Full Report
Cybersecurity researchers are sounding the alarm about a new supply chain attack campaign targeting SAP-related npm Packages with credential-stealing malware. According to reports from Aikido Security, SafeDep, Socket, StepSecurity, and Google-owned Wiz, the campaign – calling itself the mini Shai-Hulud – has affected the following packages associated with SAP's JavaScript and cloud application
Analysis Summary
# Tool/Technique: Mini Shai-Hulud
## Overview
Mini Shai-Hulud is a sophisticated credential-stealing malware and propagation framework distributed via compromised SAP-related npm packages. The malware targets developers and CI/CD environments, utilizing the Bun JavaScript runtime to execute cross-platform payloads. It is notable for being one of the first supply chain attacks to target AI coding agent configurations (specifically Claude Code) for persistence and lateral movement.
## Technical Details
- **Type:** Malware (Credential Stealer / Worm / Propagation Framework)
- **Platform:** Windows, macOS, Linux (via Bun runtime)
- **Capabilities:** Credential harvesting, self-propagation, cloud secret exfiltration, AI agent hijacking.
- **First Seen:** April 29, 2026
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1195.001 - Supply Chain Compromise: Compromise Software Dependencies
- **TA0002 - Execution**
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1059.007 - Command and Scripting Interpreter: JavaScript
- **TA0003 - Persistence**
- T1546 - Event-Triggered Execution (via IDE/AI Agent hooks)
- **TA0006 - Credential Access**
- T1552.001 - Unsecured Credentials: Credentials In Files
- T1555 - Credentials from Password Stores
- **TA0010 - Exfiltration**
- T1567.001 - Exfiltration Over Web Service: Exfiltration to Code Repository
## Functionality
### Core Capabilities
- **Script-Based Execution:** Uses a `preinstall` hook in `package.json` to trigger `setup.mjs`.
- **Runtime Bootstrapping:** Downloads a platform-specific Bun ZIP binary from GitHub, extracts it, and executes the primary malicious logic (`execution.js`).
- **Credential Harvesting:** Aggressively targets local developer environments to steal:
- GitHub and npm tokens.
- GitHub Actions secrets.
- Cloud provider credentials (AWS, Azure, GCP).
- Kubernetes configuration files.
- **Data Encryption:** Encrypts all harvested data using AES-256-GCM, with the session key wrapped via RSA-4096 (making data recoverable only by the attacker).
### Advanced Features
- **AI Agent Hijacking:** Injects a malicious `.claude/settings.json` file to abuse the Claude Code "SessionStart" hook for persistence.
- **IDE Persistence:** Modifies `.vscode/tasks.json` with the `runOn: folderOpen` setting to execute malware whenever a developer opens the repository in VS Code.
- **Self-Propagation:** Uses stolen npm and GitHub tokens to inject malicious workflows into existing repositories and publish poisoned package versions to registries.
- **Automated Exfiltration:** Creates new, public GitHub repositories on the victim's account named "A Mini Shai-Hulud has Appeared" to host encrypted stolen data.
## Indicators of Compromise
- **File Names:**
- `setup.mjs`
- `execution.js`
- `.claude/settings.json`
- `.vscode/tasks.json` (modified)
- **Compromised npm Packages (Specific Versions):**
- `[email protected]`
- `@cap-js/[email protected]`
- `@cap-js/[email protected]`
- `@cap-js/[email protected]`
- **Behavioral Indicators:**
- Spawning of PowerShell with `-ExecutionPolicy Bypass`.
- Unannounced downloads of Bun runtime binaries from GitHub during `npm install`.
- Creation of GitHub repositories with the description: "A Mini Shai-Hulud has Appeared".
- Outbound HTTP connections to `github[.]com` for exfiltration.
## Associated Threat Actors
- **TeamPCP:** Researchers linked the campaign to previous TeamPCP operations based on technical overlaps and code patterns.
## Detection Methods
- **Behavioral Detection:** Monitoring for GitHub/npm package installation scripts that download and execute external binaries or modify IDE configuration files.
- **Auditing:** Searching for the string "A Mini Shai-Hulud has Appeared" in organization GitHub repositories.
- **Token Monitoring:** Alerts for abnormal usage of npm/GitHub tokens outside of standard CI/CD IP ranges.
## Mitigation Strategies
- **Dependency Pinning:** Use lockfiles (`package-lock.json`) and verify hashes.
- **Execution Policy:** Enforce strict PowerShell execution policies and audit the use of `bypass` flags.
- **CI/CD Hardening:** Use "OpenID Connect" (OIDC) for cloud authentication instead of long-lived secrets/keys.
- **Hook Monitoring:** Audit repository-level configuration files (`.vscode`, `.claude`, `.github/workflows`) for unauthorized changes.
- **Environment Isolation:** Use containers or ephemeral environments for package installation and testing.
## Related Tools/Techniques
- **Shai-Hulud:** Prior malware waves sharing similar names and core behaviors.
- **Typosquatting/Dependency Confusion:** General techniques often used in conjunction with these supply chain attacks.