Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware
April 30, 2026, 7:47 a.m.
Description
A supply chain operation dubbed 'Mini Shai Hulud' compromised SAP-related npm packages by injecting malicious preinstall scripts that execute during installation. The campaign leverages multi-stage payloads to harvest developer and CI/CD secrets from GitHub, npm, and major cloud providers, exfiltrating data via attacker-controlled GitHub repositories. Malicious versions of legitimate SAP ecosystem packages execute obfuscated payloads that collect GitHub tokens, npm credentials, cloud secrets from AWS, Azure and GCP, Kubernetes tokens, and GitHub Actions secrets. The malware includes propagation logic to infect additional repositories and features browser credential theft capabilities. It performs language checks to avoid Russian-speaking systems. Attribution points to TeamPCP based on shared RSA public keys and overlapping techniques from previous operations.
Tags
Date
- Created: April 30, 2026, 12:12 a.m.
- Published: April 30, 2026, 12:12 a.m.
- Modified: April 30, 2026, 7:47 a.m.
Indicators
- 258257560fe2f1c2cc3924eae40718c829085b52ae3436b4e46d2565f6996271
- a1da198bb4e883d077a0e13351bf2c3acdea10497152292e873d79d4f7420211
- 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34
- 1d9e4ece8e13c8eaf94cb858470d1bd8f81bb58f62583552303774fa1579edee
- eb6eb4154b03ec73218727dc643d26f4e14dfda2438112926bb5daf37ae8bcdb
- 86282ebcd3bebf50f087f2c6b00c62caa667cdcb53558033d85acd39e3d88b41
- 14eb4ce01dd4307759887ff819359b70d7d9ff709ecde039a5abc1aac325b128
- 80a3d2877813968ef847ae73b5eeeb70b9435254e74d7f07d8cf4057f0a710ac
- 6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95
- 927387d0cfac1118df4b383decc2ea6ba49c9d2f98b47098bcbcba1efc026e1f
Additional Informations
- Technology