A recent supply chain attack, known as “mini Shai Hulud,” has targeted four npm packages associated with SAP by injecting harmful preinstall scripts. These scripts execute silently during the installation of dependencies, aiming to extract credentials from developer environments and CI/CD pipelines, impacting platforms such as GitHub, npm, and major cloud service providers.
Malicious Packages Identified
Security experts from StepSecurity, Aikido Security, SafeDep, Socket, and Wiz have uncovered that malicious versions of legitimate SAP Cloud Application Programming Model (CAP) ecosystem packages, including @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt, were released with a dangerous preinstall hook embedded in their package.json files.
Contrary to previous campaigns, this attack utilizes a new evasion strategy by employing the Bun JavaScript runtime instead of Node.js to deploy the payload. This is executed via a script named setup.mjs, which downloads Bun during installation to run a heavily obfuscated 11 MB second-stage payload known as execution.js.
Complex Payload and Credential Exfiltration
Once setup.mjs is activated, it retrieves and launches execution.js, which functions as a comprehensive credential-stealing and self-propagation framework. When deobfuscated, this payload systematically collects:
- GitHub tokens and npm credentials from developer devices
- Cloud provider secrets, including AWS, Azure, and GCP environment variables
- Kubernetes tokens and service account credentials
- GitHub Actions secrets, directly from runner memory
The stolen data is encrypted and sent to attacker-controlled public GitHub repositories, mirroring the exfiltration method of the original Shai-Hulud campaign. The malware further propagates by using any stolen npm tokens to identify and infect other packages under the compromised maintainer’s account, enabling rapid, automated dissemination within the npm ecosystem.
Geofencing and Attribution
The malware includes a geofencing check that examines the system’s date/time locale settings and environment language variables. If the language is set to Russian, the malware self-terminates, ensuring no data is exfiltrated from Russian-speaking systems. This exclusion is a common trait of TeamPCP campaigns.
Researchers have confidently attributed this campaign to TeamPCP, citing overlapping technical signatures with its previous operations targeting packages like Trivy, LiteLLM, and Checkmarx KICS. Key indicators of attribution include:
- The use of the __decodeScrambled cipher for encoding secrets before exfiltration
- Consistent Russian-language early-exit logic
- Shared setup.mjs dropper (SHA256: 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34) across the affected packages
- Recurring abuse patterns: execution during installation, off-host data exfiltration, and self-propagation
Recommendations for Affected Organizations
Organizations utilizing SAP CAP tooling should immediately audit and update CI/CD pipeline dependencies, rotate any exposed secrets, and block the compromised package versions. Security teams should also monitor for unexpected Bun runtime downloads during npm installations, as this is a novel behavior associated with the attack. Responsible disclosures have been made to the maintainers of the affected packages.
Stay informed with our daily cybersecurity updates by following us on Google News, LinkedIn, and X. Contact us to share your stories.
