The campaign, which the group internally refers to as “Mini Shai Hulud,” compromises packages by embedding malicious preinstall scripts that execute silently during routine dependency installation.
Researchers at Wiz found that malicious versions of legitimate SAP Cloud Application Programming (CAP) packages, including @cap-js/sqlite (v2.2.2), @cap-js/postgres (v2.2.2), @cap-js/db-service (v2.10.1), and mbt (v1.2.48), had been modified to include a preinstall hook.
When npm runs that hook, the dropper it invokes (setup.mjs) downloads the Bun JavaScript runtime and uses it to execute an obfuscated second-stage payload (execution.js), giving the attacker code execution before the package installation has even completed.
Multi-Stage Payload and Credential Theft
The second-stage payload targets both developer workstations and CI/CD pipelines, harvesting GitHub tokens, npm credentials, AWS, Azure and GCP cloud secrets, Kubernetes tokens, and GitHub Actions secrets, including secrets extracted directly from runner memory.
All stolen data is encrypted and exfiltrated to attacker-controlled GitHub repositories using the GraphQL API, with repository names following a consistent word1-word2-number naming scheme and repo descriptions labeled “Checkmarx Configuration Storage.”
This campaign introduces several technical evolutions compared to previous TeamPCP operations.
Most significantly, GitHub-based exfiltration is now the primary mechanism rather than a fallback, and the operation shifts from the REST API to the GraphQL API for posting encrypted payloads.
The malware also introduces a fallback for when no GitHub Personal Access Token (PAT) or OAuth token is found but GITHUB_REPOSITORY is set, as it is by default on GitHub Actions runners: in that case it attempts to poison the victim's repository by planting malicious files aimed at Claude Code and VS Code users.
Additionally, this is the first TeamPCP operation to include browser credential theft, targeting Chrome, Safari, Edge, Brave, and Chromium password stores, a capability absent in all prior campaigns.
During initialization, the malware inspects system locale settings and environment language variables.
If any value begins with ru, the payload immediately terminates without exfiltrating any data, a regional guardrail consistent with previous TeamPCP operations targeting the Checkmarx KICS and Bitwarden ecosystems.
Wiz researchers attributed the campaign to TeamPCP with high confidence, citing a shared RSA public key used to encrypt exfiltrated secrets across multiple operations, meaning the same private key decrypts all stolen payloads.
Additional overlaps include identical encoding routines, the same npm install hook execution method used in the Bitwarden CLI compromise, and consistent region-based exit logic.
While the campaign references prior Shai-Hulud operations from late 2025, researchers stop short of definitively linking them. Key attribution indicators include:
- __decodeScrambledCipher: the same proprietary encoding routine reused across the Bitwarden and SAP payloads.
- Russian locale exit: the payload calls process.exit(0) if the system locale starts with ru.
- Identical setup.mjs dropper: SHA256 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34 across all four packages.
- Consistent C2 pattern: npm preinstall hook + GitHub dead-drop + IDE config poisoning, repeated across all TeamPCP campaigns.
Affected Packages
| Package | Malicious Version |
|---|---|
| @cap-js/sqlite | v2.2.2 |
| @cap-js/postgres | v2.2.2 |
| @cap-js/db-service | v2.10.1 |
| mbt | v1.2.48 |
Developers using these package versions should immediately rotate all exposed credentials, audit CI/CD pipeline secrets, and scan environments for indicators of compromise.
Organizations should enforce dependency integrity checks and restrict outbound GitHub API access from build environments.
The post SAP npm Packages Compromised to Steal Developers, CI/CD Secrets appeared first on Cyber Security News.
