publishing. In the case of @cap-js/sqlite, the configuration allowed any workflow within the cap-js/cds-dbs repository to request an OIDC token, rather than restricting permissions to a specific, canonical release workflow. This allowed an attacker to use a modified workflow on a non-main branch to publish malicious packages without provenance.

Impact / Why It Matters

This attack poses a critical risk to developer workstations and CI/CD environments by enabling automated lateral movement and the theft of high-privilege cloud and repository credentials. Organizations should audit dependency trees for the affected versions and ensure that OIDC-based publishing configurations are strictly limited to authorized workflows.

security npm supply-chain-attack

↳ Sources