Ongoing Supply Chain Attacks Worm Into SAP Npm Packages
Researchers say the malware steals developer secrets, self-propagates and uploads encrypted data to victims’ GitHub accounts, with SAP packages seeing about 572,000 weekly downloads.
- Security researchers discovered that multiple official SAP packages on NPM were compromised by "Mini Shai-Hulud" malware, which attackers used to steal sensitive credentials and authentication tokens from enterprise development systems.
- According to reports by Aikido and Socket, the malicious packages include a `preinstall` script that downloads the Bun JavaScript runtime to execute an obfuscated payload; researchers link the attack to TeamPCP.
- "The malware searches GitHub commits for this string and uses matching commit messages as a token dead-drop," explains Aikido. The payload also scrapes GitHub Actions runner memory for secrets, bypassing CI log masking.
- Security Engineer Adnan Khan reports an NPM token may have been exposed via a misconfigured CircleCI job, allowing the malware to self-propagate by modifying other repositories with identical malicious code.
- According to Socket, this memory scanner is "structurally identical to the one documented in the Bitwarden and Checkmarx incidents," demonstrating a consistent methodology in recent supply-chain threats.
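The reports above describe the entry point as an npm `preinstall` hook that pulls in the Bun runtime and hands it an obfuscated script. The following is an added detection example, not code from any of the cited researchers or from SAP: it scans a `package.json` object for install-time lifecycle hooks that fetch remote content, pull in Bun, pipe into a shell, or decode hidden payloads. The two `package.json` samples are constructed for illustration and do not correspond to any real package.

```javascript
// Added example (not from the reports above): flag npm install-time lifecycle
// hooks that fetch an external runtime or conceal their payload. Pure Node.js,
// no dependencies; run with `node scan-hooks.js` (file name is an assumption).
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Behaviours a defender would not expect from a legitimate install hook.
const INDICATORS = [
  { name: "downloads-remote-content", re: /\b(curl|wget|Invoke-WebRequest|iwr)\b/i },
  { name: "fetches-bun-runtime", re: /bun\.sh|npm\s+(i|install)\s+(-g\s+)?bun\b/i },
  { name: "runs-bun", re: /\bbun\s+(run\s+)?\S+\.js\b/i },
  { name: "pipes-into-shell", re: /\|\s*(ba)?sh\b/ },
  { name: "base64-decoding", re: /base64\s*(-d|--decode)|Buffer\.from\([^)]*['"]base64['"]/i },
  { name: "eval-in-hook", re: /\beval\b/ },
];

// Returns one finding per lifecycle hook whose command matches any indicator,
// listing the indicator names in the order defined above.
function findSuspiciousLifecycleScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const hits = INDICATORS.filter(({ re }) => re.test(cmd)).map(({ name }) => name);
    if (hits.length) findings.push({ hook, command: cmd, indicators: hits });
  }
  return findings;
}

// Constructed sample mimicking the reported pattern: a preinstall hook that
// installs Bun from its public installer and then runs a bundled script with it.
const SUSPICIOUS_PKG = {
  name: "example-compromised-package", // constructed name, not a real package
  version: "1.2.3",
  scripts: {
    preinstall: "curl -fsSL https://bun.sh/install | bash && bun run setup_bun.js",
    test: "jest",
  },
};

// Constructed benign sample: a native-addon rebuild is a normal install hook
// and must not produce a finding.
const BENIGN_PKG = { name: "example-native-addon", scripts: { install: "node-gyp rebuild" } };

console.log(JSON.stringify(findSuspiciousLifecycleScripts(SUSPICIOUS_PKG), null, 2));
console.log("benign findings:", findSuspiciousLifecycleScripts(BENIGN_PKG).length);
```

In practice the same function can be run over every `node_modules/*/package.json` after `npm ci --ignore-scripts`, so hooks are reviewed before they are ever allowed to execute.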
13 Articles
SAP npm Supply Chain Attack Targets Developer Credentials
A supply chain attack targeting SAP npm packages is putting enterprise development environments at risk. Aikido researchers discovered malicious code designed to steal credentials and secrets from developer systems and CI/CD pipelines. The attack “… harvests local developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud secrets from AWS, Azure, GCP, and Kubernetes,” said Raphael Silva, security researcher at Aikido secur…
The Onapsis Research Labs are currently monitoring a targeted supply chain attack on SAP developers and companies using the SAP Cloud Application Programming Model (CAP). The attack campaign called "Mini Shai-Hulud" inserts malicious code into widely used SAP-related JavaScript/npm packages, with the aim of harvesting cloud access credentials, service tokens, and private keys. The attack campaign uses compromised packages as an entry point in development …
TeamPCP infiltrates official SAP npm packages as the Mini Shai-Hulud worm compromises CI/CD systems and exfiltrates cloud secrets via GitHub. The security of the software supply chain was again shaken when several of SAP's official npm packages were reported compromised. Security researchers from Aikido, Socket and Snyk identified a coordinated campaign known as Mini Shai-Hulud. The target of the attack were developers and companies using the SAP Clou…