216.73.217.64

Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware

· Published 30/04/2026 00:12 · Modified 30/04/2026 07:47

Export JSON

Essential information

Published
30/04/2026 00:12
Modified
30/04/2026 07:47
Tags
2026-04-30 ci/cd compromise credential-theft github exfiltration mini shai hulud npm packages sap ecosystem supply chain attack
Related entities
10 observables, 1 intrusion sets (apt), 17 techniques (mitre), 1 malware, 1 others

Description

A supply chain operation dubbed '' compromised SAP-related by injecting malicious preinstall scripts that execute during installation. The campaign leverages multi-stage payloads to harvest developer and CI/CD secrets from GitHub, npm, and major cloud providers, exfiltrating data via attacker-controlled GitHub repositories. Malicious versions of legitimate packages execute obfuscated payloads that collect GitHub tokens, npm credentials, cloud secrets from AWS, Azure and GCP, Kubernetes tokens, and GitHub Actions secrets. The malware includes propagation logic to infect additional repositories and features browser credential theft capabilities. It performs language checks to avoid Russian-speaking systems. Attribution points to TeamPCP based on shared RSA public keys and overlapping techniques from previous operations.

External references