At 09:55 UTC yesterday, a threat actor calling itself TeamPCP published malicious versions of four widely-used SAP-ecosystem npm packages — mbt, @cap-js/db-service, @cap-js/sqlite and @cap-js/postgres. The campaign, named "Mini Shai-Hulud" in homage to last November's larger Shai-Hulud worm, finished publishing by 12:14 UTC. By the time most European developers got home from work, the malicious versions had already been fetched into thousands of CI runners and developer laptops.
The package itself is short: a package.json preinstall hook calls setup.mjs, which downloads and unpacks the Bun JavaScript runtime, then executes execution.js — a credential stealer compiled into a single self-contained Bun binary. What makes this attack the most "2026" attack we have seen is what execution.js does after it finishes stealing.
1. The three things every dev should do before lunch
First, audit what you have. Run npm ls mbt @cap-js/db-service @cap-js/sqlite @cap-js/postgres in every project. If any version of these packages published between 09:55 and 12:14 UTC on April 29 made it into your package-lock.json, treat the host as compromised: rotate every npm token, GitHub PAT, AWS/Azure/GCP key, and SSH key that was loadable from that machine.
Second, check for persistence. Search every cloned repo on the machine for newly-added .claude/settings.json, .vscode/tasks.json with "runOn": "folderOpen", and .cursor/rules files. Mini Shai-Hulud commits these into every git repo it can write to, abusing Claude Code's SessionStart hook and VS Code's folder-open task as re-execution triggers. Open the wrong repo in your editor next Monday and the malware re-runs.
Third, search GitHub. The exfiltration path is novel: the malware creates a public repository on the victim's own GitHub account with the description "A Mini Shai-Hulud has Appeared" and pushes the encrypted stolen secrets there. Search your org for that exact description. If it exists, you have an answer to the question "did we get hit."
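The first two checks above as a script (an added example, not code from the article or the vendors it cites): it walks a directory of cloned repos and reports the editor and agent re-execution files named in the text, plus any package-lock.json entry for the four packages. The finding labels and the lockfile v2/v3 layout are assumptions of this example; the page gives no affected version numbers, so versions are printed for manual comparison.

```python
import json, os, re, sys
from pathlib import Path

# Package names from the article. The page lists no version numbers, so hits
# are reported with their version for comparison against the advisories.
PACKAGES = ("mbt", "@cap-js/db-service", "@cap-js/sqlite", "@cap-js/postgres")
# Text match rather than json.loads: tasks.json is often JSON with comments.
RUN_ON_OPEN = re.compile(r'"runOn"\s*:\s*"folderOpen"')

def _read(path):
    try:
        return path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return ""

def lockfile_hits(lock_path):
    """Return sorted (name, version) pairs for listed packages in a lockfile."""
    try:
        # lockfile v2/v3 keys look like "node_modules/@cap-js/sqlite"
        pkgs = json.loads(_read(lock_path)).get("packages", {})
        hits = [(k.rpartition("node_modules/")[2], m.get("version", "?")) for k, m in pkgs.items()]
    except (ValueError, AttributeError):
        return []  # unreadable, not JSON, or not the v2/v3 layout
    return sorted(h for h in hits if h[0] in PACKAGES)

def scan(root):
    """Walk root and return sorted (kind, relative_path, detail) findings."""
    root, found = Path(root), []
    for d, dirs, files in os.walk(root):
        dirs[:] = [x for x in dirs if x not in (".git", "node_modules")]
        here = Path(d)
        rel = lambda p: p.relative_to(root).as_posix()
        claude, tasks, cursor = here / ".claude/settings.json", here / ".vscode/tasks.json", here / ".cursor/rules"
        if claude.is_file():
            detail = "defines SessionStart" if "SessionStart" in _read(claude) else "no SessionStart"
            found.append(("claude-settings", rel(claude), detail))
        if tasks.is_file() and RUN_ON_OPEN.search(_read(tasks)):
            found.append(("vscode-task", rel(tasks), "runOn folderOpen"))
        if cursor.exists():
            found.append(("cursor-rules", rel(cursor), "present"))
        if "package-lock.json" in files:
            lock = here / "package-lock.json"
            found += [("lockfile", rel(lock), f"{n}@{v}") for n, v in lockfile_hits(lock)]
    return sorted(found)

if __name__ == "__main__":
    for finding in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding, sep="\t")
```

Each finding is a lead for review with git log on that path, not a verdict: legitimate repos also carry these files.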
2. Why this is the OWASP 2026 story in miniature
The 2026 OWASP Top 10 (released this month after a four-year gap) keeps SQL injection at #1 and Broken Authentication at #2, but the rising star of the new list is the merger of "Vulnerable and Outdated Components" with "Software and Data Integrity Failures" into one expanded category — and Mini Shai-Hulud is the textbook example. Every OWASP control failed in sequence here: integrity check on transitive dependencies (none), provenance attestation (none), package pinning beyond major version (frequently absent), credential scoping (most npm tokens are full-write), and developer machine isolation (most engineers run installs as their daily user). The CIA triad (confidentiality, integrity and availability) collapses all at once: confidential secrets exfiltrated, integrity of the developer's repos compromised, availability of CI/CD broken once tokens are revoked.
3. The new persistence playbook
The bigger story is the use of AI coding agent configurations as a persistence vector. As StepSecurity put it: this is one of the first supply chain attacks to weaponize AI coding agent files for re-execution. Expect to see this pattern repeated through 2026. Defensive guidance is starting to converge: treat .claude/, .cursor/, .windsurf/, .github/copilot-instructions.md and AGENTS.md files as security-relevant assets — review every change in PRs, the same way you would review changes to Dockerfile or CI pipelines. Pin transitive dependencies, install with npm's --ignore-scripts flag in CI, and only allow scripts to run for an explicit allow-list of packages. Use short-lived OIDC tokens for npm publish and GitHub Actions; never store long-lived NPM_TOKEN in environments that touch arbitrary code.
My Take
The original Shai-Hulud worm taught the npm community that supply chain attacks could self-propagate. Mini Shai-Hulud teaches us something slightly different: the developer's editor is now part of the supply chain. The same AGENTS.md and .claude/settings.json files that make AI coding agents more useful are now the files that make supply chain malware more persistent. The defense is not to abandon AI coding agents — that train left — but to start treating their configuration the way we already treat secrets: scoped, reviewed, signed, and never trusted by default.
Sources
- SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack — The Hacker News
- Supply Chain Campaign Targets SAP npm Packages — Wiz Blog
- Mini Shai-Hulud Targets SAP npm Packages — Aikido
- Bun-Based Stealer Hits SAP CAP npm Packages — Snyk
- OWASP Top 10 — 2026 Released After Four Years — GBHackers