Malicious SAP NPM Packages Steal GitHub and AI Tool Secrets

The rapid evolution of supply chain vulnerabilities has reached a critical juncture with the discovery of a highly sophisticated campaign targeting the SAP developer ecosystem through poisoned npm packages. This malicious operation utilizes a refined worm known as Mini Shai-Hulud, which executes silently via a preinstall script before the standard installation process can even complete its initial routines. By the time a developer or an automated continuous integration pipeline realizes a package has been fetched, the malware has already begun sweeping the host environment for sensitive credentials ranging from cloud access keys to private AI coding tool configurations. The attack specifically compromised several official SAP-published components, including the mbt build tool and the cap-js suite for SQLite, Postgres, and general database services. This breach demonstrates a calculated move to infiltrate the SAP Cloud Application Programming model and the Multi-Target Application framework, which are foundational to modern enterprise cloud operations and business technology platforms.

1. Technical Architecture of the Mini Shai-Hulud Malware

Security analysts identified the Mini Shai-Hulud malware as a direct evolution of a previous worm documented in early 2025, suggesting a persistent and focused threat actor. The infection vector relies on a hidden script named setup.mjs that triggers immediately upon the execution of a standard npm install command. Instead of relying on the native Node.js environment, which might be subject to specific monitoring or restrictions, the script downloads a standalone Bun JavaScript runtime to execute its primary payload. This payload is a massive 11.7 MB obfuscated file titled execution.js, which carries out the bulk of the credential theft operations. The reuse of specific markers, such as the Bun v1.3.13 bootstrap and a custom ctf-scramble-v2 cipher, confirms that the attackers are leveraging a refined codebase to maintain stealth. By utilizing a different runtime and heavy obfuscation, the malware successfully evaded traditional signature-based detection systems during its initial rollout across the SAP-centric registry ecosystem.

The complexity of the execution.js payload reveals a high level of preparation, as it is designed to operate without leaving significant traces in standard application logs. The malware establishes a foothold by creating persistent copies of itself within hidden project directories, specifically targeting folders associated with modern coding assistants and version control systems. Because the attack targets packages that sit deep within the dependency trees of many enterprise-grade applications, the potential for lateral movement within corporate networks is exceptionally high. Any developer machine or automated build server that processed the compromised versions—specifically mbt 1.2.48 or cap-js/sqlite 2.2.2—must be considered fully compromised. The shift from general credential harvesting to specific targeting of SAP-related development tools indicates that the threat actors possess deep knowledge of how enterprise cloud applications are built and deployed. This level of specialization allows the worm to bypass generic security defaults that many organizations rely on for basic supply chain protection.

2. Advanced Harvesting Capabilities for Cloud and AI Environments

The core functionality of the Mini Shai-Hulud worm involves five distinct harvesting threads that run in parallel to maximize data collection efficiency. One primary thread focuses exclusively on the npm ecosystem, scanning for .npmrc configuration files in user home directories and project roots, and for tokens held in environment variables. The malware does not merely steal these tokens; it actively validates them against the npm registry API to determine if they possess publishing rights. This is a critical step for the worm’s replication strategy, as it seeks to use stolen high-privilege tokens to infect additional packages and propagate further through the software supply chain. Simultaneously, the malware scans for GitHub Actions secrets by reading system memory on Linux hosts, allowing it to extract sensitive information that is typically hidden from standard file system audits. This aggressive approach to memory scraping ensures that even temporary session tokens used in automated workflows are captured before they can expire.

Beyond traditional development secrets, this campaign marks a significant shift by actively targeting the configurations of AI coding tools such as Claude Code and the Cursor IDE. The payload is programmed to check over 130 hardcoded paths for specific settings files and session hooks that might contain proprietary prompts, API keys, or internal codebase metadata. It specifically looks for session start hooks in settings files to ensure that the malicious execution persists across different coding sessions. In addition to AI-specific data, the worm sweeps for broader cloud infrastructure credentials, including AWS IAM keys, Google Cloud Secret Manager files, and Azure Key Vault access details. Kubernetes service account tokens and SSH private keys are also prioritized, providing the attackers with the necessary tools to move from a single compromised developer laptop to an entire cloud production environment. All collected data is encrypted using AES-256-GCM before being exfiltrated to a dead-drop repository on GitHub, often created using the victim’s own stolen account.

3. Systematic Remediation and Proactive Defense Requirements

Addressing a compromise of this magnitude requires a comprehensive overhaul of the local environment and a total reset of all cryptographic identities associated with the affected machine. If any of the compromised SAP packages were installed, the first step involves a complete uninstall followed by a fresh installation using the --ignore-scripts flag to prevent any latent malicious scripts from firing. Developers must conduct a manual search for any execution.js files exceeding five megabytes and inspect their project directories for unauthorized format-check.yml workflows or modified settings files in hidden folders. Simply deleting the malicious packages is insufficient, as the worm often leaves behind persistence mechanisms designed to survive a standard cleanup. Every secret stored on or accessible from the host, including npm publish tokens, GitHub personal access tokens, and cloud service account keys, must be revoked and rotated immediately to prevent the attackers from utilizing the stolen data.

In response to the persistent threat of script-based malware in the supply chain, security teams shifted toward more granular control over publishing and installation workflows. Organizations adopted OpenID Connect for trusted publishing, which scopes npm permissions to specific branches and workflows rather than broad user-level tokens. This transition effectively neutralized the worm’s ability to replicate using stolen credentials, as the automated publishing process now requires short-lived, environment-bound identities. Furthermore, the enforcement of script-blocking policies in continuous integration pipelines became a standard requirement for all enterprise development. These measures, combined with the implementation of advanced dependency auditing tools that specifically monitor lifecycle hooks, provided a more robust defense against similar silent execution attacks. The incident served as a stark reminder that reactive package takedowns are inadequate, leading to a broader industry movement toward zero-trust principles within the internal development lifecycle.
