SAP npm Supply Chain Attack: Malware Targets CAP Packages
The Mini Shai-Hulud campaign compromises SAP npm packages, stealing credentials and establishing persistence via AI agents. Learn how to stay protected.

How dangerous can running a simple npm install be? On April 29, 2026, security researchers discovered a sophisticated supply chain attack campaign that compromised npm packages linked to the SAP ecosystem. The attack, named Mini Shai-Hulud, introduced malware designed to steal credentials and establish persistence through an innovative strategy: exploiting the Bun runtime to bypass traditional controls and targeting AI coding agent configurations.
The modus operandi: Bun runtime and preinstall scripts
The compromised versions, published on npm between 09:55 UTC and 12:14 UTC on April 29, 2026, involve widely used packages in the SAP ecosystem: @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt. According to Socket researchers, the affected versions introduced new installation behavior that was not part of the packages' intended functionality.
The attack vector exploits a preinstall script that automatically downloads the Bun runtime to execute a payload named execution.js. The choice of Bun represents a significant evolution in evasion techniques: security tools traditionally configured to monitor the Node.js environment may not detect suspicious activity generated by an alternative runtime. The payload, approximately 11 MB in size, is particularly complex and modularized.
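A defender's check for the install behaviour described above, as an added example that is not from the article or its sources: it walks a package-lock.json for the four package names and for any entry carrying npm's `hasInstallScript` flag, then inspects one package's install-time hooks for references to Bun or execution.js. The sample lockfile, versions and commands are constructed.

```javascript
// Added example, not from the article. Package names are the ones the article lists;
// it gives no version numbers, so every installed version is surfaced for review.
const AFFECTED = new Set(["@cap-js/sqlite", "@cap-js/postgres", "@cap-js/db-service", "mbt"]);
const HOOKS = ["preinstall", "install", "postinstall"];
// Strings tied to the described behaviour: the Bun runtime and the execution.js payload.
const INDICATORS = [/\bbun\b/i, /execution\.js/i];

// package-lock.json v2/v3: keys of "packages" are install paths such as
// "node_modules/a/node_modules/mbt"; the name follows the last "node_modules/".
function auditLockfile(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const i = key.lastIndexOf("node_modules/");
    if (i === -1) continue; // "" is the root project itself
    const name = key.slice(i + "node_modules/".length);
    const affected = AFFECTED.has(name);
    const hasInstallScript = meta.hasInstallScript === true;
    if (affected || hasInstallScript) {
      findings.push({ name, version: meta.version, affected, hasInstallScript });
    }
  }
  return findings;
}

// package.json of one installed package: list its install-time hooks and mark
// commands that mention an indicator.
function auditManifest(manifest) {
  const scripts = manifest.scripts || {};
  return HOOKS.filter((hook) => typeof scripts[hook] === "string").map((hook) => ({
    name: manifest.name,
    hook,
    command: scripts[hook],
    suspicious: INDICATORS.some((re) => re.test(scripts[hook])),
  }));
}

// Constructed sample input: versions and commands are invented for illustration.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@cap-js/sqlite": { version: "0.0.0-example", hasInstallScript: true },
  "node_modules/example-lib": { version: "1.3.0" },
  "node_modules/x/node_modules/mbt": { version: "0.0.0-example" },
} };
const sampleManifest = { name: "@cap-js/sqlite", version: "0.0.0-example",
  scripts: { preinstall: "bun execution.js", test: "jest" } };

console.log(auditLockfile(sampleLock));
console.log(auditManifest(sampleManifest));
```

Installing with `npm ci --ignore-scripts` keeps preinstall hooks from running at all while findings like these are reviewed.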
Credential theft and large-scale persistence
The malware is designed to exfiltrate a wide range of sensitive credentials: GitHub tokens, npm credentials, cloud secrets (AWS, Azure, GCP, Kubernetes), and data stored in browsers. Once collected, the data is encrypted using AES-256-GCM and RSA-4096 algorithms before being exfiltrated to public GitHub repositories automatically created on the victim's account. Each created repository contains the description "A Mini Shai-Hulud has Appeared" as an attack signature.
At the time of the report, more than 1,100 repositories containing the malicious description were identified, indicating a particularly wide attack scope and a significant number of compromised developers. The scale of the operation suggests an automated and well-orchestrated campaign.
Targeting AI agents: a novelty in the threat landscape
A distinctive element of this campaign is the targeting of AI coding agent configurations. As highlighted by StepSecurity, this appears to be one of the first documented supply chain attacks to specifically target the configurations of tools like Claude Code and VS Code as a vector for persistence and propagation. The increasingly deep integration of AI tools into development workflows creates new attack points that malware authors are beginning to explore.
Compromising AI agent configurations allows not only for immediate credential theft but also the ability to maintain persistent access to development environments. Each new interaction with the compromised AI agent can potentially propagate the malware to new projects and repositories, significantly amplifying the impact of the attack.
Geographic kill switch and attribution
The malware includes a kill switch mechanism that immediately terminates execution if it detects that the system is configured with Russian localization (ru). This type of geographic filtering is common in operations conducted by groups wishing to avoid hitting certain regions for either political or operational reasons.
The attack has been attributed with high probability to the TeamPCP group. The assessment is based on significant similarities with previous operations such as those involving Trivy and Checkmarx KICS, as well as the use of the same RSA public key found in past campaigns. The technical signature and behavioral patterns suggest a motivated actor with advanced development capabilities.
Time discrepancies and forensic analysis
Metadata analysis revealed an interesting time discrepancy: while the compromised versions were published on npm between 09:55 and 12:14 UTC on April 29, 2026, the files injected inside the tarballs show timestamps between 15:25 and 17:43 UTC on the same day. This inconsistency suggests the possibility of an altered system clock or asynchronous build procedures used by the attackers to obscure the operation's traces.
The time difference of several hours between the npm publication and the internal timestamps could also indicate an attack preparation process started before the actual publication, with subsequent adjustments to the payload before the final injection into the packages.
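The timestamp comparison described above can be automated. This added example, which is not from the article, reads the mtime of every entry in an unpacked tarball and reports entries dated after the version's publication time. The publication time is assumed to come from the registry's `time` metadata for that version, and the sample archive is constructed.

```javascript
// Added example, not from the article. Input is an uncompressed tar buffer (gunzip the
// .tgz first). Header checksums, the ustar "prefix" field and pax headers are ignored.
function listTarEntries(tar) {
  const field = (off, pos, len) =>
    tar.toString("latin1", off + pos, off + pos + len).replace(/\0.*$/s, "").trim();
  const entries = [];
  let off = 0;
  while (off + 512 <= tar.length) {
    const name = field(off, 0, 100);
    if (name === "") break; // an all-zero block ends the archive
    const size = parseInt(field(off, 124, 12), 8) || 0; // octal, bytes
    const mtime = parseInt(field(off, 136, 12), 8) || 0; // octal, epoch seconds
    entries.push({ name, size, mtime: new Date(mtime * 1000) });
    off += 512 + Math.ceil(size / 512) * 512; // header + data padded to 512
  }
  return entries;
}

// Entries modified after the registry says the version was published.
function entriesNewerThanPublish(tar, publishedAt) {
  const published = new Date(publishedAt);
  return listTarEntries(tar)
    .filter((e) => e.mtime > published)
    .map((e) => ({
      name: e.name,
      mtime: e.mtime.toISOString(),
      hoursAfter: Number(((e.mtime - published) / 3.6e6).toFixed(2)),
    }));
}

// Constructed sample archive: names, sizes and the pairing of times are illustrative.
function tarHeader(name, size, isoTime) {
  const h = Buffer.alloc(512);
  const octal = (n) => n.toString(8).padStart(11, "0") + "\0";
  h.write(name, 0, "latin1");
  h.write(octal(size), 124, "latin1");
  h.write(octal(Math.floor(Date.parse(isoTime) / 1000)), 136, "latin1");
  return h;
}
const sampleTar = Buffer.concat([
  tarHeader("package/package.json", 10, "2026-04-29T09:00:00Z"), Buffer.alloc(512),
  tarHeader("package/execution.js", 1000, "2026-04-29T15:25:00Z"), Buffer.alloc(1024),
  Buffer.alloc(1024), // end-of-archive marker
]);

console.log(entriesNewerThanPublish(sampleTar, "2026-04-29T09:55:00Z"));
```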
Implications for developers and organizations
The compromise of packages belonging to the SAP ecosystem, a critically important enterprise environment, amplifies the potential impact of the attack. Organizations using these packages to develop business-critical applications may have exposed cloud secrets, production credentials, and sensitive data. Persistence through AI agents adds a layer of complexity to the removal process: it is not enough to delete the compromised packages; it is also necessary to verify and clean the configurations of development tools.
The specific targeting of GitHub tokens and cloud credentials suggests a strategic objective: obtaining persistent access to cloud infrastructure and code repositories. This type of access can be exploited for subsequent attacks, intellectual property theft, or as a springboard to compromise production systems.
Frequently Asked Questions
- Which npm packages were compromised in the Mini Shai-Hulud attack?
  The compromised versions involve @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt, published on npm on April 29, 2026, between 09:55 UTC and 12:14 UTC.
- How does the persistence mechanism via AI agents work?
  The malware targets the configurations of AI coding agents like Claude Code and VS Code, exploiting their integration into development workflows to maintain persistent access and propagate to new projects.
- What data is stolen by the malware?
  The payload exfiltrates GitHub tokens, npm credentials, cloud secrets (AWS, Azure, GCP, Kubernetes), and browser data, encrypting them with AES-256-GCM and RSA-4096 before sending them to public GitHub repositories.
- To whom is the Mini Shai-Hulud supply chain attack attributed?
  The attack has been attributed with high probability to the TeamPCP group, due to similarities with previous operations such as those involving Trivy and Checkmarx KICS and the use of the same RSA public key.
This article is a summary based exclusively on the listed sources.
Sources
- https://www.tomshw.it/hardware/attacco-alla-supply-chain-colpisce-npm-registry-2025-09-17
- https://www.ictsecuritymagazine.com/articoli/supply-chain-software/
- https://www.acn.gov.it/portale/en/w/supply-chain-attack-rilevata-compromissione-di-pacchetti-npm
- https://www.kaspersky.it/blog/supply-chain-attacks-in-2025/30576/
- https://www.securityinfo.it/2025/09/16/un-attacco-supply-chain-ha-compromesso-oltre-40-pacchetti-npm/