Mini Shai-Hulud Supply Chain Attack Targets SAP npm Packages

Mini Shai-Hulud Supply Chain Attack Targets SAP npm Packages

First seen 29 Apr 2026, 16:02 UTC BleepingcomputerCsoonlineScmagazineSonatypeAikido.Dev+239 85% similarity 70.5

Article Content

Browse articles
ThreatCluster

A new supply chain attack, dubbed 'Mini Shai-Hulud', has compromised multiple npm packages related to SAP's Cloud Application Programming Model (CAP). This attack involves injecting malicious preinstall scripts into legitimate packages, which execute during installation to steal sensitive credentials from developers and CI/CD environments. The malware collects data such as GitHub tokens, npm credentials, and cloud secrets, exfiltrating them via public GitHub repositories. Researchers have linked this campaign to the TeamPCP threat actor group, known for similar tactics in previous attacks. At least four SAP-related npm packages have been confirmed as compromised, with the malicious payload being designed to propagate further across the npm ecosystem. The attack is ongoing, and organizations are advised to review their environments for affected packages and rotate any exposed secrets.

Key Points: • The 'Mini Shai-Hulud' attack targets SAP npm packages, injecting malicious scripts. • Stolen credentials include GitHub tokens and cloud secrets, exfiltrated via GitHub. • The campaign is linked to TeamPCP, known for similar supply chain attacks.

ThreatCluster AI

Timeline

2026-04-21
Malicious versions of SAP-related packages first published.
2026-04-28
Detection of malicious npm packages in SAP ecosystem.
2026-04-29
Attack details published by multiple security researchers.

Community

Browse all →