Critical SAP npm Vulnerabilities Let Attackers Steal GitHub, Cloud, AI Secrets
Key Takeaways A sophisticated supply chain attack, dubbed “Mini Shai-Hulud,” is actively targeting the SAP developer ecosystem through malicious npm packages. The worm is designed to...
Key Takeaways
- A sophisticated supply chain attack, dubbed “Mini Shai-Hulud,” is actively targeting the SAP developer ecosystem through malicious npm packages.
- The worm is designed to steal sensitive credentials, including GitHub tokens, cloud platform access keys (AWS, Google Cloud, Azure), and secrets from AI coding tools.
- Four official SAP npm packages were compromised:
mbt,@cap-js/sqlite,@cap-js/postgres, and@cap-js/db-service. - Developers and CI/CD pipelines that installed specific malicious versions of these packages are at high risk of full credential compromise.
- Immediate action is required to identify compromised systems, revoke exposed credentials, and implement enhanced security measures.
Attackers Leverage Malicious npm Packages to Compromise SAP Developer Ecosystem
A new, critical supply chain attack has been identified, actively compromising the SAP developer ecosystem. This campaign utilizes poisoned npm packages to infiltrate systems and exfiltrate highly sensitive data, including credentials for GitHub, various cloud platforms, and AI coding tools. The details of this sophisticated operation were recently unveiled in a comprehensive report.
Table Of Content
- Key Takeaways
- Attackers Leverage Malicious npm Packages to Compromise SAP Developer Ecosystem
- The “Mini Shai-Hulud” Worm
- Tracing the Threat Actor
- How the Worm Collects and Exfiltrates Credentials
- npm Token Harvesting
- GitHub and Cloud Credential Collection
- AI Coding Tool and CI Environment Targeting
- What You Should Do
The “Mini Shai-Hulud” Worm
The malicious campaign employs a worm known as “Mini Shai-Hulud.” This stealthy malware activates a preinstall script that executes silently before an npm install command fully completes. Its primary objective is to steal credentials from developer workstations, cloud environments, and AI-assisted coding tools.
The attack specifically targeted four legitimate, SAP-published npm packages:
mbt(malicious version: 1.2.48, last clean version: 1.2.47)@cap-js/sqlite(malicious version: 2.2.2, last clean version: 2.2.1)@cap-js/postgres(malicious version: 2.2.2, last clean version: 2.2.1)@cap-js/db-service(malicious version: 2.10.1, last clean version: 2.10.0)
When a developer or a CI/CD pipeline executes npm install on one of these compromised versions, a hidden setup.mjs script is triggered. This script downloads the Bun JavaScript runtime and then executes an obfuscated 11.7 MB payload named execution.js, which then proceeds to steal credentials without relying on Node.js.
Tracing the Threat Actor
Analysts at Endor Labs were instrumental in identifying this malware as a direct evolution of the original Shai-Hulud worm, which was first documented in April 2025. The researchers observed significant commonalities between the two campaigns, including the use of the same Bun v1.3.13 runtime bootstrap, an identical custom cipher family (ctf-scramble-v2), and the same PBKDF2 key (5012caa5847ae…). These shared indicators strongly suggest that the same threat actor is behind this new offensive, targeting SAP’s CAP and MTA developer ecosystems with a refined focus on credential theft and a different propagation method.
These four affected packages are integral to the dependency trees of CAP-based applications widely deployed across SAP BTP. Consequently, any developer who installed a compromised version on a machine containing cloud credentials or GitHub tokens should assume all secrets on that host have been fully exposed.
How the Worm Collects and Exfiltrates Credentials
The malicious payload operates by deploying five distinct credential harvesting modules in parallel, designed to maximize data exfiltration.
npm Token Harvesting
The first module targets npm tokens. It systematically scans npmrc files located in the user’s home directory, the project root, and within CI environment variables. Crucially, collected tokens are then validated against the npm registry API to verify their publishing capabilities, as only publish-enabled tokens facilitate the worm’s replication and broader spread.
GitHub and Cloud Credential Collection
The second and third modules focus on GitHub and cloud service credentials. On Linux systems, the payload attempts to read /proc/{pid}/mem to extract in-memory secrets from GitHub Actions. It also performs a comprehensive sweep of AWS credential files, queries GetCallerIdentity for IAM context, scans Google Cloud Secret Manager, reads Kubernetes service account JSON files, and collects Azure Key Vault credentials.
AI Coding Tool and CI Environment Targeting
The fourth collector is specifically designed to target AI coding tools. The payload checks 136 hardcoded paths for configuration files related to Claude Code (e.g., project/.claude/settings.json) and VS Code task files (project/.vscode/tasks.json). It also targets Cursor IDE state files, shell history, .env files, and SSH private keys. In continuous integration environments, the worm expands its reach to over 25 platforms, including popular services like Jenkins, Travis, and Azure Pipelines.
Indicators of compromise (IoCs) related to persistence include:
project/.claude/execution.js: An 11.6 MB copy of the payload for persistence.project/.claude/settings.json: Presence of aSessionStarthook.project/.vscode/tasks.json: AfolderOpentrigger pointing to the.claude/directory.project/.github/workflows/format-check.yml: An injected workflow designed for credential exfiltration.
All exfiltrated data is encrypted using AES-256-GCM. The encryption key is then wrapped with the attacker’s RSA-4096 public key before the encrypted data is uploaded to a GitHub “dead-drop” repository. This repository is created using the victim’s own stolen GitHub account, effectively turning the victim’s account into an exfiltration channel.
What You Should Do
- Assume Full Compromise: If any of the listed malicious versions were installed on a system, consider all secrets on that host to be fully compromised.
- Uninstall and Reinstall: Immediately uninstall each affected package. Reinstall the clean versions using the
--ignore-scriptsflag to prevent any preinstall scripts from executing. - Scan for IoCs: Search all projects on affected machines for the following indicators:
execution.jsfiles larger than 5 MB..claude/settings.jsonfiles containing aSessionStarthook.- Any
format-check.ymlworkflow file not authored by your team.
- Revoke All Credentials: Urgently revoke all potentially exposed credentials from the affected host. This includes, but is not limited to, npm publish tokens, GitHub Personal Access Tokens (PATs), AWS IAM keys, Google Cloud service account credentials, Azure client secrets, SSH private keys, and the contents of all
.envfiles. - Enhance CI/CD Security: For long-term defense, scope npm OIDC trusted publishing to specific workflow files on specific branches, rather than granting broad repository-wide access.
- Enforce Script Ignoring: Mandate the use of the
--ignore-scriptsflag for allnpm installcommands in CI/CD pipelines. - Regular Dependency Audits: Review lifecycle hooks during routine dependency audits to identify any suspicious or unexpected script executions. The rapid detection window of approximately two hours for this attack highlights that reactive takedowns alone are insufficient protection.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.