SAP npm Packages Compromised by “Mini Shai-Hulud” Credential-Stealing Malware  Ravie Lakshmanan  Apr 29, 2026 Supply Chain Attack / Malware Cybersecurity researchers are sounding the alarm about a new supply chain attack campaign targeting SAP-related npm Packages with credential-stealing malware. According to reports from Aikido Security , SafeDep , Socket , StepSecurity , and Google-owned Wiz , the campaign – calling itself the mini Shai-Hulud – has affected the following packages associated with SAP's JavaScript and cloud application development ecosystem - mbt@1.2.48 @cap-js/db-service@2.10.1 @cap-js/postgres@2.2.2 @cap-js/sqlite@2.2.2 "The affected versions introduced new installation-time behavior that was not previously part of these packages' expected functionality," Socket said. "The compromised releases added a preinstall script that acts as a runtime bootstrapper, downloading a platform-specific Bun ZIP from GitHub Releases, extracting it, and immediately executing the extracted Bun binary." "The implementation also follows HTTP redirects without validating the destination and uses PowerShell with -ExecutionPolicy Bypass on Windows, increasing the risk for affected developer and CI/CD environments." Wiz noted that the malicious packages match several features present in previous TeamPCP operations, indicating that the same threat actor is likely behind the latest campaign. The suspicious versions were published on April 29, 2026, between 09:55 UTC and 12:14 UTC. The poisoned packages introduce a new package.json preinstall hook that runs a file named "setup.mjs," which acts as a loader for the Bun JavaScript runtime to execute the credential stealer and propagation framework ("execution.js"). According to Aikido, the malware is designed to harvest local developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud secrets from AWS, Azure, GCP, and Kubernetes. The stolen data is encrypted and exfiltrated to public GitHub repositories created on the victim's own account with the description "A Mini Shai-Hulud has Appeared." As of writing, there are more than 1,100 repositories with descriptions. In addition, the 11.6 MB payload comes with capabilities to self-propagate through developer and release workflows, specifically using the GitHub and npm tokens to inject a malicious GitHub Actions workflow into the victim's repositories to steal repository secrets and publish poisoned versions of the npm packages to the registry. However, the latest incident bears significant differences from prior Shai-Hulud waves - All exfiltrated data is encrypted with AES-256-GCM and encapsulates the key using RSA-4096 with a public key embedded in the payload, effectively making it decipherable only to the attacker. It exists on Russian-locale systems. The payload commits itself into every accessible GitHub repository by injecting a ".claude/settings.json" file that abuses Claude Code's SessionStart hook and a ".vscode/tasks.json" file with "runOn": "folderOpen" setting so that any attempt to open the infected repository in Microsoft Visual Studio Code (VS Code) or Claude Code causes the malware to be executed. "This is one of the first supply chain attacks to target AI coding agent configurations as a persistence and propagation vector," StepSecurity said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post. SHARE      Tweet  Share  Share  Share   Share on Facebook  Share on Twitter  Share on Linkedin  Share on Reddit  Share on Hacker News  Share on Email  Share on WhatsApp Share on Facebook Messenger  Share on Telegram SHARE  Cloud security , Credential Theft , cybersecurity , DevOps , encryption , GitHub , Malware , NPM , SAP , supply chain attack Trending News 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released OpenAI Launches GPT-5.4-Cyber with Expanded Access for Security Teams Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials Why Security Leaders Are Layering Email Defense on Top of Secure Email Gateways Why Threat Intelligence Is the Missing Link in CTEM Prioritization and Validation The Hidden Security Risks of Shadow AI in Enterprises Your MTTD Looks Great. Your Post-Alert Gap Doesn't Popular Resources Discover Key AI Security Gaps CISOs Face in 2026 Fix Rising Application Security Risks Driven by AI Development Automate Alert Triage and Investigations Across Every Threat How to Identify Risky Browser Extensions in Your Organization