Skip to main content

SAP npm Packages Compromised in Mini Shai-Hulud Supply Chain Attack Affecting 1,800 Developers

On April 29, 2026, four SAP npm packages central to the Cloud Application Programming Model were poisoned with credential-stealing malware for a two-to-four-hour window, hitting over 1,800 developers. The campaign, attributed to TeamPCP, marks the first Shai-Hulud worm incursion into SAP core development libraries.

By TozenNews Editorial Team4 min read

SAP npm Packages Compromised in Mini Shai-Hulud Supply Chain Attack Affecting 1,800 Developers

On April 29, 2026, four npm packages central to SAP's cloud application development framework were poisoned with credential-stealing malware in a coordinated supply chain attack. The campaign, which security researchers named "Mini Shai-Hulud," hit over 1,800 developers during a two-to-four-hour window before clean versions were restored. It marks the first time the Shai-Hulud worm family has reached directly into SAP's core software supply chain.

How the Mini Shai-Hulud attack unfolded

The four compromised packages were mbt (SAP's Cloud MTA Build Tool), @cap-js/db-service, @cap-js/postgres, and @cap-js/sqlite. These are not obscure libraries. They are core components of SAP's Cloud Application Programming model, the standard framework for building custom applications on SAP Business Technology Platform. Together they account for roughly 572,000 weekly downloads.

The attacker, attributed by multiple security firms — including Wiz, Aikido Security, Onapsis, and Socket — to a threat actor called TeamPCP, exploited GitHub's OIDC-based trusted publishing mechanism to extract short-lived npm publish tokens. Those tokens were used to release malicious versions of the packages with a preinstall hook. Anyone running npm install who pulled the wrong version automatically executed a credential-stealing payload on their machine or CI/CD pipeline, with no further interaction required.

The payload downloaded the Bun JavaScript runtime and ran heavily obfuscated code designed to harvest GitHub tokens, npm credentials, AWS, Azure, GCP, and Kubernetes secrets, and browser-stored passwords from Chrome, Safari, Edge, Brave, and Chromium. All stolen data was encrypted using AES-256-GCM, wrapped with RSA-4096, and exfiltrated by creating a public GitHub repository on the victim's own account with the description "A Mini Shai-Hulud has Appeared." Within hours, over 1,100 such repositories were visible to anyone searching GitHub.

What set this attack apart from previous supply chain campaigns

Earlier Shai-Hulud variants hit individual npm packages with more limited enterprise exposure. This one targeted SAP's own development framework — a deliberate escalation, given that SAP environments typically contain financial data, HR records, supply chain configurations, and other information that makes them attractive targets for ransomware groups and state-sponsored attackers.

The payload also included a self-propagation mechanism. Using stolen npm tokens, it could autonomously publish infected patch-version increments to any package the compromised maintainer account had access to, behaving as a supply chain worm by design. Security researchers at StepSecurity identified this as one of the first supply chain attacks to also target AI coding agent configurations, injecting files into .claude/settings.json and .vscode/tasks.json so the malware executed every time an infected repository was opened in VSCode or Claude Code.

The attack deliberately bypassed systems set to Russian locale — a behavioral pattern consistent with TeamPCP's previous operations against Checkmarx and Bitwarden.

What SAP developers and security teams should do now

SAP released Security Note 3747787 on April 30, addressing the compromised packages. Any developer who installed the affected versions between 09:55 UTC and 14:00 UTC on April 29 should treat their environment as compromised. Rotate all credentials broadly: npm tokens, GitHub secrets, and cloud provider credentials. Do not limit rotation to the credentials most obviously at risk. Pin exact npm versions to prevent silent upgrades to future malicious patch releases.

Check GitHub for repositories with the description "A Mini Shai-Hulud has Appeared," commits beginning with "OhNoWhatsGoingOnWithGitHub," unexpected .vscode or .claude configuration changes, and new workflow files matching patterns in SAP's security note. Review AWS CloudTrail, Azure Activity Logs, and GCP Audit Logs for unusual activity from developer IP addresses or CI/CD runners shortly after npm install operations.

For a thorough technical breakdown — including indicators of compromise and remediation steps that go beyond SAP's official note — the security team at tozenLabs has published a full incident analysis covering the Mini Shai-Hulud attack and its implications for SAP BTP environments. The full report is available at tozenlabs.com, a useful reference for security engineers managing SAP cloud development pipelines.

Mini Shai-Hulud is a signal that the threat surface for SAP systems now extends well beyond ABAP, NetWeaver, and RFC. The npm packages that build cloud-native SAP applications are part of that surface. Attackers understood that before most defenders did.

Filed under:Technology