
Four npm packages at the heart of SAP's enterprise development ecosystem were quietly backdoored on Tuesday, April 29, 2026 — weaponizing the routine npm install command to drain credentials from developer machines and corporate CI/CD pipelines.
The operation, which researchers are calling "Mini Shai-Hulud," has already left a visible scar across GitHub: over 1,000 developer repositories have been poisoned, all stamped with the same attacker's signature — "A Mini Shai-Hulud has Appeared."
The compromised packages are:
- [email protected]
- @cap-js/[email protected]
- @cap-js/[email protected]
- @cap-js/[email protected]
Together, they pull roughly 570,000 weekly downloads. These are not fringe libraries — they are core components of SAP's Cloud Application Programming Model (CAP), used by enterprise teams building cloud applications on SAP's Business Technology Platform, and in MTA (Multi-Target Application) deployment pipelines that touch production SAP systems.
What the Malware Actually Does
The normal package code in the affected versions still matches the legitimate SAP packages byte-for-byte. The compromise lives entirely in a pre-install hook and two added files, according to Aikido's analysis.
Stage one is setup.mjs, a Bun runtime bootstrapper. It checks the operating system and architecture, downloads Bun 1.3.13 from GitHub when needed, extracts the binary, and runs execution.js with Bun. Routing the download through an official GitHub release URL was deliberate: to most network-level egress filters it looks like legitimate traffic, and an allow-list that already permits GitHub release downloads for build tooling does not stop it.
Stage two is where the real damage happens. execution.js is an 11MB single-line obfuscated JavaScript blob that hunts for developer credentials in three phases: it checks whether it is running inside GitHub Actions (CI/CD), scans the filesystem and shell environment for GitHub OAuth tokens, npm automation tokens, and AWS/Azure/GCP credentials, then exfiltrates everything over HTTPS to an attacker-controlled C2 endpoint using layered AES-256-GCM plus RSA-OAEP encryption.
For any victim running inside GitHub Actions with a workflow-scoped token, the malware goes further: it uses the stolen token to commit malicious files, including a .vscode/tasks.json, directly to the victim's own repositories. Any developer who later clones the poisoned repository and opens it in VS Code can re-trigger the dropper, because tasks.json can declare a task that runs when the folder is opened (whether it actually fires depends on the editor's Workspace Trust and automatic-task settings). It is persistence through the developer's own trusted toolchain.
How the Attacker Got In
It has been reported that the attacker compromised a legitimate SAP developer account (RoshniNaveenaS) and modified a GitHub Actions workflow to exchange a GitHub OIDC (OpenID Connect) token, through npm's trusted publishing flow, for a live npm publish token scoped to @cap-js/sqlite.
The critical flaw: npm's trusted publishing configuration for that package trusted any workflow in the cap-js/cds-dbs repository, not just the canonical release workflow on the main branch. Pushing a modified workflow to a non-main branch was enough to mint a valid publish credential.
The mbt package used a separate maintainer set, and its publish token appears to have been stolen through a different, as-yet-unconfirmed vector.
Familiar Playbook, High-Value Target
The attack's hallmarks — Bun-as-dropper, preinstall-phase execution, obfuscated credential harvester, repository poisoning — connect it directly to the Shai-Hulud malware family that has plagued the npm ecosystem since late 2025.
As we covered at Cyber Kendra, the original Shai-Hulud campaign compromised over 700 npm packages, including official CrowdStrike packages, and its second wave impacted more than 27,000 GitHub repositories and exposed approximately 14,000 secrets across hundreds of organizations. This latest variant hits a narrower set of packages but a far more privileged environment: enterprise SAP pipelines with access to production cloud infrastructure.
The payload targets GitHub, npm, cloud providers, Kubernetes, CI secrets, and local developer tooling — do not limit rotation to npm tokens.
What You Need to Do Right Now
If any of the four affected versions touched your environment on or after April 29, 2026:
- Rotate everything immediately: GitHub tokens (all scopes), npm tokens, AWS/Azure/GCP access keys, and any CI/CD secrets
- Audit your repositories for unexpected tasks.json additions in .vscode/ or .claude/ directories, and search your GitHub account for the description string "A Mini Shai-Hulud has Appeared."
- Review CI/CD logs for unexpected Bun process spawns from temp directories during npm install
- Check lockfiles for the four compromised version strings and downgrade to the last clean versions (@cap-js/[email protected], @cap-js/[email protected], @cap-js/[email protected], [email protected])
- Harden OIDC publishing configs by scoping trusted publishers to a specific workflow file on a protected branch, not a repository broadly
Socket is actively tracking the campaign. This is a developing story.