Attackers Weaponize SAP npm Packages to Steal GitHub, Cloud, and AI Coding Tool Secrets

A new supply chain attack is targeting the SAP developer ecosystem through poisoned npm packages.

The campaign uses a malicious worm called “Mini Shai-Hulud,” which runs silently before any npm install completes and steals credentials from developer machines, cloud platforms, and AI coding tools.

The attack hit four official SAP-published packages: mbt, @cap-js/sqlite, @cap-js/postgres, and @cap-js/db-service.

When a developer or CI pipeline runs npm install on a compromised version, a hidden preinstall script called setup.mjs fires before installation finishes.

That script downloads the Bun JavaScript runtime and executes an 11.7 MB obfuscated payload named execution.js, which carries out credential theft without touching Node.js at all.

Endor Labs analysts identified the malware as a direct descendant of the original Shai-Hulud worm documented in April 2025.

The researchers noted that Mini Shai-Hulud shares the same Bun v1.3.13 runtime bootstrap, the same custom cipher family (ctf-scramble-v2), and the same PBKDF2 key (5012caa5847ae…) as the earlier campaign.

These shared markers confirm the same threat actor is running a fresh campaign against SAP’s CAP and MTA developer ecosystem with a narrower credential surface and a different propagation keyword.

The four packages sit in the dependency trees of CAP-based applications used broadly across SAP BTP. Any developer who installed a compromised version on a machine holding cloud credentials or GitHub tokens should treat every secret on that host as fully exposed.

| Package | Malicious Version | Last Clean Version |
|---|---|---|
| mbt | 1.2.48 | 1.2.47 |
| @cap-js/sqlite | 2.2.2 | 2.2.1 |
| @cap-js/postgres | 2.2.2 | 2.2.1 |
| @cap-js/db-service | 2.10.1 | 2.10.0 |
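
To check whether a project resolved one of the versions in the table above, its package-lock.json can be audited directly, including transitive installs. The following is an added example, not code from the article or from Endor Labs; the function name and the sample lockfile are constructed for illustration, and only the package names and versions come from the table.

```python
import json
import sys

# Malicious versions exactly as listed in the article's table.
COMPROMISED = {
    "mbt": "1.2.48",
    "@cap-js/sqlite": "2.2.2",
    "@cap-js/postgres": "2.2.2",
    "@cap-js/db-service": "2.10.1",
}

def find_compromised(lock):
    """Return sorted (location, name, version) hits from a parsed package-lock.json."""
    hits = []
    if "packages" in lock:
        # lockfileVersion 2/3: flat map keyed by install path,
        # e.g. "node_modules/a/node_modules/@cap-js/sqlite".
        for path, meta in lock["packages"].items():
            name = meta.get("name") or path.rpartition("node_modules/")[2]
            if name in COMPROMISED and meta.get("version") == COMPROMISED[name]:
                hits.append((path, name, meta["version"]))
    else:
        # lockfileVersion 1: nested "dependencies" tree, walked iteratively.
        stack = [("", lock.get("dependencies", {}))]
        while stack:
            trail, deps = stack.pop()
            for name, meta in deps.items():
                where = f"{trail} > {name}" if trail else name
                if name in COMPROMISED and meta.get("version") == COMPROMISED[name]:
                    hits.append((where, name, meta["version"]))
                stack.append((where, meta.get("dependencies", {})))
    return sorted(hits)

# Constructed sample lockfile (lockfileVersion 3), not taken from a real project.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-cap-app", "version": "1.0.0"},
        "node_modules/@cap-js/db-service": {"version": "2.10.0"},
        "node_modules/@cap-js/sqlite": {"version": "2.2.2"},
        "node_modules/@cap-js/sqlite/node_modules/@cap-js/db-service": {"version": "2.10.1"},
        "node_modules/mbt": {"version": "1.2.47"},
    },
}

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for where, name, version in find_compromised(lock):
        print(f"COMPROMISED {name}@{version} at {where}")
```

A clean lockfile today does not prove the host was never exposed if a compromised version was installed and later replaced, so pair this with CI install logs for the affected window.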

How the Worm Collects and Exfiltrates Credentials

The payload runs five credential harvesters in parallel. The first targets npm tokens by scanning .npmrc files in the user home, project root, and CI environment variables.

Collected tokens are validated against the npm registry API to confirm publish rights, since only publish-capable tokens allow worm replication.

The second and third collectors sweep GitHub and cloud credentials. On Linux hosts, the payload reads /proc/{pid}/mem to pull GitHub Actions in-memory secrets.

It also scans AWS credential files, queries GetCallerIdentity for IAM context, sweeps Google Cloud Secret Manager, reads Kubernetes service account JSON files, and collects Azure Key Vault credentials.

The fourth collector targets AI coding tools. The payload checks 136 hardcoded paths for Claude Code settings (project/.claude/settings.json) and VS Code task files (project/.vscode/tasks.json), along with Cursor IDE state, shell history, .env files, and SSH private keys.

In CI environments, it sweeps across more than 25 platforms including Jenkins, Travis, and Azure Pipelines.

| Path | Indicator |
|---|---|
| project/.claude/execution.js | 11.6 MB persistence copy of payload |
| project/.claude/settings.json | SessionStart hook present |
| project/.vscode/tasks.json | folderOpen trigger pointing to .claude/ |
| project/.github/workflows/format-check.yml | Injected credential exfiltration workflow |

All collected data is encrypted with AES-256-GCM and the key is wrapped with the attacker’s RSA-4096 public key before uploading to a GitHub dead-drop repository created from the victim’s own stolen account.

If any compromised version was installed, treat the event as a full credential compromise. Uninstall each affected package and reinstall the clean version using the --ignore-scripts flag.

Search all projects on the affected machine for execution.js files over 5 MB, .claude/settings.json files with a SessionStart hook, and any format-check.yml workflow your team did not author.
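
The search described above can be run as a single sweep over a directory of projects. This is an added example, not code from the article; it assumes the SessionStart hook sits under a top-level "hooks" key in settings.json and that the folderOpen trigger appears inside a task in tasks.json, and the authored_workflows parameter is a hypothetical allow-list of format-check.yml paths your team wrote.

```python
import json
import os
import sys

SIZE_LIMIT = 5 * 1000 * 1000  # the article's threshold: "over 5 MB"

def parse_json(path):
    """Return (parsed or None, raw text); tasks.json is often JSONC and may not parse."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        return json.loads(text), text
    except OSError:
        return None, ""
    except ValueError:
        return None, text

def scan_tree(root, authored_workflows=()):
    """Return sorted (relative path, reason) pairs for the indicators named in the article."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        parts = dirpath.split(os.sep)
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name == "execution.js":
                # isfile() is False for broken symlinks, so getsize() cannot raise here.
                if os.path.isfile(path) and os.path.getsize(path) > SIZE_LIMIT:
                    hits.append((rel, "execution.js over 5 MB"))
            elif name == "settings.json" and parts[-1] == ".claude":
                doc, text = parse_json(path)
                hooks = doc.get("hooks") if isinstance(doc, dict) else None
                parsed_hit = isinstance(hooks, dict) and "SessionStart" in hooks
                if parsed_hit or (doc is None and "SessionStart" in text):
                    hits.append((rel, "SessionStart hook present"))
            elif name == "tasks.json" and parts[-1] == ".vscode":
                doc, text = parse_json(path)
                tasks = doc.get("tasks") if isinstance(doc, dict) else None
                # Serialise each task so the trigger and the path are matched per task.
                auto = [s for s in map(json.dumps, tasks or []) if '"folderOpen"' in s]
                if any(".claude/" in s for s in auto) or (
                        doc is None and "folderOpen" in text and ".claude/" in text):
                    hits.append((rel, "folderOpen task referencing .claude/"))
            elif name == "format-check.yml" and parts[-2:] == [".github", "workflows"]:
                if rel not in authored_workflows:
                    hits.append((rel, "format-check.yml not on the authored list"))
    return sorted(hits)

if __name__ == "__main__":
    for rel, reason in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}: {rel}")
```

Files that fail to parse as JSON fall back to a plain text match, so a hit on a commented tasks.json should be confirmed by reading the file.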

Revoke all secrets from the affected host, including npm publish tokens, GitHub PATs, AWS IAM keys, Google Cloud service account credentials, Azure client secrets, SSH private keys, and all .env file contents.

For long-term defense, scope npm OIDC trusted publishing to a specific workflow file on a specific branch, not the entire repository.

Enforce --ignore-scripts in CI installs and review lifecycle hooks during dependency audits. The detection window was roughly two hours, meaning reactive takedowns are not a reliable protection on their own.

The post Attackers Weaponize SAP npm Packages to Steal GitHub, Cloud, and AI Coding Tool Secrets appeared first on Cyber Security News.
