Back

Mini Shai-Hulud Supply Chain Attack Targets SAP npm Packages

Severity: High (Score: 70.5)

Sources: Cybersecuritynews, Gbhackers, Infosecurity-Magazine, socket.dev, securitylabs.datadoghq.com

Summary

A new supply chain attack, dubbed 'Mini Shai-Hulud', has compromised multiple npm packages related to SAP's Cloud Application Programming Model (CAP). This attack involves injecting malicious preinstall scripts into legitimate packages, which execute during installation to steal sensitive credentials from developers and CI/CD environments. The malware collects data such as GitHub tokens, npm credentials, and cloud secrets, exfiltrating them via public GitHub repositories. Researchers have linked this campaign to the TeamPCP threat actor group, known for similar tactics in previous attacks. At least four SAP-related npm packages have been confirmed as compromised, with the malicious payload being designed to propagate further across the npm ecosystem. The attack is ongoing, and organizations are advised to review their environments for affected packages and rotate any exposed secrets. Key Points: • The 'Mini Shai-Hulud' attack targets SAP npm packages, injecting malicious scripts. • Stolen credentials include GitHub tokens and cloud secrets, exfiltrated via GitHub. • The campaign is linked to TeamPCP, known for similar supply chain attacks.

Key Entities

  • Apt37 (apt_group)
  • FAMOUS CHOLLIMA (apt_group)
  • Reaper (apt_group)
  • TeamPCP (apt_group)
  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • Worm (attack_type)
  • Bitwarden CLI Attack (campaign)
  • Bitwarden CLI Compromise (campaign)
  • Mini Shai Hulud (campaign)
  • Mut-4831 (campaign)
  • PromptMink (campaign)
  • Mini Shai-Hulud (malware)
  • Shai-hulud (malware)
  • Shai-hulud 2.0 (malware)
  • Arkei (malware)
  • CanisterWorm (malware)
  • Bitwarden (tool)
  • GitHub Actions (tool)
  • Node.js (tool)
  • Npm (tool)
  • Bun (tool)
  • Namastex Labs (company)
  • SAP (company)
  • AWS (company)
  • Azure (company)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • CWE-798 - Use of Hard-coded Credentials (cwe)
  • namastex.ai (domain)
  • 00ca0c04d247ef09f2b2acc452029345 (md5)
  • dbb9b09957113463bbeb420c2c4108b5 (md5)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1027 - Obfuscated Files Or Information (mitre_attack)
  • T1036 - Masquerading (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • CircleCI (platform)
  • GCP (platform)
  • GitHub (platform)
  • Kubernetes (platform)
  • Linux (platform)
  • 7b0278216ac31ec18eca9eb8bc1c1261a1b26f6c (sha1)
  • ff7ed7a0fa1c43eed01809d076feedbaed464fc7 (sha1)
  • 14eb4ce01dd4307759887ff819359b70d7d9ff709ecde039a5abc1aac325b128 (sha256)
  • 927387d0cfac1118df4b383decc2ea6ba49c9d2f98b47098bcbcba1efc026e1f (sha256)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed