On April 29, 2026, between 09:55 and 12:14 UTC, attackers published malicious versions of four npm packages used in SAP's Cloud Application Programming Model: mbt, @cap-js/db-service, @cap-js/sqlite, and @cap-js/postgres. The campaign, dubbed "Mini Shai-Hulud" by researchers, plants a preinstall hook in package.json that runs setup.mjs, which in turn loads the Bun JavaScript runtime to execute an 11.6 MB credential-stealer plus self-propagation framework. The malware harvests local developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud secrets from AWS, Azure, GCP, and Kubernetes. The stolen data is encrypted and exfiltrated to public GitHub repositories created on the victim's own account, captioned "A Mini Shai-Hulud has Appeared." Over 1,100 such repositories already exist.
The worm propagates: it uses the harvested GitHub and npm tokens to inject a malicious GitHub Actions workflow into the victim's other repositories and publish further poisoned packages. One developer who runs npm install can take their entire team — and the open-source projects that team maintains — down with them.
1. The Old Defenses Failed Cleanly
This attack defeated three controls most teams trust by default. Lockfile pinning did not help because the malicious version was published as a fresh release. CI sandboxing did not help because the payload runs at preinstall on developer laptops. SCA scanners did not help because the package was clean yesterday. The compromise vector was npm publish credentials of the maintainer — exactly the credential type the worm itself harvests, which is why this category of attack accelerates once it starts.
2. Map It to the CIA Triad
Confidentiality: developer credentials, source code, cloud secrets — all exfiltrated. Integrity: malicious GitHub Actions workflows injected into legitimate repositories, signed builds tampered with. Availability: not the primary target, but the cleanup forces token rotation, key rotation, and pipeline freeze, which is its own outage. The attack hits all three legs at once.
3. Concrete Defenses You Can Ship This Week
Block install scripts in CI. Use npm install --ignore-scripts or pnpm install --ignore-scripts for any pipeline that does not strictly need them. Pin to integrity hashes, not just version numbers. Move npm publish tokens to short-lived OIDC, kill long-lived classic tokens. Quarantine new dependency versions for 24–72 hours before they reach production builds. Run dependency installs in ephemeral, network-restricted sandboxes on developer machines where possible.
4. Yes, This Applies to PHP and Python Teams
This is an npm story, but the structural lesson is universal. Composer (PHP) and PyPI (Python) have shipped functionally identical compromises in the last 18 months. The package manager is the trust boundary, and that trust boundary is undefended on most laptops. Audit your supply chain controls regardless of language.
5. Input Validation Is Still Not Optional
This worm did not exploit a memory-corruption bug. It exploited implicit trust in third-party code that runs at install time with full developer privileges. The OWASP Top 10:2025 promoted Software Supply Chain Failures to A03 for exactly this reason — the category has the highest average exploit and impact scores from CVEs. Treating dependencies as untrusted input — and validating them like any other input — is now table stakes.
My Take
I keep seeing teams budget security like it is a feature: a quarterly initiative, a checkbox, a once-a-year audit. Mini Shai-Hulud is the latest reminder that supply-chain attacks are operational risk, not a compliance category. The worm self-propagates through the credentials it steals; that means every additional day a poisoned package sits unflagged in your pipeline raises the radius of the next compromise. The teams that survive 2026 will treat their dependency tree the way banks treat their AML pipeline: continuous, automated, paranoid, and assumed-hostile by default. Your node_modules folder is not a manifest of helpful libraries; it is an attack surface signed by people you have never met. Build accordingly.
Sources
- SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack — The Hacker News
- Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer — Aikido
- Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware — Wiz
- Bun-Based Stealer Hits SAP CAP npm Packages — Snyk
- OWASP Top 10:2025 — Introduction