Malicious SAP npm Packages Exploit Developer Credentials in Sophisticated Supply Chain Attack

Posted by u/Merekku · 2026-05-03 09:40:43

Attack Targets SAP's JavaScript and Cloud Development Ecosystem

Cybersecurity researchers have uncovered a supply chain attack targeting SAP-related npm packages, exposing critical vulnerabilities in developer tools and continuous integration/continuous delivery (CI/CD) pipelines. The campaign, dubbed “mini Shai-Hulud,” compromised packages used in SAP’s JavaScript and cloud application development frameworks.

Source: www.infoworld.com

Malicious versions of packages including mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, and @cap-js/sqlite@2.2.2 were published on April 29. They were later replaced by safe releases, but not before infecting systems. The malware steals developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud credentials from AWS, Azure, GCP, and Kubernetes environments.
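
One way to check whether a project locked any of the releases named above, as an added example that is not from the original article or from the vendors it cites: a scanner over a parsed package-lock.json. The sample lockfile, the `build-helper` package name and the non-matching version are constructed for illustration.

```javascript
// Versions the article names as malicious (published April 29).
const COMPROMISED = new Map([
  ["mbt", ["1.2.48"]],
  ["@cap-js/db-service", ["2.10.1"]],
  ["@cap-js/postgres", ["2.2.2"]],
  ["@cap-js/sqlite", ["2.2.2"]],
]);

const isBad = (name, version) => (COMPROMISED.get(name) || []).includes(version);

// Returns [{name, version, path}] for every locked install on the list.
function findCompromised(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0) continue; // root project ("") or a local workspace folder
    // Nested installs look like node_modules/a/node_modules/@scope/b.
    const name = entry.name || path.slice(idx + "node_modules/".length);
    if (isBad(name, entry.version)) hits.push({ name, version: entry.version, path });
  }
  // lockfileVersion 1: recursive "dependencies" tree keyed by package name.
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${trail}/${name}`;
      if (isBad(name, entry.version)) hits.push({ name, version: entry.version, path });
      walk(entry.dependencies, path);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not real project data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@cap-js/sqlite": { version: "2.2.2" },
    "node_modules/@cap-js/postgres": { version: "2.2.1" }, // constructed, not on the list
    "node_modules/build-helper/node_modules/mbt": { version: "1.2.48" }, // transitive
  },
};

for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`FOUND ${h.name}@${h.version} at ${h.path}`);
}
```

A hit means the version was resolved into the lockfile, so any workstation or CI runner that installed from it should be treated as exposed and its credentials rotated.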

“The fact that the malware was designed to harvest all these credentials in a single pass tells you that attackers now treat the developer workstation as a master key,” said Sakshi Grover, senior research manager for IDC Asia Pacific Cybersecurity Services. The attack highlights a widening security gap between development environments and production systems.

Researchers from SafeDep, Aikido Security, Wiz, and other firms analyzed the campaign. They found that the malware encrypts stolen data and exfiltrates it to public GitHub repositories created from the victims’ own accounts. The attackers also used stolen tokens to inject malicious GitHub Actions workflows into accessible repositories and publish further poisoned packages.

SafeDep reported that the attackers exploited a configuration flaw in npm’s OIDC trusted publishing setup for the @cap-js packages. For the mbt package, the compromise likely involved a static npm token. Additionally, the malware attempted to persist through configuration files for Visual Studio Code and Claude Code, bringing developer workstations and AI-assisted coding tools into the supply chain threat landscape.

Background

The mini Shai-Hulud campaign underscores the increasing sophistication of software supply chain attacks. While previous incidents like SolarWinds focused on compromising build servers, this attack targets the developer environment directly, using it as a springboard to infiltrate CI/CD pipelines and cloud resources. The use of GitHub and npm tokens to propagate malicious packages mirrors techniques seen in other recent npm attacks, but the scope of credential harvesting across multiple cloud providers is notable.

According to IDC’s Asia Pacific Security Survey 2025, 46% of enterprises plan to deploy AI for third-party and supply chain risk analysis within 12 to 24 months. However, many organizations are still planning and have not yet operationalized AI-driven defenses, leaving them vulnerable to attacks like mini Shai-Hulud.

“A single compromised developer identity in a CI/CD pipeline can give attackers a route into the wider software supply chain,” Grover added. “They can push malicious code into packages that downstream developers may install with little visibility into tampering.”

What This Means

For chief information security officers (CISOs), this case demonstrates how quickly a tainted dependency can move beyond the build process. Developer environments, though central to enterprise software delivery, are still not governed with the same rigor as production systems. The attack adds urgency to calls for tighter controls on npm tokens, OIDC configurations, and access to CI/CD secrets.

Sunil Varkey, a cybersecurity analyst, described the campaign as a case of “living off the land,” where attackers use legitimate tools and credentials to persist. The inclusion of Visual Studio Code and Claude Code configuration files suggests that AI-assisted coding tools are becoming an attractive target. Security teams should audit third-party plugins and review OIDC trust policies for package registries.

Immediate steps include rotating all compromised credentials, scanning GitHub repositories for unknown workflows, and monitoring for anomalous package publishing. The attack reinforces the need for continuous monitoring of developer workstations and a shift-left approach to security.