Skip to main content

Inside the SAP Mini Shai-Hulud Attack: How Hackers Poisoned Enterprise npm Packages and Stole Developer Credentials

On April 29, 2026, threat group TeamPCP poisoned four core SAP npm packages used by 572,000 developers weekly, injecting credential-stealing malware that harvested GitHub tokens, cloud secrets, and CI/CD pipeline credentials. Here is what happened, how it worked, and what enterprise security teams need to do now.

By TozenNews Editorial Team4 min read

Inside the SAP Mini Shai-Hulud Attack: How Hackers Poisoned Enterprise npm Packages and Stole Developer Credentials

On April 29, 2026, for roughly two to four hours, anyone running npm install against four widely used SAP development packages pulled a credential-stealing payload directly into their workstation or CI/CD pipeline. The campaign — named "Mini Shai-Hulud" by its own operators — marks the first time the Shai-Hulud worm family reached directly into the SAP supply chain. The implications for enterprise security are still unfolding.

What was compromised and how

The four affected packages — @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt (the Cloud MTA Build Tool) — are not obscure dependencies. Together they receive around 572,000 weekly downloads. The @cap-js packages are core building blocks of SAP's Cloud Application Programming Model (CAP), the standard framework for custom development on SAP Business Technology Platform. The mbt tool is used in CI/CD pipelines that build and deploy Multi-Target Applications to SAP BTP and on-premises systems.

The attacker, attributed with high confidence to the TeamPCP threat group by Wiz, Socket, and Palo Alto Unit 42, exploited a misconfigured OIDC trusted-publisher rule on the SAP cap-js/cds-dbs repository. The rule trusted the entire repository rather than a specific workflow on a protected branch. That configuration error let the attacker extract short-lived npm publish tokens and push malicious package versions directly to the npm registry.

What the malware did

Each poisoned package added two files: setup.mjs and execution.js. A preinstall hook in package.json ran setup.mjs automatically during npm install. That script downloaded the Bun JavaScript runtime and executed execution.js — an 11.6 MB obfuscated credential stealer. The malware harvested local developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud credentials from AWS, Azure, GCP, and Kubernetes.

Stolen data was encrypted with AES-256-GCM, with the key wrapped using RSA-4096 and recoverable only by the attacker. Exfiltration went to public GitHub repositories created on the victim's own account, each tagged with the description "A Mini Shai-Hulud has Appeared." Within hours, over 1,000 such repositories were visible via public GitHub search.

The payload also established persistence. It committed malicious GitHub Actions workflows into every repository the victim's tokens could access, and modified .vscode/tasks.json and .claude/settings.json files so that opening any infected repository in VS Code or a Claude Code session would re-execute the malware. StepSecurity called this "one of the first supply chain attacks to target AI coding agent configurations as a persistence and propagation vector."

Why SAP systems are a high-value target

SAP software runs in over 440,000 organizations globally. A successful compromise of SAP developer environments does not just expose code — it exposes the credentials that build and deploy applications managing financial transactions, HR records, supply chain data, and production systems. The CAP framework packages sit at the boundary between developer workstations and production SAP infrastructure. As SecurityBridge SAP security specialist Joris van de Vis has noted, the attack surface of SAP systems no longer stops at ABAP, RFC, and the kernel. CAP, BTP, MTA, and the npm packages that build them are now part of that surface.

What organizations should do now

SAP released Security Note 3747787 on April 30, 2026. Organizations using the affected packages should pin exact npm versions, audit installed dependencies, and rotate any GitHub tokens, npm tokens, and cloud credentials accessible on or after April 29. Check for the attacker's signature indicators: repositories with the description "A Mini Shai-Hulud has Appeared," commits containing the string "OhNoWhatsGoingOnWithGitHub," and unexpected changes to .vscode/tasks.json or .claude/settings.json in repositories the team owns.

The broader lesson extends past this specific incident. As supply chain attacks increasingly target enterprise developer tooling — and AI coding agents become standard in those environments — organizations need visibility into both what packages their pipelines install and how AI agent configurations can be abused as persistence vectors. Platforms focused on AI-era enterprise security governance, such as tozenLabs, are working on the problem of securing the build pipeline itself, not just production systems. The risk perimeter has moved upstream, into the tools developers use every day.

Mini Shai-Hulud was small in scope relative to earlier Shai-Hulud waves. The pattern it established is not.

Filed under:Technology