Back

Mini Shai-Hulud Targets SAP npm Packages with Credential Stealing Malware

Severity: High (Score: 69.0)

Sources: Blog.Gitguardian, Cybersecuritynews, www.aikido.dev, Aikido.Dev

Summary

Aikido researchers have identified a new malware campaign targeting SAP's npm packages, specifically through a compromised package that introduces a preinstall hook. This hook executes a setup.mjs file that downloads the Bun JavaScript runtime to run an obfuscated payload named execution.js, which is an 11.7 MB credential stealer. The malware collects sensitive information, including GitHub personal access tokens and cloud secrets from AWS, Azure, GCP, and Kubernetes. It exfiltrates the stolen data through public GitHub repositories, naming them with Dune-themed titles. The attack is notable for its ability to adapt to CI environments and its use of previously seen RSA keys from another attack. GitGuardian has reported multiple exposed tokens, which remain active. The malware's propagation mechanism involves modifying GitHub Actions workflows to spread further within the SAP ecosystem. Key Points: • Malware targets SAP npm packages, leveraging a preinstall hook for execution. • It steals sensitive credentials and exfiltrates data via public GitHub repositories. • The attack utilizes previously seen RSA keys from a recent @bitwarden/cli incident.

Key Entities

  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • Bitwarden CLI Attack (campaign)
  • Mini Shai Hulud (campaign)
  • Shai-hulud (malware)
  • Mini Shai-Hulud (malware)
  • Bitwarden (tool)
  • GitHub Actions (tool)
  • Node.js (tool)
  • Npm (tool)
  • Bun (tool)
  • SAP (company)
  • AWS (company)
  • Azure (company)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1059.006 - Python (mitre_attack)
  • T1059.007 - JavaScript (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1195 - Supply Chain Compromise (mitre_attack)
  • GCP (platform)
  • GitHub (platform)
  • Kubernetes (platform)
  • SAP CAP (platform)
  • SAP Cloud MTA (platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed