Critical SAP npm Package Vulnerabilities Expose Developer and CI/CD Secrets

Jennifer Sherman
April 29, 2026

Key Takeaways

  • A new supply chain attack, dubbed “mini Shai Hulud,” compromised four critical SAP npm packages.
  • Malicious preinstall scripts were injected into developer environments and CI/CD pipelines to steal credentials for GitHub, npm, and major cloud providers.
  • The attack executes its payload with the Bun JavaScript runtime rather than Node.js, evading security tooling that only models Node.js behaviour.
  • The malware includes self-propagation capabilities and a geofencing check that terminates execution in Russian-language environments.
  • Organizations using SAP Cloud Application Programming Model (CAP) tooling must audit dependencies, rotate secrets, and block compromised package versions immediately.

A sophisticated supply chain attack, dubbed “mini Shai Hulud,” has been uncovered, targeting four widely used npm packages associated with SAP’s Cloud Application Programming Model (CAP). This incident involves the surreptitious injection of malicious scripts into developer environments and CI/CD pipelines, designed to exfiltrate sensitive credentials from platforms like GitHub, npm, and leading cloud providers.

Researchers from StepSecurity, Aikido Security, SafeDep, Socket, and Wiz collaboratively identified that compromised versions of legitimate SAP CAP ecosystem packages, specifically @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt, were published containing a weaponized preinstall hook in their package.json files. npm runs this hook automatically during dependency installation, so resolving an affected version, directly or as a transitive dependency, executes the dropper with no action from the developer beyond `npm install`.

Distinguishing itself from previous campaigns, this iteration of “mini Shai Hulud” introduces a novel evasion technique. Rather than relying on Node.js to execute its payload, the dropper script, named setup.mjs, downloads the Bun JavaScript runtime at install time and uses it to execute a heavily obfuscated, 11 MB second-stage payload, execution.js.

The choice of Bun is deliberate. Most static analysis and runtime security tooling for the npm ecosystem models Node.js process trees and APIs, so a payload launched through a freshly downloaded Bun binary largely falls outside what those tools inspect, giving the attackers a significant advantage.
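The install-hook vector described above is straightforward to triage from a package manifest. The following is an added example, not code from the original article, from SAP, or from the researchers cited: it audits the lifecycle hooks in a parsed package.json and flags commands matching the pattern described here (a preinstall hook launching an embedded dropper, an install-time download, or the Bun runtime). The two manifests and the regex heuristics are constructed for this example, not the real malicious files or published signatures.

```javascript
// Added example, not code from the original article, from SAP, or from the researchers cited.
// Audits the lifecycle hooks in a parsed package.json for the behaviour the article describes:
// a preinstall script that npm runs automatically, which launches a dropper and an alternative runtime.
// Both package.json objects below are CONSTRUCTED samples for illustration; they are not the real files.

// Scripts npm runs without any developer action beyond `npm install`
// ("prepare" also runs when installing from a git URL).
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristics chosen for this example, not signatures published by the researchers.
const SUSPICIOUS = [
  { id: "bun-runtime",  re: /\bbunx?\b/i,                             why: "invokes the Bun runtime" },
  { id: "downloader",   re: /\b(curl|wget|Invoke-WebRequest|iwr)\b/i, why: "fetches content at install time" },
  { id: "dropper-file", re: /setup\.mjs|execution\.js/i,              why: "references the dropper/payload filenames from the IOCs" },
  { id: "remote-url",   re: /https?:\/\//i,                            why: "contains a URL" },
  { id: "dynamic-eval", re: /\b(eval|new Function)\s*\(/,              why: "evaluates code at runtime" },
];

// Returns one finding per install-time hook present in the manifest.
function auditLifecycleScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string") continue;
    const reasons = SUSPICIOUS.filter((s) => s.re.test(command)).map((s) => s.id);
    findings.push({
      package: `${pkg.name}@${pkg.version}`,
      hook,
      command,
      suspicious: reasons.length > 0,
      reasons,
    });
  }
  return findings;
}

// Constructed manifest mimicking the described pattern: an embedded dropper run from preinstall.
const SAMPLE_TROJANED = {
  name: "example-cap-plugin",
  version: "9.9.9",
  scripts: { preinstall: "node setup.mjs", test: "mocha" },
};

// Constructed manifest for a native add-on: it also has an install hook, but a conventional one.
const SAMPLE_NATIVE_ADDON = {
  name: "example-native-addon",
  version: "1.0.0",
  scripts: { install: "node-gyp rebuild", test: "node test.js" },
};

function main() {
  for (const pkg of [SAMPLE_TROJANED, SAMPLE_NATIVE_ADDON]) {
    for (const f of auditLifecycleScripts(pkg)) {
      const tag = f.suspicious ? "SUSPICIOUS" : "ok";
      console.log(`${tag.padEnd(10)} ${f.package} ${f.hook}: "${f.command}" ${f.reasons.join(",")}`);
    }
  }
}

main();
```

Point the audit at every package.json under node_modules after a fresh install, or run it as a pre-merge check on lockfile changes. The blunt mitigation for this whole class of attack is to stop npm from running lifecycle hooks at all: `npm install --ignore-scripts`, or `ignore-scripts=true` in the project's .npmrc, then run the hooks you actually need (native add-on builds) explicitly.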

Multi-Stage Payload and Credential Theft

Upon activation, the setup.mjs script retrieves and launches execution.js, which functions as a comprehensive credential stealer and self-propagation framework. Once deobfuscated, this second-stage payload systematically collects a wide array of sensitive information:

  • GitHub tokens and npm credentials from developer workstations.
  • Cloud provider secrets, including environment variables for AWS, Azure, and GCP.
  • Kubernetes tokens and service account credentials.
  • GitHub Actions secrets, even extracting runtime secrets directly from runner memory.

The stolen data is subsequently encrypted and exfiltrated via public GitHub repositories controlled by the attackers, mirroring the exfiltration methods observed in the original Shai-Hulud campaign.

The malware also incorporates propagation logic. Using any stolen npm tokens, it identifies other packages managed by the compromised maintainer’s account, injects malicious code, and then republishes them. This mechanism facilitates an exponential, automated spread throughout the npm ecosystem without requiring direct intervention from the threat actors.

During its initial setup, the malware performs a targeted geofencing check. It examines the system’s date/time locale settings and environment language variables for any values starting with 'ru'. If a Russian language configuration is detected, the malware immediately self-terminates, preventing any data exfiltration from Russian-speaking environments. This specific exclusion is a consistent hallmark across campaigns attributed to TeamPCP.

Researchers have attributed this campaign to TeamPCP with high confidence, citing multiple technical overlaps with previously documented TeamPCP operations that targeted packages such as Trivy, LiteLLM, and Checkmarx KICS. Key indicators supporting this attribution include:

  • The use of the identical __decodeScrambled cipher for encoding secrets before posting them to exfiltration repositories.
  • The presence of the same Russian-language early-exit logic.
  • A shared dropper (setup.mjs — SHA256: 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34) found across all four compromised packages.
  • Consistent infrastructure abuse patterns, including install-time execution, off-host exfiltration, and canister-backed self-propagation.

Affected Packages and IOCs

Package              Version   Tarball SHA256
@cap-js/postgres     2.2.2     1d9e4ece8e13c8eaf94cb858470d1bd8f81bb58f62583552303774fa1579edee
@cap-js/db-service   2.10.1    258257560fe2f1c2cc3924eae40718c829085b52ae3436b4e46d2565f6996271
@cap-js/sqlite       2.2.2     a1da198bb4e883d077a0e13351bf2c3acdea10497152292e873d79d4f7420211
mbt                  1.2.48    86282ebcd3bebf50f087f2c6b00c62caa667cdcb53558033d85acd39e3d88b41

The common dropper setup.mjs (SHA1: 307d0fa7407d40e67d14e9d5a4c61ac5b4f20431) is embedded within all four identified packages. The execution.js payload for both @cap-js/postgres and @cap-js/db-service is identical (SHA256: eb6eb4154b03ec73218727dc643d26f4e14dfda2438112926bb5daf37ae8bcdb).

Responsible disclosure has been made to the maintainers of all affected packages.

What You Should Do

  • Audit Dependencies: Immediately review and audit all CI/CD pipeline dependencies for the compromised versions of @cap-js/postgres (2.2.2), @cap-js/db-service (2.10.1), @cap-js/sqlite (2.2.2), and mbt (1.2.48).
  • Block Compromised Versions: Pin the four packages to versions not in the IOC list (for example with npm `overrides` or a deny list on your registry proxy) and fail CI if a lockfile resolves to one of the malicious versions.
  • Rotate Credentials: Assume compromise for all secrets present in environments where these packages were used. Promptly rotate all GitHub tokens, npm credentials, cloud provider secrets (AWS, Azure, GCP), Kubernetes tokens, and GitHub Actions secrets.
  • Monitor for Bun Runtime: Alert on unexpected downloads or executions of the Bun JavaScript runtime during npm install operations, as this is a distinctive indicator of this campaign.
  • Review Security Tooling: Evaluate your existing static analysis and runtime security tooling to ensure it can detect and analyze threats involving alternative JavaScript runtimes like Bun.
