A sophisticated supply chain campaign dubbed “Mini Shai Hulud” has compromised four widely-used SAP Cloud Application Programming Model (CAP) npm packages, injecting malicious preinstall scripts that silently execute during dependency installation to steal developer credentials, cloud secrets, and CI/CD pipeline tokens across GitHub, AWS, Azure, and Google Cloud.
On April 29, 2026, between 09:55 UTC and 12:14 UTC, threat actors published malicious versions of four legitimate SAP ecosystem npm packages to the public npm registry.
The poisoned releases @cap-js/sqlite@2.2.2, @cap-js/postgres@2.2.2, @cap-js/db-service@2.10.1, and mbt@1.2.48 are core components of SAP’s JavaScript development toolchain, collectively used across thousands of enterprise CI/CD pipelines worldwide.
Security researchers at StepSecurity, Aikido Security, SafeDep, Socket, Wiz, Snyk, Onapsis, and Semgrep simultaneously raised alarms, confirming the campaign as a coordinated, multi-stage credential theft operation.
What distinguishes “Mini Shai Hulud” from prior npm supply chain attacks is its deliberate use of the Bun JavaScript runtime as an evasion layer. Each compromised package embeds a malicious preinstall hook in package.json that silently triggers the loader script setup.mjs the moment a developer or CI runner executes npm install.
Rather than invoking Node.js directly, a pattern well-covered by existing static analysis and security tooling setup.mjs downloads the Bun runtime from GitHub Releases at installation time, then uses it to execute execution.js, a heavily obfuscated, 11.6 MB second-stage credential-stealing payload.
The implementation bypasses standard Node. js-focused detection, uses PowerShell with -ExecutionPolicy Bypass on Windows environments, and follows HTTP redirects without destination validation, dramatically widening the attack surface.
Multi-Stage Credential Theft
Once triggered, execution.js operates as a full-featured credential stealer and self-propagation framework. The payload systematically harvests:
- GitHub and npm authentication tokens from developer workstations
- SSH keys and local developer credentials
- Cloud provider secrets AWS, Azure, and GCP environment variables
- Kubernetes configuration files, tokens, and service account credentials
- GitHub Actions secrets, including runtime secrets extracted directly from the CI runner memory via
/proc/<pid>/mapsand/proc/<pid>/meminspection
The memory-scanning technique on CI runners is particularly alarming, as it reads the runner process memory to extract secrets matching the pattern "key":{"value":"...","isSecret":true}, effectively bypassing all log masking applied by CI platforms.
This memory scanner is structurally identical to techniques documented in previous TeamPCP operations against Bitwarden and Checkmarx.
All stolen data is encrypted using AES-256-GCM and key-encapsulated via RSA-4096 with an attacker-embedded public key before exfiltration, ensuring only the attacker can decrypt the harvested credentials.
Data is then uploaded to public GitHub repositories created under the victim’s own account, each bearing the description “A Mini Shai-Hulud has Appeared.” Over 1,100 such repositories have been identified since the attack began.
The campaign introduces two novel persistence and propagation vectors that have never been documented in prior npm supply chain attacks.
Using stolen npm tokens, the malware enumerates all packages under the compromised maintainer’s account, injects execution.js, and republishes them under innocuous commit messages like "chore: update dependencies" enabling exponential, fully automated spread without any additional attacker involvement.
More critically, the malware injects a .claude/settings.json file that abuses Claude Code’s SessionStart hook alongside a .vscode/tasks.json file with "runOn": "folderOpen" configured so that any developer opening an infected repository in VS Code or Anthropic’s Claude Code agent will silently re-execute the malware.
StepSecurity has identified this as “one of the first supply chain attacks to target AI coding agent configurations as a persistence and propagation vector”.
The payload also uses a GitHub commit dead-drop mechanism searching for commit messages matching OhNoWhatsGoingOnWithGitHub:<base64> and decoding them into active GitHub tokens for further lateral movement.
Consistent with prior TeamPCP campaigns, the malware inspects system date/time locale settings and environment language variables during initialization.
If the target system is configured for the Russian language (ru), the malware immediately self-terminates, ensuring zero exfiltration from Russian-speaking environments. This deliberate exclusion functions as a recurring operational fingerprint across all attributed TeamPCP campaigns.
Security researchers at SafeDep identified a critical configuration gap as the root enabler. The SAP CAP team had migrated to npm OIDC trusted publishing in November 2025, allowing GitHub Actions to request short-lived npm tokens without storing long-lived secrets.
However, the OIDC trusted publisher configuration for @cap-js/sqlite trusted any workflow in the cap-js/cds-dbs repository, not just the canonical release-please.yml on main.
This allowed attackers to push a modified workflow to a non-main branch, exchange an OIDC token on behalf of the package, and publish malicious releases without provenance. For the mbt package, the compromise is suspected to involve the cloudmtabot static npm token exposed via a misconfigured CircleCI job.
Researchers attribute this campaign to TeamPCP with medium-to-high confidence, citing multiple overlapping technical signatures with previously documented TeamPCP operations:
- Identical
__decodeScrambledcipher for pre-exfiltration secret encoding - Same Russian-locale early-exit logic
- Shared
setup.mjsdropper (SHA256:4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34) across all four packages - Prior targeting of Trivy, LiteLLM, Checkmarx KICS, and Bitwarden with structurally identical memory-scanning code
| Package | Malicious Version | Tarball SHA256 |
|---|---|---|
@cap-js/postgres | 2.2.2 | 1d9e4ece8e13c8eaf94cb858470d1bd8f81bb58f62583552303774fa1579edee |
@cap-js/db-service | 2.10.1 | 258257560fe2f1c2cc3924eae40718c829085b52ae3436b4e46d2565f6996271 |
@cap-js/sqlite | 2.2.2 | a1da198bb4e883d077a0e13351bf2c3acdea10497152292e873d79d4f7420211 |
mbt | 1.2.48 | 86282ebcd3bebf50f087f2c6b00c62caa667cdcb53558033d85acd39e3d88b41 |
The shared dropper setup.mjs carries SHA1 307d0fa7407d40e67d14e9d5a4c61ac5b4f20431 across all four packages. Package maintainers have released patched safe versions: @cap-js/sqlite v2.4.0/v2.3.0, @cap-js/postgres v2.3.0, @cap-js/db-service v2.10.1 (re-released clean), and mbt v1.2.49.
Mitigation:
- Pin dependencies to verified safe versions and audit your
package-lock.jsonimmediately - Rotate all secrets present in any environment where the affected package versions were installed, including GitHub tokens, npm tokens, AWS/Azure/GCP keys, and Kubernetes credentials
- Monitor npm install logs for unexpected Bun runtime downloads, a novel behavioral indicator unique to this campaign
- Restrict OIDC trusted publisher scope to canonical release workflows on protected branches only
- Audit GitHub Actions workflows for injected steps or modified CI configuration files introduced via non-main branch pushes
- Scan repositories for
.claude/settings.jsonor modified.vscode/tasks.jsonfiles that were not intentionally committed
FAQ
Q1. Which SAP npm packages were compromised in the Mini Shai Hulud attack?
The four affected packages are @cap-js/sqlite@2.2.2, @cap-js/postgres@2.2.2, @cap-js/db-service@2.10.1, and mbt@1.2.48, all part of the SAP Cloud Application Programming Model ecosystem.
Q2. Why did the attackers use the Bun runtime instead of Node.js?
Bun execution patterns fall largely outside the detection scope of Node.js-focused static analysis and security tooling, making the malicious payload significantly harder to detect at install time.
Q3. How does the Mini Shai Hulud malware self-propagate across the npm ecosystem?
Using stolen npm tokens, the malware enumerates all packages the victim maintains, injects the malicious execution.js payload, and republishes them automatically under deceptive commit messages, enabling exponential spread without further attacker interaction.
Q4. Who is behind the Mini Shai Hulud supply chain attack, and how can organizations protect themselves?
Researchers attribute the attack to the TeamPCP threat actor with medium-to-high confidence; organizations should immediately upgrade to safe package versions, rotate all exposed credentials, and restrict OIDC publisher configurations to main-branch release workflows only.
About the Author
