Skip to content
.ca
sign in
4 minhigh

'Mini Shai-Hulud' supply chain attack targets SAP npm packages

The 'mini Shai-Hulud' campaign is a software supply chain attack involving compromised npm packages associated with SAP's Cloud Application Programming Model (CAP). The malicious packages execute upon installation or runtime to harvest sensitive credentials, encrypt the stolen data, and exfiltrate it via public GitHub repositories. Package maintainers have released patched versions to mitigate the threat.

Sens:ImmediateConf:highAnalyzed:2026-04-30reports

Authors: Sophos Counter Threat Unit Research Team

Actorsmini Shai-Hulud
Credential Theftmini Shai-HuludnpmSupply ChainSAP CAP

Source:Sophos

Detection / Hunter

What Happened

A cyberattack called 'mini Shai-Hulud' has compromised specific software building blocks (npm packages) used by developers working with SAP systems. Developers who downloaded these compromised building blocks may have had their sensitive passwords and access keys stolen and sent to the attackers. This matters because stolen credentials can allow attackers to access corporate systems and data. Organizations using these SAP tools should check for compromised versions, update to the latest safe versions, and change any passwords that might have been exposed.

Key Takeaways

  • A supply chain attack dubbed 'mini Shai-Hulud' targeted npm packages used in SAP's Cloud Application Programming Model (CAP).
  • The compromised packages are designed to steal sensitive data, including credentials.
  • Stolen data is encrypted and exfiltrated to public GitHub repositories.
  • Maintainers of the affected packages have released updated, clean versions.
  • Organizations must investigate their environments and rotate any potentially exposed secrets.

Affected Systems

  • SAP Cloud Application Programming Model (CAP)
  • npm package environments
  • Developer workstations and CI/CD pipelines using affected packages

Attack Chain

Attackers compromised npm packages used in SAP's Cloud Application Programming Model (CAP). When developers install or run these packages, malicious JavaScript executes to harvest sensitive data and credentials from the local environment. The stolen data is subsequently encrypted to evade basic inspection. Finally, the encrypted data is exfiltrated to attacker-controlled public GitHub repositories acting as a dead drop.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the article, though Sophos AV signatures are mentioned.

Detection Engineering Assessment

EDR Visibility: Medium — EDR can monitor Node.js processes for anomalous file access or child process creation, but may lack visibility into the specific JavaScript execution flow within the Node environment. Network Visibility: Medium — Network monitoring can detect outbound connections to GitHub, but the traffic will be HTTPS encrypted, making payload inspection difficult. Detection Difficulty: Moderate — Distinguishing malicious exfiltration to GitHub from legitimate developer activity (like pushing code) is challenging without deep packet inspection or specific endpoint behavioral context.

Required Log Sources

  • Process Creation Logs
  • Network Flow Logs
  • DNS Logs
  • npm audit logs

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Node.js or npm processes are making unexpected outbound network connections to public GitHub repositories that are not part of standard development workflows.Network Flow Logs, DNS Logs, Process Network EventsExfiltrationHigh
Node.js processes are accessing sensitive credential files or environment variables unexpectedly during package installation.File Access Logs, Process Command LinesCredential AccessMedium

Control Gaps

  • Lack of egress filtering on developer workstations
  • Implicit trust in public npm registries without internal scanning

Key Behavioral Indicators

  • Node.js processes initiating connections to github.com or raw.githubusercontent.com outside of git executables
  • Anomalous encryption activity or high-entropy data generation within npm package execution contexts

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Identify and remove compromised SAP CAP npm packages from all environments.
  • Update to the latest clean versions of the affected packages as released by the maintainers.
  • Rotate all secrets, API keys, and credentials that may have been accessible in the affected development environments.

Infrastructure Hardening

  • Implement egress filtering for development environments to restrict outbound connections to approved domains only.
  • Use a private npm registry or proxy to cache, scan, and approve packages before they reach developers.

User Protection

  • Deploy EDR solutions on developer workstations to monitor Node.js and npm process behavior.

Security Awareness

  • Train developers on the risks of supply chain attacks and the importance of verifying package integrity before installation.

MITRE ATT&CK Mapping

  • T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
  • T1552 - Unsecured Credentials
  • T1567.001 - Exfiltration Over Web Service: Exfiltration to Code Repository
  • T1560 - Archive Collected Data

Additional IOCs

  • Other:
    • JS/Agent-BMAH - Sophos antivirus detection signature for the malicious npm package component.
    • JS/Steal-EAT - Sophos antivirus detection signature for the credential stealing component.

Related