Security researchers have identified a supply chain attack in which four SAP npm packages were injected with malicious code. The incident, dubbed Mini Shai-Hulud, targets SAP's Cloud Application Programming (CAP) ecosystem and its associated cloud deployment workflows.
Details of the Supply Chain Attack
On April 29, four versions of SAP-related packages were flagged as malicious on npm: mbt 1.2.48, @cap-js/db-service 2.10.1, @cap-js/postgres 2.2.2, and @cap-js/sqlite 2.2.2. Together these packages see over 500,000 weekly downloads and are central to building SAP Multi-Target Application (MTA) archives and to the CAP framework's database services.
The malicious versions carried a preinstall script that acted as a runtime bootstrapper. When the package was installed, the script downloaded a ZIP archive of the Bun runtime from a GitHub repository, extracted it, and ran the Bun binary, which in turn executed an information-stealing malware on the host.
Impact and Response
According to Onapsis, the malicious versions were available for a window of only 2 to 4 hours before they were removed and replaced with clean versions. The malware targets sensitive local credentials, cloud secrets, and tokens for platforms such as GitHub, AWS, and Azure, and uses public GitHub repositories as its exfiltration channel.
Aikido also noted a propagation mechanism that amplified the threat's impact: the malware modified package tarballs and used stolen GitHub Actions tokens to distribute the malicious payload further.
Attribution and Recommendations
Cybersecurity firm Wiz has linked the attack to the TeamPCP hacking group, which is known for previous supply chain attacks. The attribution rests on a shared RSA public key used to encrypt the exfiltrated data, suggesting that the same private key, and therefore the same operator, is needed to decrypt it.
Organizations using SAP Business Technology Platform workflows, SAP CAP, or MTA-based deployment pipelines should verify whether they installed the compromised package versions during the exposure window. Loose version ranges and transitive dependencies raise the risk for JavaScript developers integrating SAP packages, because a malicious release within an accepted range can be pulled in without any explicit upgrade.
The Mini Shai-Hulud attack underscores a significant threat to developers and businesses that build on SAP CAP. Vigilance and proactive security checks, such as pinning versions and auditing installed dependencies, are advised to mitigate similar attacks in the future.
