VYPR
Breach · Published Apr 29, 2026 · Updated May 18, 2026 · 1 source

SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack

A supply chain attack has compromised four SAP-related npm packages with malware that steals credentials and cloud secrets and targets AI coding agent configurations for persistence.

A sophisticated supply chain attack has compromised four SAP-related npm packages, injecting credential-stealing malware that targets developer environments and cloud secrets. The campaign, which researchers have dubbed "Mini Shai-Hulud," affected the packages mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, and @cap-js/sqlite@2.2.2. The malicious versions were published on April 29, 2026, between 09:55 UTC and 12:14 UTC, according to reports from Aikido Security, Onapsis, OX Security, SafeDep, Socket, StepSecurity, and Google-owned Wiz.

The compromised packages introduced a new preinstall hook that runs a file named "setup.mjs," which acts as a loader for the Bun JavaScript runtime. The Bun binary then executes a credential stealer and propagation framework called "execution.js." Socket noted that HTTP redirects are followed without validating the destination, and that on Windows, PowerShell is used with -ExecutionPolicy Bypass, increasing the risk for affected developer and CI/CD environments.

The 11.6 MB payload is designed to harvest local developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud secrets from AWS, Azure, GCP, and Kubernetes. Stolen data is encrypted with AES-256-GCM and the key is encapsulated using RSA-4096 with a public key embedded in the payload, making it decipherable only to the attacker. The exfiltrated data is then uploaded to public GitHub repositories created on the victim's own account with the description "A Mini Shai-Hulud has Appeared." As of writing, there are more than 1,100 such repositories.

A notable feature of this attack is its targeting of AI coding agent configurations for persistence and propagation. The payload commits itself into every accessible GitHub repository by injecting a ".claude/settings.json" file that abuses Claude Code's SessionStart hook and a ".vscode/tasks.json" file with the "runOn": "folderOpen" setting. This means that any attempt to open the infected repository in Microsoft Visual Studio Code or Claude Code causes the malware to execute. StepSecurity described this as "one of the first supply chain attacks to target AI coding agent configurations as a persistence and propagation vector."
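The indicators described so far (the affected versions, the new preinstall hook, and the two auto-run configuration files) can be triaged with a short Node.js check. This is an added example, not code from the article or from any of the vendors it cites; the function names and all sample inputs are constructed for illustration.

```javascript
// Affected versions exactly as listed in this article.
const COMPROMISED = new Set([
  "mbt@1.2.48", "@cap-js/db-service@2.10.1",
  "@cap-js/postgres@2.2.2", "@cap-js/sqlite@2.2.2",
]);

// package-lock.json (lockfileVersion 2/3): "packages" is keyed by install path,
// including nested paths such as node_modules/a/node_modules/b.
function findCompromised(lockText) {
  const pkgs = JSON.parse(lockText).packages || {};
  const hits = [];
  for (const [path, meta] of Object.entries(pkgs)) {
    const name = meta.name || path.split("node_modules/").pop();
    const id = `${name}@${meta.version}`;
    if (COMPROMISED.has(id)) hits.push(id);
  }
  return hits;
}

// files: { relativePath: fileText } for one repository checkout.
function findPersistence(files) {
  const findings = [];
  const tasks = files[".vscode/tasks.json"];
  // tasks.json may contain comments, so match textually instead of JSON.parse.
  if (tasks && /"runOn"\s*:\s*"folderOpen"/.test(tasks))
    findings.push(".vscode/tasks.json: task runs on folderOpen");
  const claude = files[".claude/settings.json"];
  if (claude && /"SessionStart"\s*:/.test(claude))
    findings.push(".claude/settings.json: SessionStart hook defined");
  const pkg = files["package.json"];
  const pre = pkg && JSON.parse(pkg).scripts?.preinstall;
  if (pre) findings.push(`package.json: preinstall hook "${pre}"`);
  return findings;
}

// Constructed sample inputs (not taken from a real infected repository).
const sampleLock = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@cap-js/sqlite": { version: "2.2.2" },
  "node_modules/@cap-js/postgres": { version: "2.3.0" },
  "node_modules/mbt": { version: "1.2.48" },
}});
const sampleRepo = {
  ".vscode/tasks.json": '{ // constructed\n "tasks": [{ "label": "init", "command": "echo placeholder", "runOptions": { "runOn": "folderOpen" } }] }',
  ".claude/settings.json": '{"hooks":{"SessionStart":[{"hooks":[{"type":"command","command":"echo placeholder"}]}]}}',
  "package.json": '{"name":"demo-app","scripts":{"preinstall":"node setup.mjs"}}',
};
console.log(findCompromised(sampleLock), findPersistence(sampleRepo));
```

Both settings have legitimate uses, so a finding is a prompt to review the file's history and the command it runs, not proof of infection.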

Researchers have linked the attack to the TeamPCP threat actor, noting that the same Russian-locale check (the malware exits on Russian-locale systems) was also detected in the recent Checkmarx and Bitwarden compromises. Wiz pointed out that the attack encrypts exfiltrated secrets with a shared RSA public key linked to TeamPCP. The SAP operation also adds the ability to steal credentials from multiple browsers (Chrome, Safari, Edge, Brave, Chromium) and exfiltrate any passwords found there, a feature not present in previous operations.

Analysis of the root cause revealed that the attackers compromised RoshniNaveenaS's account for the three "@cap-js" packages, then pushed a modified workflow to a non-main branch and used the extracted npm OIDC token to publish the malicious packages without provenance. For mbt, it is suspected that the "cloudmtabot" static npm token was compromised through an as-yet-undetermined channel. SafeDep noted that npm's OIDC trusted publisher configuration for @cap-js/sqlite trusted any workflow in cap-js/cds-dbs, not just the canonical release-please.yml on main, allowing a branch push to exchange an OIDC token on behalf of the package.

In response, maintainers have released new safe versions that supersede the compromised releases: sqlite v2.4.0 and v2.3.0, postgres v2.3.0 and v2.2.2, hana v2.8.0 and v2.7.2, db-service v2.10.1, and mbt v1.2.49. OX Security researchers Moshe Siman Tov Bustan and Nir Zadok noted that "this campaign illustrates once again how GitHub is becoming the C2 infrastructure of choice for data exfiltration," adding that blocking github.com is not a realistic option for most development teams.

Synthesized by Vypr AI