A sophisticated supply chain attack has targeted the SAP developer ecosystem, hijacking official npm packages to deploy a self-propagating worm. Discovered on April 29, 2026, the campaign, dubbed “Mini Shai-Hulud” by researchers, poisoned critical libraries used in SAP’s Cloud Application Programming (CAP) model and Multi-Target Application (MTA) build tools.
The attack is particularly dangerous because it doesn’t wait for a developer to run code. Instead, it triggers automatically during npm install via a hidden preinstall script, targeting credentials for cloud platforms, GitHub, and even local AI coding tools like Claude Code and Cursor.
The Target: Compromised SAP Packages
The attackers managed to publish malicious versions of four widely used SAP-affiliated packages. These versions appear to have been published via compromised maintainer accounts, as they bypassed standard CI/CD provenance checks.
| Package | Malicious Version | Last Known Clean Version |
|---|---|---|
| mbt | 1.2.48 | 1.2.47 |
| @cap-js/sqlite | 2.2.2 | 2.2.1 |
| @cap-js/postgres | 2.2.2 | 2.2.1 |
| @cap-js/db-service | 2.10.1 | 2.10.0 |
How the Worm Operates: The “Bun” Bootstrap
Unlike typical Node.js malware, Mini Shai-Hulud avoids detection by downloading its own runtime.
- The Trigger: A `setup.mjs` script runs during the `preinstall` phase.
- The Runtime: It silently downloads Bun v1.3.13, a high-performance JavaScript runtime, to execute the main payload.
- The Payload: An 11.7 MB obfuscated file named `execution.js` is launched. By running inside Bun rather than Node, the malware may bypass some security tools designed to monitor standard Node.js process behavior.
Extensive Credential Harvesting
The worm scans the infected machine for a massive range of secrets, moving far beyond simple environment files:
- AI Coding Tools: It specifically hunts for configurations and session hooks in `.claude/settings.json` and `.vscode/tasks.json`.
- Cloud & Infrastructure: It queries AWS, Azure, and Google Cloud metadata services, sweeps Kubernetes service account tokens, and reads local SSH private keys.
- CI/CD Memory: On Linux hosts, it attempts to read `/proc/{pid}/mem` to scrape GitHub Actions secrets directly from memory.
- Propagation: If it finds a GitHub token with “workflow” permissions, it attempts to inject itself into the victim’s own repositories, creating a self-sustaining infection chain.
Indicators of Compromise (IoCs)
If you believe you have interacted with these packages, look for the following “red flags” on your system:
- GitHub Repositories: Any repository on your account with the description “A Mini Shai-Hulud has Appeared.”
- Malicious Files: A file named `execution.js` (approx. 11MB) or `setup.mjs` located in `.claude/` or other hidden project directories.
- Network Traffic: Outbound connections to GitHub “dead-drop” repositories containing encrypted JSON blobs.
- Suspicious Commits: Commits titled `chore: update dependencies` or authored by `claude <claude@users.noreply.github.com>`.
Remediation: Resetting the Trust
If a compromised version was installed, treat the host and all stored secrets as fully compromised.
- Uninstall & Clean: Remove the affected packages and reinstall the clean versions using the `--ignore-scripts` flag: `npm install @cap-js/sqlite@2.2.1 --ignore-scripts`
- Rotate ALL Secrets: This includes npm publish tokens, GitHub PATs, AWS/Azure/GCP keys, and SSH keys.
- Audit GitHub Workflows: Check for a newly created `.github/workflows/format-check.yml` file, which the worm often uses to exfiltrate data.
- SAP Note: Consult SAP Note 3747787 for official vendor-specific guidance.
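The repository-side indicators in the IoC list (commit author, commit subject, repository description) and the workflow-file audit in the remediation steps above can be checked from ordinary `git log` and repository-listing output. The script below is an added example (not code from the article or from SAP): it parses the output of `git log --format='%H%x1f%an%x1f%ae%x1f%s' --name-only`, flags commits that match the published indicators, grades them so that a subject-only match (which humans write all the time) is not escalated on its own, and checks a list of repository descriptions. The log text and repository list embedded in it are constructed samples with placeholder commit hashes; nothing here contacts GitHub.

```javascript
// Added example (not code from the article or SAP): triage git history and
// repository metadata against the IoCs published for Mini Shai-Hulud.

// Indicators taken from the article.
const IOC_AUTHOR_EMAIL = "claude@users.noreply.github.com";
const IOC_COMMIT_SUBJECT = "chore: update dependencies";
const IOC_WORKFLOW_FILE = ".github/workflows/format-check.yml";
const IOC_REPO_DESCRIPTION = "A Mini Shai-Hulud has Appeared.";

// Parses output of: git log --format='%H%x1f%an%x1f%ae%x1f%s' --name-only
// Header lines carry the \x1f (unit separator) field delimiter; every other
// non-empty line is a file path touched by the most recent header's commit.
function parseGitLog(text) {
  const commits = [];
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.trimEnd();
    if (line.includes("\x1f")) {
      const [sha, authorName, authorEmail, subject] = line.split("\x1f");
      current = { sha, authorName, authorEmail, subject, files: [] };
      commits.push(current);
    } else if (line !== "" && current !== null) {
      current.files.push(line);
    }
  }
  return commits;
}

// Returns the list of IoC matches for one commit.
function commitIndicators(commit) {
  const reasons = [];
  if (commit.authorEmail === IOC_AUTHOR_EMAIL) reasons.push("author email matches IoC");
  if (commit.subject === IOC_COMMIT_SUBJECT) reasons.push("subject matches IoC");
  if (commit.files.includes(IOC_WORKFLOW_FILE)) reasons.push(`touches ${IOC_WORKFLOW_FILE}`);
  return reasons;
}

// The subject line alone is a weak signal; the author identity or the
// injected workflow file is what should trigger the remediation steps.
function severity(reasons) {
  const strong = reasons.some((r) => !r.startsWith("subject"));
  return strong ? "high" : "low";
}

// Commits worth a human look, in log order, with reasons and severity.
function triageGitLog(text) {
  return parseGitLog(text)
    .map((c) => ({ ...c, reasons: commitIndicators(c) }))
    .filter((c) => c.reasons.length > 0)
    .map((c) => ({ ...c, severity: severity(c.reasons) }));
}

// Repositories whose description matches the IoC. Input shape follows
// `gh repo list --json name,description`; whitespace and case are ignored.
function flagRepos(repos) {
  const wanted = IOC_REPO_DESCRIPTION.trim().toLowerCase();
  return repos
    .filter((r) => (r.description || "").trim().toLowerCase() === wanted)
    .map((r) => r.name);
}

// Constructed sample log (placeholder hashes, not real commits).
const SAMPLE_LOG = [
  `${"1".repeat(40)}\x1fclaude\x1fclaude@users.noreply.github.com\x1fchore: update dependencies`,
  "",
  ".github/workflows/format-check.yml",
  "package-lock.json",
  "",
  `${"2".repeat(40)}\x1fAlice Example\x1falice@example.com\x1fAdd unit tests`,
  "",
  "test/app.test.js",
  "",
  `${"3".repeat(40)}\x1fBob Example\x1fbob@example.com\x1fchore: update dependencies`,
  "",
  "package-lock.json",
].join("\n");

// Constructed sample repository listing.
const SAMPLE_REPOS = [
  { name: "cap-demo", description: "Demo CAP application" },
  { name: "cap-demo-fork", description: "A Mini Shai-Hulud has Appeared." },
  { name: "notes", description: null },
];

console.log("flagged commits:", triageGitLog(SAMPLE_LOG));
console.log("flagged repos:", flagRepos(SAMPLE_REPOS));
```

To run it against a real repository, pipe `git log --format='%H%x1f%an%x1f%ae%x1f%s' --name-only` into `triageGitLog`, and feed the parsed JSON from `gh repo list --json name,description` to `flagRepos`. A `high` result on any commit is the cue to follow the remediation list in full, including secret rotation, rather than simply deleting the workflow file.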