Cybersecurity researchers are sounding the alarm about a new supply chain attack campaign targeting SAP-related NPM packages with credential-stealing malware.
According to reports from Aikido Security, SafeDep, Socket, StepSecurity and Google-owned Wiz, the campaign – calling itself Mini Shai-Hulud – The following packages related to SAP’s JavaScript and cloud application development ecosystem are affected –
- mbt@1.2.48
- @cap-js/db-service@2.10.1
- @cap-js/postgres@2.2.2
- @cap-js/sqlite@2.2.2
“The affected versions introduced new installation-time behavior that was not previously part of the expected functionality of these packages,” Socket said. “The compromised release added a preinstalled script that acts as a runtime bootstrapper, downloading a platform-specific bun zip from the GitHub release, extracting it, and immediately executing the extracted bun binary.”
“The implementation also follows HTTP redirects without validating the destination and uses PowerShell with -ExecutionPolicy Bypass on Windows, increasing the risk to affected developers and CI/CD environments.”
Viz noted that the malicious packages match many of the characteristics present in previous TeamPCP operations, indicating that the same threat actor is likely behind the latest campaign.
The suspected versions were published between 09:55 UTC and 12:14 UTC on April 29, 2026. The poisoned packages introduce a new package.json preinstall hook that runs a file called “setup.mjs”, which acts as a loader for the Bun JavaScript runtime to execute the credential stealer and propagation framework (“execute.js”).
According to Aikido, the malware is designed to obtain local developer credentials, GitHub and npm tokens, GitHub action secrets, and cloud secrets from AWS, Azure, GCP, and Kubernetes. The stolen data is encrypted and sent to a public GitHub repository created on the victim’s own account with the description “A mini Shai-Hulud has appeared.” At the time of writing, there are over 1,100 repositories with details.
Additionally, the 11.6 MB payload comes with the capabilities to self-propagate via developer and release workflows, specifically using GitHub and NPM tokens to inject a malicious GitHub Actions workflow into the victim’s repository to steal repository secrets and publish poisoned versions of NPM packages in the registry.
However, the latest event bears significant differences from prior Shai-Hulud waves –
- All exfiltrated data is encrypted with AES-256-GCM and the key is encapsulated using RSA-4096 with the public key embedded in the payload, effectively making it decipherable only by the attacker.
- It exists on Russian-locale systems.
- The payload commits itself by injecting a “.cloud/settings.json” file into every accessible GitHub repository that abuses Cloud Code’s sessionStart hook and a “.vscode/tasks.json” file with the “runOn”: “folderOpen” setting so that any attempt to open the infected repository in Microsoft Visual Studio Code (VS Code) or Cloud Code will cause the malware to execute.
“This is one of the first supply chain attacks to target an AI coding agent configuration as a persistence and propagation vector,” StepSecurity said.
Further analysis of the root cause revealed that the attackers compromised RoshniNaveenaS’s account for three “@cap-js” packages, then pushed a modified workflow to a non-main branch and published the malicious packages unsourced using the extracted npm OIDC token. As far as MBT is concerned, it is suspected to involve the compromise of the “Cloudmtabot” stable NPM token through an as-yet-undetermined channel.
“The CDS-DBS team will migrate to NPM OIDC trusted publishing in November 2025,” SafeDep said. “Under this setup, GitHub Actions could request a short-lived NPM token without storing any long-lived secrets in the repository. The attacker manually reproduced this exchange in the CI phase and printed the resulting token.”
“Important configuration difference: npm’s OIDC trusted publisher configuration for @cap-js/sqlite trusts any workflow in cap-js/cds-dbs, not just the canonical release-please.yml on master. If the workflow has id-token: write permission and environment: npm context, a branch push can exchange OIDC tokens on behalf of the package.”
In response to the incident, maintainers of the packages have released new secure versions that replace the compromised releases –
