Attackers have once again gone after the npm supply chain, this time with a narrow but dangerous aim: packages used by developers in the SAP ecosystem. The campaign, dubbed "Mini Shai-Hulud," is small in the number of packages it touches, but its payload is built to steal tokens and cloud secrets and, through them, to reach corporate environments.
According to an analysis by Aikido, the compromised packages are @cap-js/sqlite (v2.2.2), @cap-js/postgres (v2.2.2), @cap-js/db-service (v2.10.1), and mbt (v1.2.48). A preinstall script was added to each of them, so that npm ran a file named setup.mjs automatically at install time. The packages' existing code was left untouched to keep up appearances; the malicious logic lived in two new files, setup.mjs and execution.js.
The first file, setup.mjs, downloads the Bun 1.3.13 JavaScript runtime from GitHub and uses it to run the second stage. That second stage, execution.js, is a large obfuscated module (11.7 MB) built to harvest credentials from developer workstations and CI/CD servers. It goes after GitHub and npm tokens, environment variables, GitHub Actions secrets, and credentials for AWS, Azure, GCP, and Kubernetes, as well as configuration files for Claude, MCP, Signal, Electrum, and several VPN clients.
One of the more sophisticated parts of the malware is how it handles GitHub Actions. It carries a Python component that locates the Runner.Worker process and reads the runner's memory to extract masked secrets from its internal data structures, so the masking that keeps those values out of job logs offers no protection.
The investigators believe the initial entry point was most likely an npm token stolen during a pull request build in a CircleCI pipeline. On April 29 a short-lived draft PR appeared in the SAP/cloud-mta-build-tool repository with changes to the CI configuration. The branch was later overwritten, but the CircleCI logs still show the Bun downloader, the obfuscated payload, and a test command running with the project's masked secrets, among them the npm and GitHub tokens that made the rest of the attack possible.
For exfiltration the malware uses public GitHub repositories, named after themes from the novel Dune and all carrying the same description: "A Mini Shai-Hulud has Appeared." The stolen data is stored as encrypted JSON, and commit messages carrying the marker "OhNoWhatsGoingOnWithGitHub" contain encoded GitHub tokens.
The report's authors warn that if any of the affected versions made it into a workflow, rotating npm tokens alone is not enough. You should assume that GitHub accounts, cloud services, Kubernetes clusters, CI/CD secrets, and local developer tools are fully compromised, and rotate accordingly. Organizations are urged to check lockfiles, package caches, and CI logs for setup.mjs and execution.js, and to inspect workstations for unexpected downloads of Bun 1.3.13 and for unusual directories such as .claude or .vscode.