Hackers News

Threats
Attackers Weaponize Poisoned SAP npm Packages to Steal GitHub, Cloud, and AI Tool Secrets

Jennifer Sherman
May 4, 2026, 3 Min Read

A new supply chain attack is actively targeting the SAP developer ecosystem, leveraging poisoned npm packages to compromise developer workstations and CI systems. Attackers are weaponizing these malicious packages to steal sensitive data, including GitHub, cloud, and AI coding tool secrets, as detailed in a recent report by Endor Labs.

The campaign uses a malicious worm called “Mini Shai-Hulud,” which runs silently before any npm install completes and steals credentials from developer machines, cloud platforms, and AI coding tools.

The attack hit four official SAP-published packages: mbt, @cap-js/sqlite, @cap-js/postgres, and @cap-js/db-service.

When a developer or CI pipeline runs npm install on a compromised version, a preinstall lifecycle script named setup.mjs executes with the installing user's privileges before the install completes.

That script downloads the Bun JavaScript runtime and uses it to execute an 11.7 MB obfuscated payload named execution.js, so the credential theft itself never runs under Node.js and escapes tooling that only inspects Node processes.

Endor Labs analysts identified the malware as a direct descendant of the original Shai-Hulud worm documented in 2025.

The researchers noted that Mini Shai-Hulud shares the same Bun v1.3.13 runtime bootstrap, the same custom cipher family (ctf-scramble-v2), and the same PBKDF2 key (5012caa5847ae…) as the earlier campaign.

These shared markers confirm the same threat actor is running a fresh campaign against SAP’s CAP and MTA developer ecosystem with a narrower credential surface and a different propagation keyword.

The four packages sit in the dependency trees of CAP-based applications used broadly across SAP BTP. Any developer who installed a compromised version on a machine holding cloud credentials or GitHub tokens should treat every secret on that host as fully exposed.

Package              Malicious version   Last clean version
mbt                  1.2.48              1.2.47
@cap-js/sqlite       2.2.2               2.2.1
@cap-js/postgres     2.2.2               2.2.1
@cap-js/db-service   2.10.1              2.10.0

How the Worm Collects and Exfiltrates Credentials

The payload runs five credential harvesters in parallel. The first targets npm tokens by scanning .npmrc files in the user's home directory and the project root, along with npm-related CI environment variables.

Collected tokens are validated against the npm registry API to confirm publish rights, since only publish-capable tokens allow worm replication.

The second and third collectors sweep GitHub and cloud credentials. On Linux hosts, the payload reads /proc/{pid}/mem to pull GitHub Actions in-memory secrets.

It also scans AWS credential files, queries GetCallerIdentity for IAM context, sweeps Google Cloud Secret Manager, reads Kubernetes service account JSON files, and collects Azure Key Vault credentials.

The fourth collector targets AI coding tools. The payload checks 136 hardcoded paths for Claude Code settings (project/.claude/settings.json) and VS Code task files (project/.vscode/tasks.json), along with Cursor IDE state, shell history, .env files, and SSH private keys.

In CI environments, it sweeps across more than 25 platforms including Jenkins, Travis, and Azure Pipelines.

Path                                        Indicator
project/.claude/execution.js                11.6 MB persistence copy of the payload
project/.claude/settings.json               SessionStart hook present
project/.vscode/tasks.json                  folderOpen trigger pointing to .claude/
project/.github/workflows/format-check.yml  Injected credential exfiltration workflow

All collected data is encrypted with AES-256-GCM and the key is wrapped with the attacker’s RSA-4096 public key before uploading to a GitHub dead-drop repository created from the victim’s own stolen account.

If any compromised version was installed, treat the event as a full credential compromise. Uninstall each affected package and reinstall the last clean version with the --ignore-scripts flag so that no lifecycle script runs during the reinstall.

Search all projects on the affected machine for execution.js files over 5 MB, .claude/settings.json files with a SessionStart hook, and any format-check.yml workflow your team did not author.

Revoke all secrets from the affected host, including npm publish tokens, GitHub PATs, AWS IAM keys, Google Cloud service account credentials, Azure client secrets, SSH private keys, and all .env file contents.

For long-term defense, scope npm OIDC trusted publishing to a specific workflow file on a specific branch, not the entire repository.

Enforce --ignore-scripts in CI installs and review lifecycle hooks during dependency audits. The malicious versions were detected roughly two hours after publication, so reactive takedowns are not reliable protection on their own.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags: Attack, Malware, Threat

Jennifer Sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

All Rights Reserved by HackersRadar ©2026