A Mini Shai-Hulud Has Appeared: Obfuscated Bun Runtime Payloads Hit SAP-Related npm Packages

Published:

4 May 2026 at 17:20:04

Alert date:

4 May 2026 at 18:09:25

Source:

stepsecurity.io

Supply Chain & Dependencies, Enterprise Applications

StepSecurity discovered a new npm supply chain attack campaign called Shai-Hulud that uses preinstall hooks to download the Bun JavaScript runtime and execute an 11 MB obfuscated payload. The campaign specifically targets SAP-related npm packages, and at least two SAP-ecosystem packages have been confirmed as compromised so far. It is an active supply chain threat to organizations using the affected npm packages. Because the malicious code is executed by the Bun runtime that the hook downloads, it runs at install time, before any code from the package is imported.

Technical details

Mitigation steps:

Affected products:

npm
SAP-related packages
Bun JavaScript runtime

Related links:

Related CVEs:

Related threat actors:

IOCs:

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.