NPM Supply Chain Attack: Malware Hits Claude Code and VS Code

A new SAP npm package supply chain attack targets AI coding agent configurations. Discover how mini Shai-Hulud steals credentials and propagates.

On April 29, 2026, between 09:55 UTC and 12:14 UTC, a new malware campaign compromised npm packages in the SAP ecosystem, introducing one of the most innovative persistence techniques ever observed in supply chain attacks. The campaign, dubbed "mini Shai-Hulud," represents one of the first documented cases where AI coding agent configurations are exploited as a propagation and persistence vector.

The mini Shai-Hulud Attack Mechanism

Researchers from StepSecurity identified compromised npm packages associated with the development of SAP JavaScript and cloud applications. The malicious versions introduce a preinstall hook in the package.json file that automatically executes setup.mjs, a loader designed for the Bun JavaScript runtime. This mechanism allows malicious code to run during the package installation, before the developer can intervene.

According to Socket, the affected versions introduced new installation-time behavior that was not previously part of these packages' expected functionality. Furthermore, the malware implementation follows HTTP redirects without validating the destination and uses PowerShell with the -ExecutionPolicy Bypass flag on Windows systems, significantly increasing the risk for affected development and CI/CD environments.
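One way to catch the "new installation-time behavior" described above during a dependency update is to diff two package-lock.json files. This is an added example, not code from the article or from the vendors it cites. It assumes an npm lockfile of version 2 or 3, where hasInstallScript marks packages that declare install-time scripts; the package names and versions are constructed placeholders.

```javascript
// Lockfile v2/v3 sets hasInstallScript: true on entries whose package declares
// install-time lifecycle scripts (such as preinstall).
function installScriptPackages(lock) {
  const found = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== '' && meta.hasInstallScript) found.set(path, meta.version);
  }
  return found;
}

// Packages that run install scripts after the update but did not before it.
// previousVersion is null for a brand-new dependency; otherwise an existing
// dependency gained install-time behaviour in its new version.
function newInstallTimeBehavior(beforeLock, afterLock) {
  const before = installScriptPackages(beforeLock);
  const findings = [];
  for (const [path, version] of installScriptPackages(afterLock)) {
    if (before.has(path)) continue;
    const prev = (beforeLock.packages || {})[path];
    findings.push({ path, version, previousVersion: prev ? prev.version : null });
  }
  return findings;
}

// Constructed lockfile fragments; package names and versions are placeholders.
const SAMPLE_BEFORE = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/@example/cloud-sdk': { version: '1.4.0' },
  'node_modules/native-addon': { version: '2.0.0', hasInstallScript: true },
} };
const SAMPLE_AFTER = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/@example/cloud-sdk': { version: '1.4.1', hasInstallScript: true },
  'node_modules/native-addon': { version: '2.0.1', hasInstallScript: true },
  'node_modules/fresh-dep': { version: '0.1.0', hasInstallScript: true },
} };

console.log(newInstallTimeBehavior(SAMPLE_BEFORE, SAMPLE_AFTER));
```

Feed it the parsed package-lock.json from before and after a dependency update. Flagged entries can be reviewed while installing with npm ci --ignore-scripts, which keeps lifecycle scripts from running.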

Targeting AI Coding Agents: A Novelty in Supply Chain Attacks

The most significant aspect of this campaign lies in the malware's ability to specifically target the configurations of AI-assisted development tools. StepSecurity defined the attack as one of the first supply chain attacks to target AI coding agent configurations as a persistence and propagation vector.

The malware injects two specific configuration files: the .claude/settings.json file, which exploits the SessionStart hook of Claude Code, and the .vscode/tasks.json file with the runOn: folderOpen setting. These mechanisms guarantee malware persistence in the development environment, automatically reactivating every time the developer opens a project or starts a new session with the AI coding agent.

Exfiltration and Encryption of Stolen Data

The 11.6 MB malware payload has self-propagation capabilities through development and release workflows. Once active, the malware steals local developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud secrets from AWS, Azure, GCP, and Kubernetes. All exfiltrated data is encrypted using the AES-256-GCM algorithm, with the encryption key encapsulated via RSA-4096.

The RSA keys used to encrypt the secrets are the same as those used in the previous week's attack on the @bitwarden/cli package, suggesting an operational link between the two campaigns. Stolen data is exfiltrated to public GitHub repositories created on the victim's account, marked by the description A Mini Shai-Hulud has Appeared.

Impact and Distribution

Sources report slightly different numbers regarding the spread of the attack. According to StepSecurity, over 1,100 public repositories were created with stolen tokens, while GitGuardian identified 971 public repositories. GitGuardian specifies that the count grew from 847 to 1,006 during the writing of its report, indicating that the different figures reflect different points in time of the observation.

GitGuardian analysts identified 7 commits containing exposed GitHub tokens (prefix ghp_), all of which were still valid as of 16:46 EST on April 29. These same 7 compromised tokens are responsible for the creation of 936 repositories, representing 96% of the total identified across the top 6 GitHub accounts used for exfiltration.

Connection to Previous Operations

Wiz noted that the malicious packages exhibit characteristics consistent with previous TeamPCP operations, indicating likely action by the same threat actor. The malware also implements a fallback mechanism: in the absence of available tokens, it scans commits for the string OhNoWhatsGoingOnWithGitHub: to recover hidden credentials.

StepSecurity advises developers to check for suspicious .claude/settings.json and .vscode/tasks.json files in their projects, monitor their GitHub repository activity to identify unauthorized creations, and immediately revoke any exposed tokens.
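The check StepSecurity recommends can be scripted. The following is an added example, not code from the article or from StepSecurity: it lists every command that a .claude/settings.json SessionStart hook or a .vscode/tasks.json task with runOn: folderOpen would start automatically. The function names, sample files and sample commands are constructed for illustration.

```javascript
// tasks.json is JSONC: drop comments and trailing commas that sit outside strings.
function parseJsonc(text) {
  const keep = (m, tail) => (m[0] === '"' ? m : tail || '');
  return JSON.parse(text
    .replace(/"(?:\\.|[^"\\])*"|\/\/[^\n]*|\/\*[\s\S]*?\*\//g, (m) => keep(m))
    .replace(/"(?:\\.|[^"\\])*"|,(\s*[}\]])/g, keep));
}

// Claude Code: hooks.SessionStart holds groups, each with a hooks[] of command entries.
function claudeSessionStartCommands(cfg) {
  const groups = (cfg.hooks && cfg.hooks.SessionStart) || [];
  return groups.flatMap((g) => g.hooks || [])
    .filter((h) => h.type === 'command').map((h) => h.command);
}

// VS Code: a task with runOptions.runOn === "folderOpen" starts when the folder opens.
function vscodeFolderOpenCommands(cfg) {
  return (cfg.tasks || [])
    .filter((t) => t.runOptions && t.runOptions.runOn === 'folderOpen')
    .map((t) => [t.command, ...(t.args || []).map((a) => a.value || a)].join(' '));
}

// One finding per auto-run command; an unparseable file is reported, not skipped.
function auditConfig(path, text) {
  const p = path.replace(/\\/g, '/');
  const finder = p.endsWith('.claude/settings.json') ? claudeSessionStartCommands
    : p.endsWith('.vscode/tasks.json') ? vscodeFolderOpenCommands : null;
  if (!finder) return [];
  try {
    return finder(parseJsonc(text)).map((command) => ({ path, command }));
  } catch (err) {
    return [{ path, command: null, error: err.message }];
  }
}

// Constructed samples; the commands are placeholders, not taken from the malware.
const SAMPLE_CLAUDE = `{"hooks": {"SessionStart": [
  {"hooks": [{"type": "command", "command": "sh ./constructed-example.sh"}]}]}}`;
const SAMPLE_TASKS = `{
  // JSONC comment with a "quote"; note the trailing commas below
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm", "args": ["run", "build"]},
    {"label": "env", "type": "shell", "command": "sh", "args": ["./constructed-example.sh"],
     "runOptions": {"runOn": "folderOpen"}},
  ],
}`;
console.log(auditConfig('.vscode/tasks.json', SAMPLE_TASKS));
```

Both settings are legitimate features, so a finding is a prompt to review the command and how it entered the repository, not proof of compromise.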

Frequently Asked Questions

What is mini Shai-Hulud?
Mini Shai-Hulud is a malware campaign targeting npm packages in the SAP ecosystem, stealing developer credentials and exploiting AI coding agent configurations as a persistence vector.

Which AI coding agent configurations are affected?
The malware targets Claude Code configurations via the .claude/settings.json file with the SessionStart hook, and VS Code via .vscode/tasks.json with runOn: folderOpen.

How can I protect myself from the attack?
Check for suspicious configuration files in your projects, monitor GitHub repository activity for unauthorized creations, revoke exposed tokens, and use tools like npm audit to identify compromised packages.

This article is a summary based exclusively on the listed sources.

Sources