SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack
SAP-Related npm Packages Compromised in "mini Shai-Hulud" Supply Chain Attack
TL;DR: A sophisticated supply chain attack named "mini Shai-Hulud" recently targeted SAP’s JavaScript ecosystem via four compromised npm packages. The malware, linked to the threat actor TeamPCP, steals cloud credentials and browser passwords, while specifically targeting AI coding tools like Claude Code and VS Code for persistence. Moroccan development teams using SAP’s Cloud Application Programming (CAP) model should immediately verify their package versions and audit their GitHub/npm OIDC configurations.
The Scope of the Compromise
Security researchers from several firms—including Wiz, Socket, and OX Security—have identified a targeted supply chain attack affecting key packages in the SAP development ecosystem. The attack, which occurred on April 29, 2026, involves the injection of malicious code into legitimate libraries used for database services and cloud deployment.
The following specific package versions are confirmed to be compromised:
- mbt@1.2.48
- @cap-js/db-service@2.10.1
- @cap-js/postgres@2.2.2
- @cap-js/sqlite@2.2.2
The malware is designed to steal highly sensitive data, including GitHub and npm tokens, GitHub Actions secrets, and cloud credentials for AWS, Azure, GCP, and Kubernetes.
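To check a project against the list above, the following added example (not code from the original article or from SAP) scans a parsed package-lock.json, lockfileVersion 2 or 3, for the four listed versions, including copies nested under other dependencies. The sample lockfile and the project name in it are constructed.

```javascript
// Added example: flag the package versions this article lists as compromised.
// A Map avoids accidental hits on inherited keys such as "constructor".
const COMPROMISED = new Map([
  ["mbt", ["1.2.48"]],
  ["@cap-js/db-service", ["2.10.1"]],
  ["@cap-js/postgres", ["2.2.2"]],
  ["@cap-js/sqlite", ["2.2.2"]],
]);

function findCompromised(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1) continue; // root project or workspace entry, not a dependency
    const name = path.slice(i + "node_modules/".length);
    if ((COMPROMISED.get(name) || []).includes(meta.version)) {
      hits.push({
        name,
        version: meta.version,
        path, // shows which dependency pulled it in when nested
        hasInstallScript: meta.hasInstallScript === true,
      });
    }
  }
  return hits;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-cap-app", version: "1.0.0" },
    "node_modules/@cap-js/sqlite": { version: "2.2.2", hasInstallScript: true },
    "node_modules/@cap-js/db-service": { version: "2.9.0" },
    "node_modules/tooling/node_modules/mbt": { version: "1.2.48", hasInstallScript: true },
    "node_modules/express": { version: "4.19.2" },
  },
};

for (const h of findCompromised(sampleLock)) {
  console.log(`${h.name}@${h.version} at ${h.path} (install script: ${h.hasInstallScript})`);
}
```

For a real project, pass in the result of `JSON.parse` on the contents of package-lock.json.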
How the Attack Works: From Bun to Shai-Hulud
When a developer or a CI/CD system installs one of these compromised versions, a preinstall hook in the package.json triggers a script named setup.mjs. This script acts as a bootstrapper that downloads the Bun JavaScript runtime (a high-performance alternative to Node.js) from GitHub Releases to execute the primary malware payload, execution.js.
A notable feature of this campaign—which researchers have dubbed "mini Shai-Hulud"—is how it handles stolen data. Rather than sending secrets to a private server, it encrypts the data (using AES-256-GCM and RSA-4096) and uploads it to new public GitHub repositories created on the victim's own account. These repositories are typically given the description: "A Mini Shai-Hulud has Appeared." To date, over 1,100 such repositories have been discovered.
Targeting AI Coding Agents and IDEs
In a significant shift for supply chain attacks, the Shai-Hulud malware targets modern developer workflows for persistence. It attempts to inject malicious configurations into project folders:
- .claude/settings.json: Abuses the SessionStart hook in Claude Code (an AI coding agent).
- .vscode/tasks.json: Uses the "runOn": "folderOpen" setting in Visual Studio Code.
This means that simply opening an infected project folder in your IDE or starting an AI-assisted coding session could re-trigger the malware execution.
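A review aid for the two files named above, as an added example that is not part of the original article: it lists every command wired to a Claude Code SessionStart hook or to a VS Code task with "runOn": "folderOpen" so a person can decide whether each entry is expected. The sample file contents and the placeholder command are constructed.

```javascript
// Added example: list auto-run entries in the two project files named above.
// Input is a map of relative path -> file text, so any file walker can feed it.
function parseLoose(text) {
  // tasks.json often carries // comments; drop full-line ones before parsing.
  try { return JSON.parse(text.replace(/^\s*\/\/.*$/gm, "")); } catch { return null; }
}

function auditAutoRun(files) {
  const findings = [];
  const add = (file, trigger, command) => findings.push({ file, trigger, command });

  const claude = files[".claude/settings.json"];
  if (claude !== undefined) {
    const cfg = parseLoose(claude);
    const groups = cfg && cfg.hooks && cfg.hooks.SessionStart;
    for (const g of Array.isArray(groups) ? groups : [])
      for (const h of g && Array.isArray(g.hooks) ? g.hooks : [])
        add(".claude/settings.json", "SessionStart", h && h.command);
    if (cfg === null && /"SessionStart"/.test(claude))
      add(".claude/settings.json", "SessionStart", null); // unparseable: review by hand
  }

  const vscode = files[".vscode/tasks.json"];
  if (vscode !== undefined) {
    const cfg = parseLoose(vscode);
    for (const t of cfg && Array.isArray(cfg.tasks) ? cfg.tasks : [])
      if (t && t.runOptions && t.runOptions.runOn === "folderOpen")
        add(".vscode/tasks.json", "folderOpen", t.command);
    if (cfg === null && /"runOn"\s*:\s*"folderOpen"/.test(vscode))
      add(".vscode/tasks.json", "folderOpen", null); // unparseable: review by hand
  }
  return findings;
}

// Constructed sample files with a harmless placeholder command.
const sampleFiles = {
  ".claude/settings.json": JSON.stringify({
    hooks: { SessionStart: [{ hooks: [{ type: "command", command: "node ./placeholder.js" }] }] },
  }),
  ".vscode/tasks.json": `{
  // constructed sample
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    { "label": "init", "type": "shell", "command": "node ./placeholder.js",
      "runOptions": { "runOn": "folderOpen" } }
  ]
}`,
};
console.log(auditAutoRun(sampleFiles));
```

Both settings have legitimate uses, so a finding is a prompt for review rather than proof of infection.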
The Root Cause: OIDC Configuration Gaps
The exploitation of the @cap-js packages highlights a critical lesson in modern DevOps security. Since November 2025, the maintainers had been using OIDC (OpenID Connect) for "trusted publishing," a method meant to eliminate long-lived secrets.
However, researchers found a configuration gap: npm’s OIDC trusted publisher for @cap-js/sqlite was configured to trust any workflow in the repository, rather than just the official release workflow on the main branch. This allowed the threat actor (suspected to be TeamPCP) to push a modified workflow to a non-main branch, request a short-lived OIDC token, and publish the malicious package versions.
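The difference between the two configurations can be seen by evaluating OIDC token claims against each, shown here as an added example that models the matching in simplified form and is not npm's implementation or the maintainers' code. The claim names repository, ref and workflow_ref are the ones GitHub Actions places in its OIDC tokens; the policy object, its field names, the repository name and the workflow file names are hypothetical.

```javascript
// Added example: simplified model of trusted-publisher matching.
// policy.workflowFile and policy.ref are hypothetical field names.
function isTrusted(policy, claims) {
  if (claims.repository !== policy.repository) return false;
  if (policy.workflowFile) {
    // workflow_ref has the form "<owner>/<repo>/.github/workflows/<file>@<git ref>"
    const wfPath = String(claims.workflow_ref || "").split("@")[0];
    const expected = `${policy.repository}/.github/workflows/${policy.workflowFile}`;
    if (wfPath !== expected) return false;
  }
  if (policy.ref && claims.ref !== policy.ref) return false;
  return true;
}

// Placeholder repository: the article does not name the real one.
const REPO = "example-org/example-repo";
const wf = (file, ref) => `${REPO}/.github/workflows/${file}@${ref}`;

// Weak: any workflow on any branch of the repository is accepted.
const repoWide = { repository: REPO };
// Strict: only the release workflow, and only when it runs from main.
const pinned = { repository: REPO, workflowFile: "release.yml", ref: "refs/heads/main" };

// Constructed claim sets for three workflow runs.
const tokens = {
  release: { repository: REPO, ref: "refs/heads/main",
             workflow_ref: wf("release.yml", "refs/heads/main") },
  newWorkflow: { repository: REPO, ref: "refs/heads/feature-x",
                 workflow_ref: wf("other.yml", "refs/heads/feature-x") },
  editedRelease: { repository: REPO, ref: "refs/heads/feature-x",
                   workflow_ref: wf("release.yml", "refs/heads/feature-x") },
};

function evaluateAll() {
  const out = {};
  for (const [name, claims] of Object.entries(tokens)) {
    out[name] = { repoWide: isTrusted(repoWide, claims), pinned: isTrusted(pinned, claims) };
  }
  return out;
}

console.log(evaluateAll());
```

The editedRelease case shows why pinning the workflow file name alone is not enough: a copy of the release workflow on another branch keeps the same file name, and only the ref check rejects it.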
For the mbt package, the compromise is suspected to involve a static npm token named cloudmtabot, though the exact channel of that leak remains undetermined.
Recommended Mitigations for Moroccan Teams
If your work involves SAP cloud development or the CAP model, take the following steps immediately:
- Update Packages: Ensure you are running the patched versions released by the maintainers:
  - sqlite: v2.4.0 or v2.3.0
  - postgres: v2.3.0 or v2.2.2
  - hana: v2.8.0 or v2.7.2
  - db-service: v2.10.1
  - mbt: v1.2.49
- Audit OIDC Settings: If you use GitHub Actions to publish to npm, restrict OIDC trusted publishing to specific, canonical release workflows on main branches only. Do not allow tokens to be generated from arbitrary branches.
- Check for "Dune" Repositories: Inspect your GitHub account for any unexpected public repositories with the "Shai-Hulud" description.
- Rotate Credentials: Because the malware harvests browser-stored passwords and cloud keys, assume any credentials stored on an infected machine have been compromised.
Conclusion
The "mini Shai-Hulud" campaign proves that even modern security features like OIDC can be bypassed if misconfigured. By leveraging GitHub as its command-and-control (C2) infrastructure and targeting AI tools like Claude Code, TeamPCP has demonstrated a sophisticated understanding of the modern developer's environment. For Moroccan tech leads and sysadmins, this is a reminder that supply chain security is not a "set and forget" task, but a continuous process of auditing permissions and dependencies.
Source: SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack


