Cybersecurity researchers are sounding the alarm about a new supply chain attack campaign targeting SAP-related npm packages with data-stealing malware.
According to reports from Aikido Security, SafeDep, Socket, StepSecurity, and Google-owned Wiz, the campaign – which calls itself the younger Shai-Hulud – affected the following packages associated with SAP’s JavaScript and cloud application development ecosystem –
- mbt@1.2.48
- @cap-js/db-service@2.10.1
- @cap-js/postgres@2.2.2
- @cap-js/sqlite@2.2.2
“The affected versions introduced new installation-time behavior that was not part of the expected functionality of these packages,” Socket said. “The vulnerable release added a preinstalled script that acts as a runtime bootstrapper, downloading a platform-specific Bun ZIP from a GitHub release, extracting it, and immediately signing the extracted Bun binary.”
“The implementation also follows HTTP redirects without validating the destination and uses PowerShell with -ExecutionPolicy Bypass on Windows, increasing the risk to affected developer and CI/CD environments.”
Wiz noted that the malicious packages match several characteristics present in previous TeamPCP operations, indicating that the same threat actor may be behind the latest campaign.
Suspicious versions were published on April 29, 2026, between 09:55 UTC and 12:14 UTC. Toxic packages introduce a package.json preinstallation hook that uses a file named “setup.mjs,” which serves as a loader for the Bun JavaScript runtime to execute the validation hacker and the distribution framework (“execution.js”).
According to Aikido, the malware is designed to harvest local developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud secrets from AWS, Azure, GCP, and Kubernetes. The stolen data is encrypted and released to public GitHub repositories created on the victim’s account with the description “Mini Shai-Hulud Appears.” As of writing, there are more than 1,100 annotated storage locations.
In addition, the 11.6 MB download comes with the ability to self-distribute developer and release workflows, specifically using GitHub tokens and npm to inject malicious GitHub Actions workflows into victim repositories to steal repository secrets and publish poisoned versions of npm packages to the registry.
However, the latest incident is quite different from the previous Shai-Hulud waves –
- All encrypted data is encrypted with AES-256-GCM and includes a key using RSA-4096 with the public key embedded in the payload, making it clear only to an attacker.
- Available on Russian-locale systems.
- The payload commits itself to every accessible GitHub repository by injecting a “.claude/settings.json” file that abuses Claude Code’s SessionStart hook and a “.vscode/tasks.json” file with “runOn”: “folderOpen” settings so that any attempt to open the infected malware repository in Microsoft Code (ViV Code) is killed.
“This is one of the first supply chain attacks targeting AI code agent configuration as a continuous vector propagation,” StepSecurity said.
Further root analysis revealed that the attackers compromised the RoshniNaveenaS account for three “@cap-js” packages, followed by pushing a modified workflow to a non-master branch and using the issued OIDC token to publish malicious packages anonymously. As for mbt, it is suspected to involve corruption of the npm static token “cloudmtabot” via an undetermined channel.
“The cds-dbs team moved to the npm OIDC trusted release in November 2025,” SafeDep said. “Under this setup, GitHub Actions can request a temporary npm token without storing any long-lived secrets in the repository. The attacker reproduced this exchange with a CI step and printed the resulting token.”
“Important configuration gap: npm’s OIDC reliable publisher configuration for @cap-js/sqlite relies on any workflow in cap-js/cds-dbs, not just the canonical release-please.yml primary. Branch push can replace the OIDC token with the package name if the workflow has a write id and environment token.”
In response to this incident, package maintainers have released new secure versions that replace the corrupted release –
