SAP npm Packages Hacked to Steal Developer & CI/CD Credentials

Jennifer Sherman
April 29, 2026

A new supply chain attack, dubbed “mini Shai Hulud,” has compromised four SAP-related npm packages. The malicious versions carry a preinstall script that executes silently during dependency installation on developer workstations and in CI/CD pipelines. The attack specifically aims to steal credentials for platforms such as GitHub, npm, and major cloud providers.

Security researchers at StepSecurity, Aikido Security, SafeDep, Socket, and Wiz identified that malicious versions of legitimate SAP Cloud Application Programming Model (CAP) ecosystem packages — including @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt — were published with a weaponized preinstall hook inside package.json.

Unlike its predecessor campaigns, this attack employs a novel evasion twist: instead of relying on Node.js to run the payload, the dropper script (setup.mjs) downloads the Bun JavaScript runtime at install time and uses it to execute a heavily obfuscated 11 MB second-stage payload (execution.js).

This architectural choice is intentional: Bun execution patterns are largely outside the detection scope of most static analysis and Node.js-focused security tooling.

Multi-Stage Payload and Credential Theft

Once setup.mjs is triggered, it fetches and launches execution.js, a full-featured credential stealer and self-propagation framework. When deobfuscated, the second-stage payload systematically harvests:

  • GitHub tokens and npm credentials from developer workstations
  • Cloud provider secrets — AWS, Azure, and GCP environment variables
  • Kubernetes tokens and service account credentials
  • GitHub Actions secrets, including runtime secrets extracted directly from the runner's memory

Stolen data is encrypted and exfiltrated via attacker-controlled public GitHub repositories, following the same exfiltration pattern established by the original Shai-Hulud campaign.

The malware also contains propagation logic: using any stolen npm tokens, it identifies other packages published under the compromised maintainer’s account, injects the malicious code, and republishes them, enabling automated, exponential spread across the npm ecosystem without further operator intervention.

During initialization, the malware performs a locale-based geofencing check: it inspects the system’s date/time locale settings and environment language variables for values beginning with 'ru'.

If the system is configured for the Russian language, the malware immediately self-terminates, so no data is exfiltrated from Russian-language environments. Note that the check reads locale strings rather than network location, so it is a cheap, easily spoofed filter and not a control defenders should rely on. This deliberate exclusion is a recurring fingerprint across TeamPCP campaigns.

Researchers attribute this campaign to TeamPCP with high confidence, noting multiple overlapping technical signatures with previously documented TeamPCP operations targeting packages such as Trivy, LiteLLM, and Checkmarx KICS. Key attribution indicators include:

  • The same __decodeScrambled cipher used to encode secrets before posting to exfiltration repositories
  • Identical Russian-language early-exit logic
  • Shared dropper (setup.mjs — SHA256: 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34) present across all four packages
  • Consistent infrastructure abuse patterns: install-time execution, off-host exfiltration, and canister-backed self-propagation.

Affected Packages and IOCs

Package             Version   Tarball SHA256
@cap-js/postgres    2.2.2     1d9e4ece8e13c8eaf94cb858470d1bd8f81bb58f62583552303774fa1579edee
@cap-js/db-service  2.10.1    258257560fe2f1c2cc3924eae40718c829085b52ae3436b4e46d2565f6996271
@cap-js/sqlite      2.2.2     a1da198bb4e883d077a0e13351bf2c3acdea10497152292e873d79d4f7420211
mbt                 1.2.48    86282ebcd3bebf50f087f2c6b00c62caa667cdcb53558033d85acd39e3d88b41

The shared dropper setup.mjs (SHA1: 307d0fa7407d40e67d14e9d5a4c61ac5b4f20431) is present in all four packages.

The execution.js payload for @cap-js/postgres and @cap-js/db-service is identical (SHA256: eb6eb4154b03ec73218727dc643d26f4e14dfda2438112926bb5daf37ae8bcdb).

Organizations using SAP CAP tooling should immediately audit CI/CD pipeline dependencies and lockfiles for the versions listed above, block those versions, and treat every secret present in any environment where they were installed as compromised: rotate GitHub and npm tokens, cloud provider credentials, Kubernetes service account tokens, and GitHub Actions secrets. Because the payload runs from a preinstall hook, installing with npm's ignore-scripts setting enabled removes this execution path entirely.

Defenders should also monitor for unexpected Bun runtime downloads during npm install operations, as this behavior is a novel indicator specific to this campaign. Responsible disclosure has been made to the maintainers of all affected packages.
