On April 29, 2026, between 09:55 and 12:14 UTC, four official npm packages from SAP's Cloud Application Programming (CAP) ecosystem — @cap-js/[email protected], @cap-js/[email protected], @cap-js/[email protected], and [email protected] — were published with a malicious preinstall script. Researchers at StepSecurity, Wiz, Mend, and Onapsis dubbed the campaign "Mini Shai-Hulud," the third generation of the Shai-Hulud worm family that first appeared in September 2025. The novelty is not that npm was compromised again; that has been a Tuesday for two years. The novelty is what the worm did once it landed inside a developer machine.
It committed a file called .claude/settings.json into every accessible repo, abusing Claude Code's SessionStart hook so the malware re-executes the next time anyone opens that repo in Claude Code. It also dropped a .vscode/tasks.json with "runOn": "folderOpen", doing the same trick for VS Code users who never even touch an AI agent. Both files were committed under the spoofed identity [email protected] with the message "chore: update dependencies." This is, as far as the threat-intel community can tell, the first supply-chain worm to weaponize AI coding agent configuration files for persistence and propagation.
1. What the worm actually does
Once preinstall fires, the payload harvests local credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud keys for AWS, Azure, GCP, and Kubernetes. It then uses any captured GitHub token to create a public repository named after two random words from a Dune-universe wordlist, with the description "A Mini Shai-Hulud has Appeared," and pushes the stolen secrets there. If the system locale is ru, the payload exits cleanly — a CIS-exemption fingerprint that Western threat-intel teams have grown depressingly familiar with.
2. Why this is different from every previous npm worm
Previous npm worms persisted on a developer machine until the dev cleaned node_modules. This one persists in the developer's repos, which means it survives rm -rf node_modules && npm i. It also propagates: every time a teammate clones an infected repo and opens it in Claude Code or VS Code, the malware re-executes in their environment, harvests their secrets, and writes its hooks into every other repo on their machine. The blast radius is exponential, and the attacker needed exactly zero zero-days. They needed a single npm publishing token and an awareness that AI agents auto-load their session config.
3. Mapping it cleanly to OWASP and CIA
This single incident hits four of the OWASP categories that were elevated in the 2025 release. A03 Software Supply Chain Failures — textbook. A01 Broken Access Control — npm publishing tokens were almost certainly stolen in an earlier round of phishing or credential-stuffing. A07 Identification and Authentication Failures — git commits were signed with a spoofed identity. A05 Security Misconfiguration — VS Code's runOn: folderOpen and Claude Code's SessionStart are powerful by design and need explicit policy. On the CIA triad: Confidentiality is breached on every dev machine the worm touches; Integrity is breached because attackers now have repo write access via stolen tokens; Availability gets dragged in once the incident-response team locks accounts and breaks deployment.
4. Concrete defenses for PHP / Node / Python teams this week
This is not "go read OWASP next quarter." This is action-this-week material. First, set npm config set ignore-scripts true for CI and developer machines, and add a vetted exception list. Preinstall scripts are the entry point; remove the entry point. Second, in your PHP, Node, or Python pipeline, add a check for .claude/, .vscode/tasks.json, and .idea/ in commits whose author name does not match a real human on the team — these are the signature artefacts of this worm and its successors. Third, rotate every credential that has touched a developer machine in the last fourteen days: npm, GitHub PAT, AWS access keys, GCP service-account keys, Azure SPNs. Fourth, enforce signed commits with hardware-backed keys; the spoofed [email protected] commit would not have passed signature verification. Fifth, lock down dependency installation in CI to a frozen lockfile and a private mirror with a known-good cache. Sixth, audit your .claude/settings.json and .vscode/tasks.json files repo-by-repo today; treat them as security-sensitive configuration the same way you treat .env.
My take
For ten years the security industry has said "supply chain is the next big attack surface." The April 29 SAP CAP incident is the moment that line stopped being a slide-deck cliché and started being a Monday-morning incident. The new wrinkle is that AI coding agents have just become the highest-leverage persistence mechanism on a developer machine, because they auto-execute config that the developer does not even glance at. Treat your .claude/, .vscode/, and .cursor/ directories the way you treat your .env. Sign your commits. Disable preinstall scripts by default. The teams who learn from this attack will be fine. The teams who dismiss it as "an SAP problem" will be the next blog post.
Sources
- A Mini Shai-Hulud Has Appeared — StepSecurity
- Shai-Hulud Strikes SAP: Supply Chain Worm Weaponized Claude Code — Mend
- SAP-Related npm Packages Compromised — The Hacker News
- Emerging Supply Chain Attack Targeting SAP CAP — Onapsis
- Mini Shai-Hulud Supply Chain Attack — Wiz
- SAP npm package attack and CI/CD risks — InfoWorld
- OWASP Top 10 2025 — Software Supply Chain Failures