Security researchers are warning of a new supply chain attack targeting SAP-related npm packages that delivers malware built to steal sensitive credentials.
Findings from Aikido Security, SafeDep, Socket, StepSecurity, and Google-owned Wiz reveal that the attack, dubbed mini Shai-Hulud, has impacted the following packages tied to SAP’s JavaScript and cloud development tools:
- mbt@1.2.48
- @cap-js/db-service@2.10.1
- @cap-js/postgres@2.2.2
- @cap-js/sqlite@2.2.2
“The compromised versions introduced a fresh installation step that wasn’t originally part of these packages’ standard behavior,” Socket explained. “The tainted releases included a preinstall script designed to fetch a platform-specific Bun ZIP from GitHub Releases, unpack it, and run the extracted Bun binary immediately.”
“The setup also blindly follows HTTP redirects without verifying the destination, and executes PowerShell with -ExecutionPolicy Bypass on Windows, raising the risk for developers and CI/CD systems affected.”
Wiz highlighted that the harmful packages share traits with earlier TeamPCP campaigns, implying that the same threat group is likely responsible for the latest offensive.
The malicious versions were published on April 29, 2026, between 09:55 UTC and 12:14 UTC. The compromised packages carry a new preinstall hook in package.json that launches a script called “setup.mjs,” which downloads the Bun JavaScript runtime and uses it to run a combined credential stealer and propagation engine (“execution.js”).
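A check for exposure to the versions listed above, as an added example that is not code from the article or from any of the vendors it cites. It reads a parsed package-lock.json (lockfileVersion 2 or 3), matches the four name@version pairs, and lists dependencies that npm recorded as running an install-time script; the sample lockfile and the `native-addon-example` allow-list entry are constructed.

```javascript
// Compromised name@version pairs, exactly as listed in the article.
const COMPROMISED = new Set([
  "mbt@1.2.48",
  "@cap-js/db-service@2.10.1",
  "@cap-js/postgres@2.2.2",
  "@cap-js/sqlite@2.2.2",
]);

// Lockfile keys look like "node_modules/a/node_modules/@scope/b"; the package
// name is whatever follows the last "node_modules/", so nested copies count.
function nameOf(path) {
  const prefix = "node_modules/";
  const idx = path.lastIndexOf(prefix);
  return idx === -1 ? null : path.slice(idx + prefix.length);
}

// Entries of a parsed package-lock.json (lockfileVersion 2 or 3) that match
// the compromised list.
function findCompromised(lock) {
  return Object.entries(lock.packages || {})
    .map(([path, meta]) => ({ path, id: `${nameOf(path)}@${meta.version}` }))
    .filter((entry) => COMPROMISED.has(entry.id));
}

// Dependencies npm recorded as running an install-time script
// (hasInstallScript) that are not on a reviewed allow-list.
function unexpectedInstallScripts(lock, allowed = new Set()) {
  return Object.entries(lock.packages || {})
    .filter(([, meta]) => meta.hasInstallScript === true)
    .map(([path]) => nameOf(path))
    .filter((name) => name !== null && !allowed.has(name));
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@cap-js/sqlite": { version: "2.2.2", hasInstallScript: true },
    "node_modules/@cap-js/db-service": { version: "2.10.0" },
    "node_modules/x/node_modules/mbt": { version: "1.2.48", hasInstallScript: true },
    "node_modules/native-addon-example": { version: "3.0.0", hasInstallScript: true },
  },
};

console.log(findCompromised(sampleLock));
console.log(unexpectedInstallScripts(sampleLock, new Set(["native-addon-example"])));
```

In a real project, pass the result of `JSON.parse` on the project's package-lock.json instead of `sampleLock`.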
Based on Aikido’s analysis, the malware is built to harvest local developer credentials, along with GitHub and npm tokens, GitHub Actions secrets, and cloud credentials from AWS, Azure, GCP, and Kubernetes. The stolen information is encrypted and sent to public GitHub repositories automatically created under the victim’s account bearing the title “A Mini Shai-Hulud has Appeared.” Currently, more than 1,100 such repositories exist with this description.
Additionally, the malware payload, which weighs in at 11.6 MB, can spread through both developer and release operations. It uses stolen GitHub and npm tokens to insert a malicious GitHub Actions workflow into the victim’s repositories, exfiltrating repository secrets and publishing poisoned versions of npm packages to the registry.
Yet, this recent event differs notably from earlier Shai-Hulud outbreaks:
- All pilfered data is secured using AES-256-GCM encryption, with keys wrapped via RSA-4096 using a fixed public key buried within the payload—making it impossible for anyone but the attacker to decrypt.
- The malware automatically halts when it detects a Russian-locale system.
The payload embeds itself into every accessible GitHub repository by injecting a “.claude/settings.json” file that exploits Claude Code’s SessionStart hook and a “.vscode/tasks.json” file with “runOn”: “folderOpen” settings. This means opening the infected repository in either Microsoft Visual Studio Code (VS Code) or Claude Code triggers the malware.
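A repository check for the two auto-run mechanisms described above, as an added example that is not code from the article or from the tools it names. It assumes the usual VS Code tasks.json shape and a Claude Code settings layout of `hooks.SessionStart[].hooks[]` with `type: "command"` entries; the sample files and their commands are constructed placeholders.

```javascript
// VS Code tasks that start on their own: runOptions.runOn === "folderOpen".
function autoRunTasks(tasksJson) {
  return (tasksJson.tasks || [])
    .filter((t) => t.runOptions && t.runOptions.runOn === "folderOpen")
    .map((t) => ({
      file: ".vscode/tasks.json",
      trigger: "folderOpen",
      command: [t.command, ...(t.args || [])].join(" "),
    }));
}

// Claude Code command hooks registered for SessionStart. Assumed layout:
// { hooks: { SessionStart: [ { hooks: [ { type: "command", command } ] } ] } }
function sessionStartHooks(settings) {
  const groups = (settings.hooks && settings.hooks.SessionStart) || [];
  return groups
    .flatMap((g) => g.hooks || [])
    .filter((h) => h.type === "command")
    .map((h) => ({ file: ".claude/settings.json", trigger: "SessionStart", command: h.command }));
}

// files maps repo-relative paths to file text. A file that does not parse is
// reported for manual review, not skipped: tasks.json may contain comments,
// which JSON.parse rejects.
function auditRepo(files) {
  const checks = { ".vscode/tasks.json": autoRunTasks, ".claude/settings.json": sessionStartHooks };
  const findings = [];
  for (const [path, check] of Object.entries(checks)) {
    if (!(path in files)) continue;
    try {
      findings.push(...check(JSON.parse(files[path])));
    } catch (err) {
      findings.push({ file: path, trigger: "unparsed", command: null });
    }
  }
  return findings;
}

// Constructed sample; the commands are harmless placeholders.
const sampleRepo = {
  ".vscode/tasks.json": JSON.stringify({ version: "2.0.0", tasks: [
    { label: "build", command: "npm", args: ["run", "build"] },
    { label: "init", command: "node", args: ["tools/init.js"], runOptions: { runOn: "folderOpen" } },
  ] }),
  ".claude/settings.json": JSON.stringify({
    hooks: { SessionStart: [{ hooks: [{ type: "command", command: "node tools/init.js" }] }] },
  }),
};
console.log(auditRepo(sampleRepo));
```

Any finding in a repository that did not previously ship these files is worth reviewing before the folder is opened in either tool.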
“This marks one of the first documented supply chain attacks to exploit AI coding agent configurations as a means for both persistence and spreading,” StepSecurity commented.
Wiz also stressed that the Russian locale check mirrors techniques seen in the recent Checkmarx and Bitwarden breaches, noting that the campaign also utilizes a TeamPCP-associated shared RSA public key for encrypting the data it collects.
“This SAP-related campaign goes further by stealing credentials from several major browsers—including Chrome, Safari, Edge, Brave, and Chromium—and uploading any passwords discovered,” Wiz researchers added. “This capability hadn’t surfaced in earlier operations. While using GitHub-based exfiltration to ‘Dune’-themed repos served as a fallback command-and-control option for the Bitwarden CLI attack, it’s now the primary approach used.”
Further investigation into the root cause has shown that, for the three “@cap-js” packages, the attackers gained access to RoshniNaveenaS’s account. They then pushed a modified workflow to a non-main branch and used the extracted npm OIDC token to publish the rogue packages without proper provenance. As for the mbt package, it’s suspected that the “cloudmtabot” static npm token was compromised, though the exact method remains unclear.
“The cds-dbs team transitioned to npm OIDC trusted publishing in November 2025,” SafeDep noted. “This arrangement enables GitHub Actions to generate short-lived npm tokens without persisting long-lived secrets in the repository. The attackers duplicated this process manually within a CI step and captured the resulting token they printed out.”
“The major vulnerability here lay in npm’s OIDC trusted publisher setup for @cap-js/sqlite, which trusted any workflow running in cap-js/cds-dbs, not just the designated release-please.yml on the main branch. By simply pushing to a branch, an attacker could exchange an OIDC token on behalf of the package, provided the workflow had ‘id-token: write’ permissions and the ‘environment: npm’ reference.”
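An audit for the condition SafeDep describes, as an added example that is not SafeDep's or the cds-dbs project's code. It flags every workflow file, on any branch, that both grants `id-token: write` (or `permissions: write-all`) and references the `npm` environment, unless it is release-please.yml on main; it is a line-pattern heuristic, not a YAML parser, and the branch names and workflow text in the sample are constructed.

```javascript
// The one workflow the article says should have been trusted, on main only.
const ALLOWED = new Set([".github/workflows/release-please.yml"]);

const ID_TOKEN = /^[ \t]*id-token:[ \t]*["']?write["']?[ \t]*(?:#.*)?$/m;
const WRITE_ALL = /^[ \t]*permissions:[ \t]*write-all[ \t]*(?:#.*)?$/m;
// Matches "environment: npm" and the mapping form "environment:\n  name: npm".
const ENV_NPM =
  /^[ \t]*environment:[ \t]*(?:\r?\n[ \t]+name:[ \t]*)?["']?npm["']?[ \t]*(?:#.*)?$/m;

// True when the workflow text has both preconditions named in the quote.
function canRequestNpmToken(yamlText) {
  return (ID_TOKEN.test(yamlText) || WRITE_ALL.test(yamlText)) && ENV_NPM.test(yamlText);
}

// workflows: { "<branch>": { "<path>": "<workflow yaml text>" } }
function auditBranches(workflows) {
  const findings = [];
  for (const [branch, files] of Object.entries(workflows)) {
    for (const [path, text] of Object.entries(files)) {
      if (!canRequestNpmToken(text)) continue;
      if (branch === "main" && ALLOWED.has(path)) continue; // expected publisher
      findings.push({ branch, path });
    }
  }
  return findings;
}

// Constructed sample: a publish job as it might appear in a release workflow.
const publishJob = [
  "jobs:",
  "  publish:",
  "    runs-on: ubuntu-latest",
  "    environment: npm",
  "    permissions:",
  "      id-token: write  # OIDC",
  "    steps: []",
].join("\n");

const sample = {
  main: {
    ".github/workflows/release-please.yml": publishJob,
    ".github/workflows/test.yml": "permissions:\n  contents: read\njobs: {}",
  },
  "chore/tmp": { ".github/workflows/test.yml": publishJob },
};

console.log(auditBranches(sample));
```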
Following the incident, the package maintainers have released updated, secure versions to replace the vulnerable releases –



