One Command Stole Their Cloud Secrets

On April 29, 2026, a meticulously orchestrated digital heist targeted SAP’s vast developer community. Attackers successfully poisoned four official SAP CAP (Cloud Application Programming) packages, compromising them for a critical two to four-hour window. This narrow timeframe, specifically between 09:55 UTC and 12:14 UTC, proved sufficient for malicious code to propagate rapidly across the global software supply chain, striking developers at their workstations.

The potential fallout was staggering. These compromised packages, essential for enterprise application development, amassed approximately 570,000 weekly downloads. This meant countless developers, performing routine `npm install` commands, unwittingly invited sophisticated malware onto their systems. The sheer volume underscored the attack's broad reach and the silent, insidious spread of its payload, making detection difficult for many.

A profound shockwave rippled through the tech world. Developers operate on an implicit contract of trust with their package ecosystems, particularly for official, enterprise-grade components from a major vendor. This incident fundamentally shattered that trust, revealing how even core, seemingly secure dependencies could become conduits for advanced cyber espionage. The very foundation of secure software development, built on reliable package managers, suddenly felt vulnerable to a single compromised dependency.

The attack specifically targeted four pivotal packages: - `@cap-js/sqlite@2.2.2` - `@cap-js/postgres@2.2.2` - `@cap-js/db-service@2.10.1` - `mbt@1.2.48`

These foundational elements of the SAP Cloud Application Programming model transformed into digital Trojan horses. Their malicious pre-install scripts were designed to steal a trove of sensitive data, including SAP developer credentials and critical cloud secrets from platforms like AWS, Azure, and GCP. The precision and speed of this operation, leveraging a single `npm install` command, highlighted a new, alarming frontier in software supply chain attacks, where implicit trust became the ultimate vulnerability.

SAP's attack began with a deceptively simple yet potent mechanism: a malicious `pre-install` script embedded within the `package.json` files of four official SAP CAP packages. Developers installing `@cap-js/sqlite@2.2.2`, `@cap-js/postgres@2.2.2`, `@cap-js/db-service@2.10.1`, or `mbt@1.2.48` unwittingly triggered the initial phase of the compromise. This standard npm lifecycle hook executed automatically before the package installation completed, making it an ideal vector for stealthy initial access.

This `pre-install` script, however, was not the final payload. Instead, it served as an efficient downloader. Its primary function involved fetching and executing the Bun JavaScript runtime, a fast alternative to Node.js, directly onto the victim's system. This two-stage approach added a layer of indirection, making initial detection harder and allowing for a more dynamic, external payload.

Once installed, Bun took over, executing a significantly larger, heavily obfuscated payload. This sophisticated malware immediately began its reconnaissance and exfiltration mission, targeting a broad spectrum of sensitive information. It systematically hunted for: - npm tokens - GitHub credentials - AWS, Azure, and GCP secrets - Kubernetes tokens - GitHub Actions secrets - Browser passwords - AI coding agent configurations for persistence

The genius of this attack lay in its elegant simplicity. It required no complex zero-day exploits or obscure vulnerabilities. Attackers merely abused standard, documented npm features, specifically the `pre-install` script, to execute arbitrary code. This commonplace package management functionality transformed into a powerful weapon, bypassing many traditional security measures that focus on known exploits rather than legitimate feature misuse.

Such a low-friction approach underscores the pervasive threat of supply chain attacks. A single `npm install` command, a routine development operation, became the conduit for a sophisticated data theft operation. The "TeamPCP" group demonstrated how easily core development dependencies can turn into Trojan horses, highlighting the critical need for rigorous dependency scrutiny in enterprise environments.

Mini Shai-Hulud, a sophisticated digital worm, earned its ominous name from Frank Herbert's *Dune* series. Like the colossal sandworms of Arrakis, this malware burrowed deep into compromised systems, relentlessly harvesting valuable "spice"—in this case, an extensive array of digital credentials. Its primary objective was to exfiltrate these secrets, signaling successful compromise by creating public GitHub repositories with the description "A Mini Shai-Hulud has Appeared." This unique signature helped researchers track the extent of the attack.

Once executed by the malicious `pre-install` script embedded in the poisoned npm packages, the massive, obfuscated payload sprang into action. Utilizing the `Bun` JavaScript runtime, it systematically scoured the host machine for high-value secrets. This credential harvester aggressively targeted developer and cloud infrastructure access, ensuring maximum impact across the software supply chain by compromising the very tools developers use daily.

The digital worm sought out a comprehensive list of sensitive data, demonstrating a clear understanding of modern development and cloud environments. Its targets included: - npm tokens, critical for package management and publishing - GitHub credentials, encompassing personal access tokens and GitHub Actions secrets, vital for code repositories and CI/CD pipelines - AWS, Azure, and GCP secrets, providing direct access to cloud resources - Kubernetes tokens, enabling control over container orchestration platforms - Local browser passwords, often a treasure trove of additional login information - Configuration files for AI coding agents, aiming for potential persistence and further exploitation.

A particularly sophisticated evasion tactic embedded within Mini Shai-Hulud was its geofencing mechanism. Before attempting any data exfiltration, the malware performed a crucial system check: it scanned the host machine's language settings. If it detected Russian as the primary system language, the payload immediately terminated execution, preventing any compromise or data transfer from Russian-speaking systems. This calculated self-preservation measure prevents attribution and avoids operating in specific geopolitical regions, a common pattern in campaigns attributed to certain advanced threat actors. For further details on the broader incident and SAP's response, refer to the SAP Security Patch Day - April 2026 report.

The exfiltration mechanism for Mini Shai-Hulud defied typical stealth operations, opting instead for a brazen, noisy approach. Attackers created numerous public GitHub repositories, each bearing the distinctive description 'A Mini Shai-Hulud has Appeared'. This unusual tactic served as both a digital breadcrumb and a crude but effective data dump, ensuring rapid egress of stolen information from compromised systems and making it easier to track later. Over 1,800 developers across PyPi, npm, and PHP ecosystems ultimately fell victim to this audacious data extraction method.

Despite the public nature of the data's destination, the harvested secrets remained secure from unintended eyes. Attackers meticulously protected the stolen credentials with AES-256-GCM encryption, rendering the vast trove of data useless to anyone lacking the specific decryption key. This robust encryption safeguarded critical information including npm tokens, GitHub credentials, AWS, Azure, and GCP secrets, Kubernetes tokens, and even browser passwords, ensuring only TeamPCP could access the valuable payload.

Forensic analysis quickly linked the Mini Shai-Hulud campaign to the notorious TeamPCP hacking group. Investigators established attribution through the discovery of shared infrastructure, specifically identical RSA public keys employed across multiple attack vectors. This consistent digital fingerprint connected the SAP incident to previous high-profile compromises, including the Bitwarden CLI attack, solidifying TeamPCP's pattern of targeting developer environments for credential harvesting and supply chain exploitation.

The malware also incorporated a geographic evasion technique, performing a system check for the Russian language. If detected, the payload would terminate its exfiltration process, effectively preventing data theft from Russian-speaking systems. This operational security measure, common among certain threat actors, highlights the specific geopolitical considerations underpinning TeamPCP's campaigns, even as they broadly targeted global enterprise development pipelines and AI coding agent configurations for persistence.

The SAP incident, while a stark warning, represented only one high-profile facet of a far more ambitious and coordinated campaign. Attributed to the prolific hacking group TeamPCP, the "Mini Shai-Hulud" operation cast a wide net, systematically targeting developers across multiple ecosystems. This was not an isolated exploit, but a sophisticated, multi-platform credential harvesting effort designed for maximum impact.

Beyond the compromised SAP Cloud Application Programming (CAP) packages, TeamPCP simultaneously unleashed their digital worm on other critical software supply chains. Notable targets included the popular Lightning Python package on PyPI and the `intercom-client` npm package, demonstrating the group's versatility and broad reach. Their consistent methodology across these platforms involved injecting malicious `pre-install` scripts, which then downloaded and executed a massive, obfuscated payload.

This expansive campaign ultimately impacted over 1,800 developers across PyPI, npm, and PHP ecosystems, far exceeding the immediate scope of the SAP breach. The attackers meticulously designed Mini Shai-Hulud to steal a comprehensive array of sensitive information. This included critical developer assets such as npm tokens, GitHub credentials, AWS, Azure, and GCP secrets, Kubernetes tokens, GitHub Actions secrets, and even browser passwords. The malware also targeted AI coding agent configurations for potential persistence.

Exfiltration tactics remained consistent across all targeted platforms, leveraging the creation of public GitHub repositories. These repositories, identifiable by the distinct description "A Mini Shai-Hulud has Appeared," served as a digital breadcrumb trail for the encrypted, stolen data. While the SAP packages were poisoned for a brief two to four hours, the broader TeamPCP campaign showcased a sustained, multi-vector assault on developer infrastructure, highlighting the growing sophistication of supply chain vulnerabilities beyond a single vendor.

Package manager lifecycle scripts, such as `pre-install` and `post-install`, present a profound security challenge in contemporary software development. These scripts execute automatically during dependency installation, often before developers can inspect the package's underlying code or verify its integrity. The attack on SAP epitomizes this vulnerability: a cunningly crafted `pre-install` script embedded within poisoned `@cap-js` packages served as the initial trigger, unleashing the full "Mini Shai-Hulud" payload. This mechanism bypassed traditional security checks, allowing the malware to gain immediate execution.

Developers operate within an exploited trust model when integrating external packages via tools like npm. They implicitly assume that downloaded dependencies, even those from less scrutinized sources or community contributions, will not harbor malicious intent. This inherent trust extends directly to the automated execution of lifecycle scripts, creating a critical blind spot for security. Attackers leverage this by strategically poisoning widely used or essential dependencies, knowing their malicious code will automatically propagate across countless `npm install` operations without requiring user interaction beyond the initial command.

A core enabler of such attacks is the permissions issue: these lifecycle scripts execute with the exact same privileges as the user initiating the `npm install` command. This grants them extensive, often unrestricted, access to sensitive files on the local machine, environment variables, and network resources. The "Mini Shai-Hulud" malware ruthlessly exploited this power, systematically harvesting a vast array of critical credentials from affected systems. This included: - npm tokens - GitHub credentials - AWS, Azure, and GCP secrets - Kubernetes tokens - GitHub Actions secrets - Browser passwords

This profound level of access transforms a single compromised dependency into a gateway capable of breaching an organization's entire cloud infrastructure and developer ecosystem. The sophisticated attack on SAP, identified as part of a broader campaign by the TeamPCP hacking group, underscores the urgent imperative to fundamentally re-evaluate package security protocols. For a deeper dive into the wider scope and attribution of this campaign, explore the TeamPCP-Linked Supply Chain Attack Hits SAP CAP and Cloud MTA npm Packages. Ignoring the inherent risks associated with automated script execution is no longer a viable strategy for any development team.

Suspect a compromise? Act immediately. Mini Shai-Hulud operates with stealth, but leaves digital breadcrumbs that demand a swift, decisive response. Your development environment's integrity—and your organization’s cloud security—depends on it.

First, run npm audit within your project directory. This command identifies known vulnerabilities in your dependencies. Next, execute `npm ls` against specific packages if you used them, checking for compromised versions like `@cap-js/sqlite@2.2.2`, `@cap-js/postgres@2.2.2`, `@cap-js/db-service@2.10.1`, or `mbt@1.2.48`.

Detecting any of these malicious versions, or indeed any suspicious package, demands an immediate, aggressive response. Treat it as a confirmed breach, not merely a potential threat, given the malware’s capabilities.

Your top priority becomes rotate ALL secrets. Mini Shai-Hulud actively harvested a wide array of credentials, making a comprehensive rotation essential to neutralize any stolen access tokens or keys.

This includes critical developer and cloud platform access: - npm tokens - GitHub credentials (personal access tokens, SSH keys) - AWS, Azure, and GCP secrets - Kubernetes tokens - GitHub Actions secrets - Browser passwords - AI coding agent configurations

After neutralizing access, perform a thorough cleanup. Delete your `node_modules` directory and the `package-lock.json` or `yarn.lock` file. Reinstall all dependencies from a known-good source to ensure a clean, uncompromised environment.

Crucially, enable multi-factor authentication (2FA) on every service that supports it. Additionally, implement strict, short expiration policies for all API tokens and access keys, drastically limiting future exposure windows.

Vigilance remains your strongest defense against evolving supply chain attacks. This checklist provides immediate steps, but continuous security practices are paramount.

The Mini Shai-Hulud campaign served as a stark reminder: reactive security measures are no longer sufficient. Organizations must transition from incident response to a proactive, layered defense strategy, embedding security deep within their development and deployment workflows. This long-term commitment to hygiene fortifies the entire software supply chain.

A critical first line of defense involves modifying how build pipelines consume dependencies. Adopt `npm ci --ignore-scripts` as a default command within your CI/CD pipelines. This robust flag prevents the execution of arbitrary lifecycle scripts, including malicious `pre-install` or `post-install` hooks, effectively neutralizing the primary vector of the Mini Shai-Hulud attack. `npm ci` also ensures clean, repeatable builds.

Beyond disabling script execution, strict dependency management is paramount. Pin exact dependency versions using a `package-lock.json` or `yarn.lock` file and commit it to version control. This practice, known as dependency locking, guarantees that your builds consistently use verified package versions, preventing silent, malicious updates from entering your codebase.

Continuous monitoring for suspicious activity across your package ecosystem is equally vital. Implement automated tools to scan for unexpected changes in package maintainers, sudden version bumps, or unusual network requests during builds. Given the SAP compromise window was only 2-4 hours, rapid detection capabilities are non-negotiable for mitigating similar swift attacks.

Finally, enhance the security of your package publishing process itself. Embrace OIDC Trusted Publisher for securely publishing packages to registries like npm. This modern approach eliminates the need for long-lived, static authentication tokens, replacing them with short-lived, ephemeral credentials tied to your CI/CD environment. It directly mitigates the risk of credential theft, a core objective of the Mini Shai-Hulud malware.

These practices collectively build a resilient barrier against sophisticated supply chain threats. As attacks like Mini Shai-Hulud, which impacted over 1,800 developers across multiple ecosystems, continue to escalate in frequency and cunning, embedding robust security hygiene into every stage of the development lifecycle is no longer optional; it is foundational.

The Mini Shai-Hulud campaign targeting SAP represents just one facet of a rapidly evolving threat landscape. Supply chain attacks have escalated dramatically, moving beyond simple package compromises to sophisticated, state-sponsored operations. These incidents highlight how trust in the software ecosystem can be weaponized, turning foundational development tools into vectors for espionage, intellectual property theft, or critical infrastructure disruption.

North Korean state actors, widely recognized as the Lazarus Group, recently demonstrated this escalating danger by compromising Axios. Attackers gained unauthorized access to a software maintainer’s account, then injected malicious code into a legitimate npm package. This allowed for the stealthy deployment of a sophisticated Remote Access Trojan (RAT), enabling persistent surveillance, data exfiltration, and control over infected systems for extended periods.

Such breaches underscore a pervasive vulnerability: a single compromised credential or developer account can trigger a cascading supply chain event. From the SolarWinds compromise, impacting U.S. government agencies, to the recent XZ Utils backdoor that nearly infiltrated critical Linux systems, adversaries consistently target the weakest links. Organizations must recognize the systemic, interconnected nature of these threats, extending beyond their immediate perimeters.

Crucially, the Mini Shai-Hulud campaign introduced an alarming new vector: the direct targeting of AI coding agent configurations. Attackers specifically sought out settings for popular large language model tools like Claude Code, aiming to embed persistent malicious instructions or subtly alter their operational parameters. This novel approach not only ensures long-term stealth but also dramatically expands the potential for automated propagation across development environments.

By poisoning an AI agent's environment, attackers gain unprecedented control. They could manipulate auto-generated code suggestions, subtly introduce backdoors into new projects, or even automate the harvesting of sensitive credentials directly within developer workflows. Imagine an AI assistant, trusted by developers, unknowingly injecting malicious dependencies or altering security configurations, all without direct human intervention or suspicion.

This convergence of state-sponsored espionage, highly sophisticated malware, and the emerging threat of AI agent manipulation demands immediate and proactive defense strategies. The industry faces an imperative to secure every layer of the software supply chain, from initial code commits to final deployment. Understanding these evolving, multi-faceted tactics is paramount for safeguarding digital infrastructure against future, more complex, attacks. For a deeper dive into the specifics of the SAP incident, read Emerging Supply Chain Attack ("Mini Shai-Hulud") Targeting SAP Cloud Application Programming Ecosystem.

Mini Shai-Hulud's attack on SAP, compromising developer credentials and cloud secrets for over 1,800 developers across PyPi, npm, and PHP ecosystems, serves as a chilling reminder. Software supply chain attacks are not just increasing; they are growing in sophistication and impact. Attackers like TeamPCP exploit brief windows, as short as two to four hours, deploying Bun-powered payloads to harvest an alarming array of sensitive data. This includes npm tokens, GitHub credentials, AWS, Azure, and GCP secrets, alongside Kubernetes and GitHub Actions secrets, and even browser passwords. The clever exfiltration via public GitHub repositories with the description "A Mini Shai-Hulud has Appeared" exemplifies this ingenuity.

Winning this escalating supply chain war demands a collective defense. Security is not a siloed responsibility; it involves every stakeholder from individual developers to major platform providers. Package maintainers must fortify their projects with multi-factor authentication, secure development practices, and rigorous dependency scanning. Their vigilance against account compromise directly protects thousands. Platform providers, including npm and GitHub, must continuously enhance ecosystem security, offering advanced integrity checks, robust vulnerability scanning, and swift incident response mechanisms. Their ability to detect and supersede poisoned packages, as npm did for SAP within hours, is foundational to fostering trust.

Developers, the ultimate consumers of these open-source building blocks, must adopt a profoundly skeptical mindset. Blindly executing `npm install` is a relic of a less hostile era. Embrace a security-first approach to dependencies by: - Pinning exact dependency versions. - Running `npm audit` and `npm ls` religiously. - Understanding and scrutinizing package lifecycle scripts (`pre-install`, `post-install`). - Enabling `--ignore-scripts` in CI/CD environments where appropriate. - Proactively monitoring dependency changes before integration.

Contribute to a safer ecosystem by reporting anomalies, participating in open-source security initiatives, and championing stronger default security postures across your organizations. The integrity of our digital infrastructure depends on this shared, unwavering commitment to a more secure future.

What was the 'Mini Shai-Hulud' npm attack?

It was a supply chain attack on April 29, 2026, where malicious code was injected into four official SAP CAP npm packages. This code, executed via a pre-install script, was designed to steal developer credentials and cloud secrets from AWS, Azure, GCP, and GitHub.

How can I check if I was affected by this specific attack?

Run `npm audit` and `npm ls @cap-js/sqlite @cap-js/postgres @cap-js/db-service mbt` to check for the compromised versions. Also, search your machine and GitHub account for repositories or files named 'Mini Shai-Hulud,' which was the exfiltration signature.

What is the most effective way to prevent such npm attacks?

A multi-layered approach is best. Use `npm install --ignore-scripts` or `npm ci --ignore-scripts` in CI/CD, pin exact dependency versions, regularly audit your dependencies, and enforce security policies like two-factor authentication (2FA) and short-lived tokens for all developer services.

Why are pre-install scripts so dangerous?

Pre-install scripts are dangerous because they execute automatically with the full permissions of the user running `npm install`. This allows attackers to run arbitrary code on a developer's machine before the package's actual code is even used, making them an ideal vector for malware.