Skip to main content

Mini Shai-Hulud: The SAP Supply Chain Attack That Hit 1,800 Developer Repositories in Hours

On April 29, 2026, four official SAP npm packages were poisoned with credential-stealing malware. Within hours, over 1,800 developer repositories were compromised. Here is what happened, how it spread, and what every SAP development team needs to do now.

By TozenNews Editorial Team5 min read

Mini Shai-Hulud: The SAP Supply Chain Attack That Hit 1,800 Developer Repositories in Hours

On April 29, 2026, four official npm packages from the SAP development ecosystem were published in malicious versions. For roughly two to four hours, anyone running npm install against the wrong version pulled a credential-stealing payload straight into their developer workstation or CI/CD pipeline. By the time clean versions replaced the infected ones, more than 1,800 developer repositories had been compromised, with stolen credentials encrypted and uploaded to public GitHub accounts.

Researchers are calling it "Mini Shai-Hulud," a variant of the Shai-Hulud worm family that first emerged in late 2025. It is the first time this class of attack has reached directly into the SAP supply chain, and the implications extend well beyond the companies that use SAP's Cloud Application Programming Model.

What was compromised

The four poisoned packages were @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt. These are not obscure dependencies. The @cap-js packages are core building blocks of SAP's Cloud Application Programming Model (CAP), the standard framework for custom development on SAP Business Technology Platform (BTP). mbt is the Cloud MTA Build Tool, used in CI/CD pipelines that build and deploy Multi-Target Applications to both SAP BTP and on-premises systems. Together, these four packages receive roughly 572,000 weekly downloads.

The malicious versions introduced a preinstall hook that downloaded and executed a second-stage payload, encrypted with AES-256-GCM and wrapped with RSA-4096. The malware harvested GitHub tokens, npm credentials, GitHub Actions secrets, and cloud credentials from AWS, Azure, and Google Cloud. Stolen data was then uploaded to public GitHub repositories created on the victim's own account, each tagged with the hardcoded description "A Mini Shai-Hulud has Appeared."

How it spread beyond the initial attack

The attack did not stop at credential theft. Once the malware held tokens, it used them to republish infected versions of other packages the victim was authorized to maintain. This is a self-propagating worm by design. Within hours, more than a thousand repositories bearing the attacker's signature description were visible in a public GitHub search.

Security researchers at Wiz noted the malware scans actively for Kubernetes environments and HashiCorp Vault secrets, extracting AWS keys, GitHub and npm tokens, database connection strings, and API credentials for services including Stripe, Slack, and Twilio. The campaign expanded by May to hit over 160 packages across npm, PyPI, and PHP ecosystems. The Lightning Python package and intercom-client npm package were also compromised in the second wave, with a combined monthly download count of nearly 10 million. Attributions from both Wiz and Socket point to TeamPCP, the cybercrime group previously linked to compromises of Checkmarx, Bitwarden, Telnyx, and Aqua Security packages.

One detail that stood out to researchers: the payload checks for Russian locale on the host machine and exits without executing if it detects one, a behavior pattern also seen in recent Bitwarden and Checkmarx compromises. StepSecurity described the attack as "one of the first supply chain attacks to target AI coding agent configurations as a persistence and propagation vector," noting the malware injected malicious files into .claude/settings.json configurations.

Why enterprise SAP users face a different kind of risk

Traditional SAP security focuses on ABAP code, RFC connections, NetWeaver configurations, and segregation of duties. This attack bypassed all of that. It entered through the developer toolchain at the moment a developer or build agent ran npm install. SAP production systems were not directly compromised. But if stolen credentials included cloud service accounts, BTP deployment tokens, or CI/CD pipelines connected to production environments, the path from a developer laptop to live ERP data became very short.

For organizations managing hybrid SAP landscapes spanning on-premises and cloud, this attack surface expansion is not theoretical. Enterprise application security firms such as tozenlabs.com have been documenting this widening perimeter for months, particularly the exposure introduced when SAP custom development moves into BTP, CAP, and open-source build tooling. Securing SAP no longer stops at the production system. It now extends into how applications are built, tested, and shipped.

What to do right now

SAP released Security Note 3747787 on April 30, 2026, addressing the four compromised packages. Clean versions were published to supersede the infected releases. Organizations should upgrade to patched versions immediately and treat any developer machine or CI/CD runner that installed affected versions during the April 29 window as fully compromised.

Concrete steps: rotate npm tokens, GitHub credentials, GitHub Actions secrets, and cloud credentials across AWS, Azure, and GCP. Search GitHub for repositories with the description "A Mini Shai-Hulud has Appeared." Check commit histories for the author string "claude [email protected]" with the message "chore: update dependencies." Review CI/CD pipeline logs for unexpected workflow file additions. Pin exact npm package versions to block silent upgrades to future malicious releases.

The "mini" in Mini Shai-Hulud is misleading. The scope of the initial attack was contained. The pattern it establishes, attacking trusted packages in widely used enterprise development frameworks through automated publishing pipelines, is a template that will be reused. SAP development teams that treat this as someone else's problem are underestimating how much of their attack surface now lives outside the ABAP stack.

Filed under:Technology