{"id":759,"date":"2026-04-29T16:54:28","date_gmt":"2026-04-29T16:54:28","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=759"},"modified":"2026-04-29T16:54:28","modified_gmt":"2026-04-29T16:54:28","slug":"sap-related-npm-packages-compromised-in-credential-stealing-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=759","title":{"rendered":"SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Apr 29, 2026<\/span><\/span><span class=\"p-tags\">Supply Chain Attack \/ Malware<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhoviEyxWTNHg8ARy1a-r9k4-LpHIhfCKGFL71YHc6H2v8XiyHbkvdsU26IC8jHa304gwz8zE9dXXWcL8NaA5X5KRLIWFDpxB1hjQU1af_B6uGEEr3i_RNOub2DSShyphenhyphenBXp0C3p6343TffijodxMsHVFQ-Dc9jPPApgk1uluKVP8NzUHtx1yd50YLkSw6z6G\/s1700-e365\/saps.jpg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><\/a><\/div>\n<p>Cybersecurity researchers are sounding the alarm about a new supply chain attack campaign targeting SAP-related npm Packages with credential-stealing malware.<\/p>\n<p>According to reports from <a href=\"https:\/\/www.aikido.dev\/blog\/mini-shai-hulud-has-appeared\">Aikido Security<\/a>, <a href=\"https:\/\/safedep.io\/mini-shai-hulud-and-sap-compromise\/\">SafeDep<\/a>, <a href=\"https:\/\/socket.dev\/blog\/sap-cap-npm-packages-supply-chain-attack\">Socket<\/a>, <a href=\"https:\/\/www.stepsecurity.io\/blog\/a-mini-shai-hulud-has-appeared\">StepSecurity<\/a>, and Google-owned <a href=\"https:\/\/www.wiz.io\/blog\/mini-shai-hulud-supply-chain-sap-npm\">Wiz<\/a>, the campaign \u2013 calling itself the <strong>mini Shai-Hulud<\/strong> \u2013 has affected the <a href=\"https:\/\/socket.dev\/supply-chain-attacks\/sap-cap-npm-packages-hit-by-supply-chain-attack\">following packages<\/a> associated with SAP&#8217;s JavaScript and cloud application development ecosystem &#8211;<\/p>\n<ul>\n<li>mbt@1.2.48<\/li>\n<li>@cap-js\/db-service@2.10.1<\/li>\n<li>@cap-js\/postgres@2.2.2<\/li>\n<li>@cap-js\/sqlite@2.2.2<\/li>\n<\/ul>\n<p>\u00abThe affected versions introduced new installation-time behavior that was not previously part of these packages&#8217; expected functionality,\u00bb Socket said. \u00abThe compromised releases added a preinstall script that acts as a runtime bootstrapper, downloading a platform-specific Bun ZIP from GitHub Releases, extracting it, and immediately executing the extracted Bun binary.\u00bb<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/ai-security-guide-d-1\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjRxP56rpa2W0O_0yc0xgs5l2r4FRV4Wiuq3IqWuFdsd_4g1c3oRVXoHtW9gxo8ObuxmyjqkAf3cD6N1JbVDos7QX99ZHtmeVrg-FUzSnMZLTl1ZFyiSkpqQiw6BcHXz52jr3s42xWEDFOpwWK6HgXOqscGMNkhA5pZK7h6zVV4dpDaLfgy17TidZXVrtUB\/s728-e100\/nudge-d-1.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>\u00abThe implementation also follows HTTP redirects without validating the destination and uses PowerShell with -ExecutionPolicy Bypass on Windows, increasing the risk for affected developer and CI\/CD environments.\u00bb<\/p>\n<p>Wiz noted that the malicious packages match several features present in previous TeamPCP operations, indicating that the same threat actor is likely behind the latest campaign.<\/p>\n<p>The suspicious versions were published on April 29, 2026, between 09:55 UTC and 12:14 UTC. The poisoned packages introduce a new package.json preinstall hook that runs a file named \u00absetup.mjs,\u00bb which acts as a loader for the Bun JavaScript runtime to execute the credential stealer and propagation framework (\u00abexecution.js\u00bb).<\/p>\n<p>According to Aikido, the malware is designed to harvest local developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud secrets from AWS, Azure, GCP, and Kubernetes. The stolen data is encrypted and exfiltrated to public GitHub repositories created on the victim&#8217;s own account with the description \u00abA Mini Shai-Hulud has Appeared.\u00bb As of writing, there are more than <a href=\"https:\/\/github.com\/search?q=%22A%20Mini%20Shai-Hulud%20has%20Appeared%22&amp;type=repositories\">1,100 repositories<\/a> with descriptions.<\/p>\n<p>In addition, the 11.6 MB payload comes with capabilities to self-propagate through developer and release workflows, specifically using the GitHub and npm tokens to inject a malicious GitHub Actions workflow into the victim&#8217;s repositories to steal repository secrets and publish poisoned versions of the npm packages to the registry.<\/p>\n<p>However, the latest incident bears significant differences from prior Shai-Hulud waves &#8211;<\/p>\n<ul>\n<li>All exfiltrated data is encrypted with AES-256-GCM and encapsulates the key using RSA-4096 with a public key embedded in the payload, effectively making it decipherable only to the attacker.<\/li>\n<li>It exists on Russian-locale systems.<\/li>\n<li>The payload commits itself into every accessible GitHub repository by injecting a \u00ab.claude\/settings.json\u00bb file that abuses Claude Code&#8217;s SessionStart hook and a \u00ab.vscode\/tasks.json\u00bb file with \u00abrunOn\u00bb: \u00abfolderOpen\u00bb setting so that any attempt to open the infected repository in Microsoft Visual Studio Code (VS Code) or Claude Code causes the malware to be executed.<\/li>\n<\/ul>\n<p>\u00abThis is one of the first supply chain attacks to target AI coding agent configurations as a persistence and propagation vector,\u00bb StepSecurity said.<\/p>\n<p>Further analysis into the root cause has revealed that the attackers compromised RoshniNaveenaS&#8217;s account for the three \u00ab@cap-js\u00bb packages, followed by pushing a modified workflow to a non-main branch and using the extracted npm OIDC token to publish the malicious packages without provenance. As for mbt, it&#8217;s suspected to involve the compromise of the \u00abcloudmtabot\u00bb static npm token through an as-yet-undetermined channel.<\/p>\n<p>\u00abThe cds-dbs team migrated to npm OIDC trusted publishing in November 2025,\u00bb SafeDep said. \u00abUnder this setup, GitHub Actions can request a short-lived npm token without storing any long-lived secrets in the repository. The attacker reproduced this exchange manually in a CI step and printed the resulting token.\u00bb<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/fast-response-not-fast-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjgi9mu68zRUz1nCLLKmkAA2aBtNfP_JOTXulZoB6yImso1Onk7oM_LI0kdROu8fq5S5oDyMtd1j50W44Ye_8Sl3zQZiE8A9tmFr6kejGKjGh74uoxluF-RyBq_unDQlzjXZHCqQeuYXBoogda5zf0w-zXd6v0rIM7fEw6TcFf_QGWBu5Mop-djkEaOUa5A\/s728-e100\/tl-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>\u00abThe critical configuration gap: npm\u2019s OIDC trusted publisher configuration for @cap-js\/sqlite trusted any workflow in cap-js\/cds-dbs, not just the canonical release-please.yml on main. A branch push could exchange an OIDC token on behalf of the package if the workflow had id-token: write permission and the environment: npm reference.\u00bb<\/p>\n<p>In response to the incident, the <a href=\"https:\/\/github.com\/SAP\/cloud-mta-build-tool\">maintainers<\/a> of the packages have <a href=\"https:\/\/github.com\/cap-js\/cds-dbs\/\">released<\/a> new safe versions that supersede the compromised releases &#8211;<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Apr 29, 2026Supply Chain Attack \/ Malware Cybersecurity researchers are sounding the alarm about a new supply chain attack campaign targeting SAP-related npm Packages with credential-stealing malware. According to&hellip;<\/p>\n","protected":false},"author":1,"featured_media":760,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[220,219,227,642,39,35,1471,218],"class_list":["post-759","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-attack","tag-chain","tag-compromised","tag-credentialstealing","tag-npm","tag-packages","tag-saprelated","tag-supply"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/759","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=759"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/759\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/760"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=759"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=759"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=759"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}