A Mini Shai-Hulud has Appeared: Obfuscated Bun Runtime Payloads Hit SAP-Related npm Packages

Published:

29 April 2026 at 12:21:21

Alert date:

29 April 2026 at 13:01:49

Source:

stepsecurity.io

Supply Chain & Dependencies, Enterprise Applications

StepSecurity discovered a new npm supply chain attack campaign called Shai-Hulud that uses preinstall hooks to download the Bun JavaScript runtime and execute an 11 MB obfuscated payload. The attack targets SAP-ecosystem packages, with at least two confirmed compromised packages identified so far. The campaign demonstrates sophisticated supply chain attack techniques by leveraging legitimate JavaScript runtime environments to deliver malicious payloads. The obfuscated nature of the payload and its large size suggest a complex attack framework. This represents an active threat to organizations using SAP-related npm packages in their development environments.

Technical details

Mitigation steps:

Affected products:

npm
SAP ecosystem packages
Bun JavaScript runtime

Related links:

Related CVEs:

Related threat actors:

IOCs:

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
