Mini Shai-Hulud: Understanding the SAP Supply Chain Malware

Mini Shai-Hulud is a malware campaign that targeted the software supply chain for SAP cloud development by injecting malicious code into specific npm packages. Active for a few hours on April 29, 2026, the attack was designed to steal sensitive credentials, including GitHub tokens, npm tokens, and cloud credentials from developers using these tools.

This incident represents a significant software supply chain attack against the SAP ecosystem, exploiting the trust developers place in open-source packages. The malware, a variant of the “Shai-Hulud” worm, was embedded in four npm packages related to the SAP Cloud Application Programming Model (CAP) and Multi-Target Applications (MTA). Upon installation, it used automation features in popular code editors and pre-install scripts to execute a payload that harvested credentials and exfiltrated them by creating public GitHub repositories. This advisory details the attack, lists the affected packages, and provides clear remediation steps for developers and organizations to secure their environments.

Key Takeaways

  • Targeted Supply Chain Attack: Mini Shai-Hulud specifically targeted SAP developers via malicious npm packages.
  • Credential Theft: The primary goal was to steal GitHub tokens, npm tokens, and cloud credentials.
  • Four Packages Compromised: Specific versions of @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt were affected.
  • Immediate Action Required: Organizations must check for compromised systems, remove malicious packages, and rotate all potentially exposed credentials.
  • Highlights Open-Source Risk: The attack underscores the need for governance over open-source dependencies in enterprise development.

Which SAP npm Packages Were Affected?

The Mini Shai-Hulud malware was found in specific versions of four npm packages commonly used in SAP cloud development. On April 30, SAP released SAP Security Note 3747787 in response to the discovery. The packages were available in the compromised state for approximately two to four hours on April 29, 2026.

Package Name          Malicious Version
@cap-js/sqlite        v2.2.2
@cap-js/postgres      v2.2.2
@cap-js/db-service    v2.10.1
mbt                   v1.2.48

These packages are connected to the SAP Cloud Application Programming Model (CAP) and are used to build service layers, APIs, and extensions for various SAP solutions on the SAP Business Technology Platform (BTP).

How Does the Mini Shai-Hulud Attack Work?

The attack was initiated when a developer installed one of the compromised npm packages, triggering a malicious preinstall script. The malware used several mechanisms to execute its payload and remain persistent.

  • Automated Execution: The malware added malicious configuration files like .vscode/tasks.json and .claude/settings.json. These files were configured to automatically execute code when a developer opened the project folder in VS Code or started a Claude Code session.
  • Payload Download: The initial script downloaded the Bun JavaScript runtime, which was then used to run a large, obfuscated 11.2 MB JavaScript file (execution.js) with full user privileges. Using Bun instead of Node.js helped bypass some security tools focused on Node.
  • Credential Theft: The primary payload scanned the developer’s machine for sensitive credentials, including GitHub tokens, npm tokens, cloud credentials (AWS, Azure, GCP), Kubernetes configurations, and SSH keys.
  • Data Exfiltration: Stolen data was encrypted and exfiltrated by creating new public repositories on the victim’s own GitHub account, often with descriptions like “A Mini Shai-Hulud has Appeared”.
  • Propagation: In continuous integration (CI) environments, the malware attempted to tamper with release pipelines to exfiltrate npm OIDC credentials and publish more trojanized packages, demonstrating worm-like behavior.

What Are the Recommended Actions?

If you suspect exposure, take immediate and decisive action to contain the threat and secure your environment. Do not open potentially compromised project directories in code editors until they have been verified.

How to Check if Your System is Compromised

You can run a command in your shell (outside of any IDE) to check for the presence of the malicious setup files. The presence of either file indicates a compromised system.

Execute the following command:
ls path/to/cds-dbs/.claude/setup.mjs path/to/cds-dbs/.vscode/setup.mjs 2>/dev/null

If this command returns any file paths, treat the system as compromised and begin incident response procedures.

Remediation and Security Steps

  • Isolate and Verify: Identify all developer workstations, build agents, and CI/CD pipelines where the affected npm packages or versions might have been installed.
  • Remove or Upgrade: Remove the compromised packages or upgrade them to clean, verified versions.
  • Rotate Credentials: Immediately rotate all credentials that may have been exposed. This includes GitHub tokens, npm tokens, cloud service credentials, CI/CD pipeline secrets, and any service account credentials.
  • Audit Repositories and Logs:
      ◦ Review GitHub repositories for suspicious commits, unexpected workflow changes, or the presence of .vscode/tasks.json and .claude/settings.json files.
      ◦ Audit CI/CD logs, npm install activity, GitHub token usage, and cloud access logs around the time of the suspected exposure.
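The check command above looks in one fixed project path and only for the two setup.mjs files. As an added example (not from the advisory, SAP, or Layer Seven Security), the POSIX shell script below generalizes it: it walks an entire workspace for every indicator file this advisory names, including copies shipped inside node_modules, and compares installed package versions against the four compromised versions in the table above, which also covers the "Remove or Upgrade" and "Audit Repositories" steps. The function names, the script file name, and the constructed package.json files in the usage are my own; the indicator paths and the name/version pairs are taken from this page.

```shell
#!/bin/sh
# Added example, not part of the advisory: scan a checkout or a whole workspace for the
# Mini Shai-Hulud indicator files the advisory names and for the four compromised versions.
# Usage (from a plain shell, not an IDE terminal): sh scan_mini_shai_hulud.sh /path/to/workspace

# Indicator files named in the advisory, relative to a project or package root.
IOC_FILES=".claude/setup.mjs .vscode/setup.mjs .vscode/tasks.json .claude/settings.json"

# Compromised name@version pairs from the advisory's table.
BAD_PACKAGES="@cap-js/sqlite@2.2.2 @cap-js/postgres@2.2.2 @cap-js/db-service@2.10.1 mbt@1.2.48"

# Print every indicator file found anywhere under $1 (hidden directories and node_modules
# included, since a trojanized package ships the files itself). Exit status 1 if any found.
# Assumes file names contain no newlines; spaces are handled by IFS= read -r.
scan_ioc_files() {
    dir=$1
    hits=0
    for f in $IOC_FILES; do
        while IFS= read -r path; do
            [ -n "$path" ] || continue
            echo "IOC file: $path"
            hits=$((hits + 1))
        done <<EOF
$(find "$dir" -type f -path "*/$f" 2>/dev/null)
EOF
    done
    [ "$hits" -eq 0 ]
}

# Read the "version" field of a package.json without requiring jq or node.
package_version() {
    sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Report every installed copy of an affected package; flag it when the installed version
# equals a compromised one. Nested installs (foo/node_modules/@cap-js/sqlite) are covered
# because find walks the whole tree. Exit status 1 if any compromised copy was found.
scan_bad_packages() {
    dir=$1
    hits=0
    for entry in $BAD_PACKAGES; do
        name=${entry%@*}          # "@cap-js/sqlite@2.2.2" -> "@cap-js/sqlite"
        bad_version=${entry##*@}  # "@cap-js/sqlite@2.2.2" -> "2.2.2"
        while IFS= read -r pkg; do
            [ -n "$pkg" ] || continue
            installed=$(package_version "$pkg")
            if [ "$installed" = "$bad_version" ]; then
                echo "COMPROMISED: $name@$installed at ${pkg%/package.json}"
                hits=$((hits + 1))
            else
                echo "ok: $name@$installed at ${pkg%/package.json}"
            fi
        done <<EOF
$(find "$dir" -type f -path "*/node_modules/$name/package.json" 2>/dev/null)
EOF
    done
    [ "$hits" -eq 0 ]
}

# Run both scans over $1. A non-zero exit means: treat the host as compromised, do not open
# the directory in an editor, and start incident response including credential rotation.
scan_workspace() {
    status=0
    scan_ioc_files "$1" || status=1
    scan_bad_packages "$1" || status=1
    return $status
}

# When invoked with a path argument, scan it and exit with the scan's status.
if [ $# -gt 0 ]; then
    scan_workspace "$1"
    exit $?
fi
```

A clean exit only means none of the listed indicators were present at scan time; it does not prove the package was never installed, so the audit of CI/CD logs, npm install activity, and token usage from the list above still applies, and any host that returns a hit should have all of its credentials rotated regardless of what else the scan shows.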

What Does This Attack Mean for Software Supply Chain Security?

The Mini Shai-Hulud campaign is a clear illustration of the growing risks associated with software supply chain attacks in modern SAP development. Instead of directly targeting SAP systems, the attackers targeted the open-source tools and libraries that developers trust.

This incident highlights that risk is not confined to an organization’s custom code but extends to all third-party and open-source dependencies. Malicious code can enter an organization through development tools, libraries, and automated build pipelines, creating an indirect path to sensitive data and systems. It reinforces the critical need for robust governance over open-source dependencies, package sources, CI/CD security, and developer credential management.

In contrast, the Cybersecurity Extension for SAP from Layer Seven Security is developed as a completely closed-source solution, which avoids the risks associated with public package ecosystems and open-source components.

Frequently Asked Questions (FAQ)

What is Mini Shai-Hulud?
Mini Shai-Hulud is a malware campaign that targeted SAP developers through a software supply chain attack. It involved injecting malicious, credential-stealing code into four widely used npm packages related to SAP cloud development.

What was the goal of the Mini Shai-Hulud malware?
The primary goal was to steal sensitive credentials from developers, including GitHub and npm tokens, as well as secrets for cloud platforms like AWS, Azure, and GCP.

Which npm packages were affected by Mini Shai-Hulud?
The compromised packages were @cap-js/sqlite (v2.2.2), @cap-js/postgres (v2.2.2), @cap-js/db-service (v2.10.1), and mbt (v1.2.48).

How do I check if I was affected by this attack?
Run the command ls path/to/cds-dbs/.claude/setup.mjs path/to/cds-dbs/.vscode/setup.mjs 2>/dev/null in a shell. If it returns a file path, your system should be considered compromised, and you must begin incident response, including rotating all credentials.
