Full Report
Malicious versions of legitimate SAP ecosystem packages (e.g., @cap-js/sqlite, @cap-js/postgres) were created by modifying them to include a preinstall script that executes setup.mjs automatically during npm install. This script downloads the Bun runtime and executes an obfusc...
Analysis Summary
# Incident Report: Supply Chain Campaign targeting SAP npm Packages
## Executive Summary
A sophisticated supply chain attack targeted the SAP ecosystem by publishing trojanized versions of popular npm packages (e.g., `@cap-js/sqlite`, `@cap-js/postgres`). The malware, dubbed "Mini Shai Hulud," was designed to exfiltrate developer credentials and cloud secrets while propagating itself through GitHub repositories. The campaign significantly impacted CI/CD pipelines and developer environments, though it contained a hardcoded kill-switch to avoid infecting Russian-language systems.
## Incident Details
- **Discovery Date:** April 29, 2026
- **Incident Date:** Circa April 2026
- **Affected Organization:** SAP Ecosystem / Developers using `@cap-js` packages
- **Sector:** Information Technology / Software Development
- **Geography:** Global (excluding Russian-speaking systems)
## Timeline of Events
### Initial Access
- **Date/Time:** April 2026
- **Vector:** Supply Chain Compromise (Typosquatting/Trojanized npm packages)
- **Details:** Attackers uploaded malicious versions of legitimate SAP ecosystem packages to the npm registry. These included a `preinstall` script in the `package.json` file.
### Lateral Movement
- The malware contains built-in propagation logic designed to infect additional repositories and package distributions, effectively moving from the initially compromised developer environment to other projects and the broader npm ecosystem.
### Data Exfiltration/Impact
- **Credential Theft:** Stole GitHub tokens, npm credentials, AWS/Azure/GCP secrets, and Kubernetes tokens.
- **CI/CD Impact:** Extracted GitHub Actions secrets directly from runner memory.
- **Exfiltration Method:** Encrypted payloads were posted to public GitHub repositories controlled by the attackers.
### Detection & Response
- **How it was discovered:** Analysis by security researchers (Wiz) identifying malicious `preinstall` hooks in SAP-related packages.
- **Response actions taken:** Malicious packages identified; the report was finalized on May 11, 2026. (Specific takedown actions by npm/GitHub are implied by the "Finalized" status rather than stated.)
## Attack Methodology
- **Initial Access:** Publishing trojanized npm packages using legitimate-sounding names.
- **Persistence:** Established in CI/CD pipelines and local developer environments through `npm install` lifecycle hooks.
- **Privilege Escalation:** Not explicitly detailed; the malware instead targets extraction of administrative tokens (Kubernetes/cloud).
- **Defense Evasion:**
  - Obfuscated JavaScript payloads (`execution.js`).
  - Use of the Bun runtime to execute scripts (possibly to bypass Node-specific monitoring).
- **Geofencing:** Terminates if the system locale/language is set to Russian ('ru').
- **Credential Access:** Scraping environment variables, config files, and high-value secrets from runner memory.
- **Discovery:** System checks for language/locale and environment variables.
- **Lateral Movement:** Automated propagation logic to infect other repositories.
- **Collection:** Automated gathering of cloud provider and VCS credentials.
- **Exfiltration:** Posting encrypted data to public GitHub repositories.
- **Impact:** Supply chain contamination and widespread credential compromise.
## Impact Assessment
- **Financial:** High (potential for unauthorized cloud resource usage via stolen AWS/Azure/GCP keys).
- **Data Breach:** High-volume theft of sensitive developer and deployment secrets.
- **Operational:** Disruption of CI/CD pipelines and requirement for mass credential rotation.
- **Reputational:** Moderate for SAP ecosystem; highlights risks in npm dependency management.
## Indicators of Compromise
- **Network indicators:**
  - Connections to GitHub[.]com for data exfiltration via repo posts.
- **File indicators:**
  - `setup.mjs` (malicious loader)
  - `execution.js` (obfuscated payload)
  - Modified `package.json` with `preinstall` scripts.
- **Behavioral indicators:**
  - Unauthorized execution of the **Bun** runtime during `npm install`.
  - Unusual memory access patterns in GitHub Actions runners.
## Response Actions
- **Containment:** Removal of malicious packages from the npm registry.
- **Eradication:** Revocation of all secrets (GitHub tokens, Cloud keys) identified as potentially compromised.
- **Recovery:** Rotating npm publishing credentials and auditing GitHub repository history for unauthorized commits.
## Lessons Learned
- **Key takeaways:** Malicious `preinstall` scripts remain a highly effective vector for attacking developers.
- **Process Gaps:** Dependence on third-party ecosystem packages without strict version pinning or integrity checking (e.g., lockfile auditing) allows for easy ingestion of malware.
## Recommendations
- **Restrict Scripts:** Use `--ignore-scripts` when running `npm install` in untrusted or highly sensitive environments.
- **Environment Hardening:** Use OIDC for cloud authentication in CI/CD to eliminate long-lived secrets.
- **Monitoring:** Implement runtime protection for developer workstations and CI/CD runners to detect unauthorized credential access.
- **Registry Security:** Utilize tools like `npm audit` and socket[.]dev to scan dependencies for suspicious lifecycle scripts.