5 Ways the “Mini Shai-Hulud” Worm Steals Your CI/CD Secrets

On April 29, 2026, security researchers at StepSecurity, Wiz, and Socket identified a highly sophisticated supply chain attack targeting the SAP developer toolchain. Dubbed “mini Shai-Hulud,” the campaign is a direct evolution of previous TeamPCP operations, now featuring a novel technical twist that allows it to slip past traditional Node.js security monitors.

By poisoning four core packages used in the SAP Cloud Application Programming (CAP) model, the attackers gained a “silent foothold” in enterprise CI/CD pipelines and developer workstations. The goal: total credential harvesting across GitHub, npm, and major cloud providers.


The Technical Twist: Evasion via the Bun Runtime

What makes “mini Shai-Hulud” distinct from its predecessors is its use of the Bun JavaScript runtime as an execution vehicle. Most security tools are tuned to monitor node.exe behavior; by using a different runtime, the malware operates in a “blind spot.”

The Attack Flow

  1. The Preinstall Hook: The compromised packages contain a modified package.json with a "preinstall": "node setup.mjs" script.
  2. The Bootstrapper: Upon npm install, setup.mjs executes. Instead of running the malware directly, it downloads a platform-specific Bun ZIP from GitHub Releases.
  3. The Execution: It extracts the Bun binary and uses it to launch a heavily obfuscated 11.6 MB payload named execution.js.

Credential Theft and “AI Agent” Hijacking

Once active, the execution.js payload acts as a systematic vacuum for sensitive data. It targets:

  • Cloud Secrets: Environment variables for AWS, Azure, and GCP, as well as Kubernetes service account tokens.
  • CI/CD Tokens: GitHub Actions secrets extracted directly from runner memory.
  • AI Coding Tools: In a first-of-its-kind move, the malware targets Claude Code and VS Code. It injects malicious hooks into .claude/settings.json and .vscode/tasks.json to ensure the malware re-executes whenever a developer opens a project.

The Exfiltration Signature: The stolen data is encrypted and posted to public GitHub repositories created on the victim’s own account. These repositories are easily identifiable by their hardcoded description: “A Mini Shai-Hulud has Appeared.”


Attribution: The TeamPCP Fingerprint

Researchers have attributed this campaign to TeamPCP (the group behind the March 2026 Trivy and Axios compromises) with high confidence. The malware contains a Russian-language geofencing check: if the system locale is set to ‘ru’, the payload prints “Exiting as russian language detected!” and terminates. This “home region exemption” is a classic hallmark of Eastern European cybercrime groups looking to avoid domestic law enforcement attention.


Affected Packages and Indicators of Compromise (IOCs)

SAP superseded these versions with clean releases within hours of discovery. If your package-lock.json contains the following versions, you must treat your environment as compromised.

Package Name          Compromised Version   Use Case
mbt                   1.2.48                SAP Cloud MTA Build Tool
@cap-js/sqlite        2.2.2                 SAP CAP SQLite Adapter
@cap-js/postgres      2.2.2                 SAP CAP Postgres Adapter
@cap-js/db-service    2.10.1                SAP CAP Database Service

Key IOCs:

  • File Hashes (setup.mjs): 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34
  • Network Behavior: Unusual outbound requests to github.com/oven-sh/bun (to download the runtime) during a standard npm install.
  • Filesystem: Presence of .claude/settings.json or .vscode/tasks.json with unauthorized “SessionStart” hooks.

Immediate Remediation Strategy

  1. Purge and Reinstall: Run rm -rf node_modules && npm cache clean --force and update to the latest “safe” versions of the affected packages.
  2. Rotate ALL Secrets: Because the malware harvests cloud and npm tokens, assume every secret touched by a compromised CI/CD runner or developer machine is compromised. Rotate AWS keys, npm automation tokens, and GitHub PATs immediately.
  3. Audit GitHub Repos: Search your organization for any public repositories with the description “A Mini Shai-Hulud has Appeared.”
  4. Block the Runtime: Use endpoint security to block the execution of the Bun binary in directories where it is not explicitly expected.

Conclusion: The New Baseline for Supply Chain Risk

The “mini Shai-Hulud” campaign proves that supply chain attacks are moving toward agentic persistence—abusing the very AI tools developers use to be more productive. As TeamPCP continues to refine its “wormable” propagation, pinning your dependencies and auditing preinstall scripts is no longer optional; it is a requirement for survival.
