Attackers Weaponize SAP npm Packages to Steal GitHub, Cloud, and AI Coding Tool Secrets

What happened

A supply chain attack targeting the SAP developer ecosystem has poisoned four official SAP npm packages with a credential-stealing worm called Mini Shai-Hulud. The affected packages are mbt version 1.2.48, @cap-js/sqlite version 2.2.2, @cap-js/postgres version 2.2.2, and @cap-js/db-service version 2.10.1. These packages sit in the dependency trees of SAP Cloud Application Programming model applications used broadly across SAP Business Technology Platform.

The attack executes through a hidden preinstall script named setup.mjs that fires before npm install completes. The script downloads the Bun JavaScript runtime and executes an 11.7 MB obfuscated payload named execution.js, which runs five credential harvesters in parallel targeting npm tokens, GitHub credentials, cloud platform credentials across AWS, GCP, and Azure, Kubernetes service account files, and AI coding tool configurations. The AI tool targeting is notably specific, checking 136 hardcoded paths for Claude Code settings and VS Code task files alongside Cursor IDE state, shell history, environment files, and SSH private keys. In CI environments, the payload sweeps more than 25 platforms including Jenkins, Travis, and Azure Pipelines.

On Linux hosts, the payload reads /proc/{pid}/mem to extract GitHub Actions in-memory secrets. All collected data is encrypted with AES-256-GCM, wrapped with an attacker RSA-4096 public key, and uploaded to a GitHub dead-drop repository created from the victim’s own stolen account. Endor Labs identified Mini Shai-Hulud as a direct descendant of the original Shai-Hulud worm from April 2025, sharing the same Bun runtime bootstrap, cipher family, and PBKDF2 key, confirming the same threat actor is running a fresh, narrower campaign against SAP’s developer ecosystem.

Who is affected

SAP developers and CI/CD pipelines that installed any of the four compromised package versions are directly exposed. Given that these packages are dependencies in CAP-based applications across SAP BTP, the affected population extends beyond individual developers to enterprise environments running SAP cloud workloads. Any machine where a compromised version was installed should be treated as a full credential compromise across every secret present on that host.

Why CISOs should care

The Mini Shai-Hulud campaign demonstrates continued escalation in supply chain attack sophistication. The preinstall execution hook fires before installation completes, meaning the payload runs even if a developer cancels the install or reviews the package afterward. The detection window was approximately two hours, confirming that reactive takedowns cannot be relied upon as a primary defense. The specific targeting of AI coding tool configurations, including Claude Code and Cursor IDE, reflects threat actors adapting to the rapid adoption of AI-assisted development environments and the credentials those tools store.

3 practical actions

1. Immediately uninstall compromised package versions and reinstall clean versions using the –ignore-scripts flag: For each of the four affected packages, downgrade to the last clean version and use –ignore-scripts during reinstallation to prevent any preinstall hooks from executing. Search affected machines for execution.js files over 5 MB, .claude/settings.json files containing a SessionStart hook, and any format-check.yml workflow not authored by your team.
2. Revoke all secrets from any host where a compromised version was installed: Treat the event as a full credential compromise. Revoke npm publish tokens, GitHub personal access tokens, AWS IAM keys, Google Cloud service account credentials, Azure client secrets, SSH private keys, and all environment file contents present on affected machines, regardless of whether exfiltration has been confirmed.
3. Enforce –ignore-scripts in all CI/CD npm installs and scope OIDC trusted publishing to specific workflow files: The preinstall hook is the attack’s execution mechanism. Enforcing –ignore-scripts in CI environments blocks this class of attack at the pipeline level. Additionally, scope npm OIDC trusted publishing to a specific workflow file on a specific branch rather than the entire repository to limit the blast radius if publish tokens are compromised.