Several cybersecurity firms including **Aikido Security**, **Onapsis**, **OX Security**, **SafeDep**, **Socket**, **StepSecurity**, and **Wiz** (owned by **Google**) have reported on a new supply chain attack campaign targeting **SAP**-related npm Packages with credential-stealing malware. ### Affected Packages The 'Mini Shai-Hulud' campaign has compromised the following packages associated with **SAP's** JavaScript and cloud application development ecosystem: * [email protected] * @cap-js/[email protected] * @cap-js/[email protected] * @cap-js/[email protected] **Socket** stated, "The affected versions introduced new installation-time behavior that was not previously part of these packages' expected functionality. The compromised releases added a preinstall script that acts as a runtime bootstrapper, downloading a platform-specific Bun ZIP from GitHub Releases, extracting it, and immediately executing the extracted Bun binary." The implementation also follows HTTP redirects without validating the destination and uses **PowerShell** with `-ExecutionPolicy Bypass` on **Windows**, increasing the risk for affected developer and CI/CD environments. ### Attribution and Tactics **Wiz** noted that the malicious packages share features with previous **TeamPCP** operations, suggesting the same threat actor is behind the campaign. The suspicious versions were published on April 29, 2026, between 09:55 UTC and 12:14 UTC. The poisoned packages introduce a new `package.json` preinstall hook that executes `setup.mjs`, acting as a loader for the Bun JavaScript runtime to execute the credential stealer and propagation framework (`execution.js`). According to **Aikido**, the malware harvests local developer credentials, **GitHub** and npm tokens, **GitHub** Actions secrets, and cloud secrets from **AWS**, **Azure**, **GCP**, and **Kubernetes**. The stolen data is encrypted and exfiltrated to public **GitHub** repositories created on the victim's account, labeled "A Mini Shai-Hulud has Appeared." Over 1,100 such repositories have been identified.  The 11.6 MB payload self-propagates through developer and release workflows, using **GitHub** and npm tokens to inject a malicious **GitHub** Actions workflow into victim repositories, stealing repository secrets and publishing poisoned npm package versions. ### Key Differences from Previous Shai-Hulud Waves * All exfiltrated data is encrypted with AES-256-GCM, encapsulating the key using RSA-4096 with a public key embedded in the payload. * It exits on Russian-locale systems. * The payload commits itself into every accessible **GitHub** repository by injecting a `.claude/settings.json` file that abuses **Claude Code's** SessionStart hook and a `.vscode/tasks.json` file with `"runOn": "folderOpen"` setting, ensuring execution upon opening in **Microsoft Visual Studio Code (VS Code)** or **Claude Code**. **StepSecurity** noted, "This is one of the first supply chain attacks to target AI coding agent configurations as a persistence and propagation vector." **Wiz** also pointed out the check for Russian locale, previously seen in the **Checkmarx** and **Bitwarden** compromises, adding the attack uses a **TeamPCP**-linked shared RSA public key to encrypt exfiltrated secrets. **Wiz** researchers highlighted, "The **SAP** operation adds the ability to steal credentials from multiple browsers (**Chrome**, **Safari**, **Edge**, **Brave**, **Chromium**) and exfiltrate any passwords found there. This feature was not present in any of the previous operations. GitHub-based exfiltration to Dune-themed repos was the fallback C2 method for the **Bitwarden** CLI operation but is now the primary option." ### Root Cause Analysis Analysis reveals that the attackers compromised **RoshniNaveenaS's** account for the three `@cap-js` packages, pushing a modified workflow to a non-main branch and using the extracted npm OIDC token to publish malicious packages without provenance. For mbt, compromise of the `cloudmtabot` static npm token is suspected. **SafeDep** stated, "The cds-dbs team migrated to npm OIDC trusted publishing in November 2025. Under this setup, GitHub Actions can request a short-lived npm token without storing any long-lived secrets in the repository. The attacker reproduced this exchange manually in a CI step and printed the resulting token." They added, "The critical configuration gap: npm’s OIDC trusted publisher configuration for @cap-js/sqlite trusted any workflow in cap-js/cds-dbs, not just the canonical release-please.yml on main. A branch push could exchange an OIDC token on behalf of the package if the workflow had id-token: write permission and the environment: npm reference." ### Remediation The maintainers of the packages have released new safe versions that supersede the compromised releases: * sqlite: [v2.4.0](https://github.com/cap-js/cds-dbs/releases/tag/sqlite-v2.4.0), [v2.3.0](https://github.com/cap-js/cds-dbs/releases/tag/sqlite-v2.3.0) * postgres: [v2.3.0](https://github.com/cap-js/cds-dbs/releases/tag/postgres-v2.3.0), [v2.2.2](https://github.com/cap-js/cds-dbs/releases/tag/postgres-v2.2.2) * hana: [v2.8.0](https://github.com/cap-js/cds-dbs/releases/tag/hana-v2.8.0), [v2.7.2](https://github.com/cap-js/cds-dbs/releases/tag/hana-v2.7.2) * db-service: [v2.10.1](https://github.com/cap-js/cds-dbs/releases/tag/db-service-v2.10.1) * mbt: [v1.2.49](https://github.com/SAP/cloud-mta-build-tool/releases/tag/v1.2.49) **OX Security** researchers Moshe Siman Tov Bustan and Nir Zadok concluded, "This campaign illustrates once again how GitHub is becoming the C2 infrastructure of choice for data exfiltration. Blocking github.com is not a realistic option for most development teams, and tracing exfiltration back to a specific threat actor domain becomes nearly impossible when GitHub is the delivery mechanism."