Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware
Essential information
- Published
- 30/04/2026 00:12
- Modified
- 30/04/2026 07:47
- Tags
- 2026-04-30 ci/cd compromise credential-theft github exfiltration mini shai hulud npm packages sap ecosystem supply chain attack
- Related entities
- 10 observables, 1 intrusion sets (apt), 17 techniques (mitre), 1 malware, 1 others
Description
A supply chain operation dubbed 'Mini Shai Hulud' compromised SAP-related npm packages by injecting malicious preinstall scripts that execute during installation. The campaign leverages multi-stage payloads to harvest developer and CI/CD secrets from GitHub, npm, and major cloud providers, exfiltrating data via attacker-controlled GitHub repositories. Malicious versions of legitimate SAP ecosystem packages execute obfuscated payloads that collect GitHub tokens, npm credentials, cloud secrets from AWS, Azure and GCP, Kubernetes tokens, and GitHub Actions secrets. The malware includes propagation logic to infect additional repositories and features browser credential theft capabilities. It performs language checks to avoid Russian-speaking systems. Attribution points to TeamPCP based on shared RSA public keys and overlapping techniques from previous operations.