
Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware

Published:

29 April 2026 at 15:14:27

Alert date:

29 April 2026 at 16:02:38

Source:

wiz.io


Supply Chain & Dependencies, Ransomware & Malware, Data Breach & Exfiltration

A supply chain campaign dubbed 'Mini Shai Hulud' targets SAP npm packages with credential-stealing malware. The campaign reuses the Shai-Hulud methodology: compromise published npm packages so that installing them executes malicious code. This wave focuses specifically on SAP-related packages in the npm ecosystem. Organizations are advised to detect and mitigate the malicious package versions. This is an active supply chain threat against enterprise software dependencies.

Technical details

The 'Mini Shai Hulud' campaign compromised SAP-related npm packages by injecting malicious preinstall scripts that run during dependency installation. The attack uses a multi-stage payload: first, a preinstall script executes setup.mjs, which downloads the Bun runtime and uses it to run an obfuscated payload (execution.js). The second-stage payload is a credential stealer aimed at developer workstations and CI/CD pipelines; it collects GitHub tokens, npm credentials, cloud secrets (AWS, Azure, GCP), Kubernetes tokens, and GitHub Actions secrets. The malware also carries propagation logic and exfiltrates the collected data as encrypted payloads pushed to public GitHub repositories. It has a region guardrail that terminates execution if Russian language settings are detected.

Mitigation steps:

Immediately identify exposure: Search environments, lockfiles, artifact stores, and CI logs for affected package versions and malicious files (setup.mjs, execution.js)
Rotate all credentials: If exposure is suspected, rotate GitHub tokens, npm tokens, cloud credentials, Kubernetes tokens, and CI/CD secrets
Audit GitHub activity: Look for suspicious commits, newly created repositories, or indicators such as the propagation keyword and unusual commit authors
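To operationalize the first mitigation step, here is an added example (not part of the Wiz advisory or of the affected projects' code) that checks a lockfile for the affected name/version pairs and flags package.json install hooks that invoke the named dropper files. The package names, versions and file names come from this advisory; the sample lockfile and manifest are constructed.

```javascript
// Affected name/version pairs and dropper file names as listed in the advisory.
const AFFECTED = { '@cap-js/sqlite': ['2.2.2'], '@cap-js/postgres': ['2.2.2'],
  '@cap-js/db-service': ['2.10.1'], mbt: ['1.2.48'] };
const MALICIOUS_FILES = ['setup.mjs', 'execution.js'];

// Lockfile v2/v3 keys look like "node_modules/foo/node_modules/@cap-js/sqlite";
// the package name is everything after the last "node_modules/".
function nameFromLockKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Every installed package whose name/version pair is on the affected list.
// Only lockfile v2/v3 ("packages" map) is handled; v1 "dependencies" is not.
function findAffectedInLock(lock) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // root project entry, not a dependency
    const name = nameFromLockKey(key);
    if ((AFFECTED[name] || []).includes(entry.version)) {
      hits.push({ name, version: entry.version, path: key });
    }
  }
  return hits;
}

// Install-time lifecycle hooks in a package.json that reference a dropper file.
function suspiciousScripts(manifest) {
  const findings = [];
  for (const [hook, cmd] of Object.entries(manifest.scripts || {})) {
    if (!/^(pre|post)?install$/.test(hook)) continue;
    for (const file of MALICIOUS_FILES) {
      if (String(cmd).includes(file)) findings.push({ hook, file });
    }
  }
  return findings;
}

// Constructed sample data: a lockfile pinning two affected versions and a
// manifest mimicking the preinstall hook described in the advisory.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'my-app', version: '1.0.0' },
  'node_modules/@cap-js/sqlite': { version: '2.2.2' },
  'node_modules/@cap-js/postgres': { version: '2.1.0' },
  'node_modules/mbt': { version: '1.2.48' },
} };
const SAMPLE_MANIFEST = { scripts: { preinstall: 'node setup.mjs', test: 'mocha' } };

const report = { affected: findAffectedInLock(SAMPLE_LOCK),
  scripts: suspiciousScripts(SAMPLE_MANIFEST) };
console.log(JSON.stringify(report, null, 2));
```

For a real scan, replace SAMPLE_LOCK with the parsed contents of your package-lock.json and run suspiciousScripts over each node_modules/*/package.json.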

Affected products:

@cap-js/sqlite v2.2.2
@cap-js/postgres v2.2.2
@cap-js/db-service v2.10.1
mbt v1.2.48

Related links:

Related CVEs:

Related threat actors:

IOCs:


This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
