A new supply chain attack dubbed “mini Shai Hulud” has compromised four SAP-related npm packages by injecting malicious preinstall scripts that silently execute during dependency installation, targeting developer environments and CI/CD pipelines to steal credentials across GitHub, npm, and major cloud providers.
Security researchers at StepSecurity, Aikido Security, SafeDep, Socket, and Wiz identified that malicious versions of legitimate SAP Cloud Application Programming Model (CAP) ecosystem packages — including @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt — were published with a weaponized preinstall hook inside package.json.
Unlike its predecessor campaigns, this attack employs a novel evasion twist: instead of relying on Node.js to run the payload, the dropper script (setup.mjs) downloads the Bun JavaScript runtime at install time and uses it to execute a heavily obfuscated 11 MB second-stage payload (execution.js).
This architectural choice is intentional: Bun execution patterns are largely outside the detection scope of most static analysis and Node.js-focused security tooling.
Multi-Stage Payload and Credential Theft
Once setup.mjs is triggered, it fetches and launches execution.js, a full-featured credential stealer and self-propagation framework. When deobfuscated, the second-stage payload systematically harvests:
- GitHub tokens and npm credentials from developer workstations
- Cloud provider secrets — AWS, Azure, and GCP environment variables
- Kubernetes tokens and service account credentials
- GitHub Actions secrets, including runtime secrets extracted directly from the runner memory
Stolen data is encrypted and exfiltrated via attacker-controlled public GitHub repositories, following the same exfiltration pattern established by the original Shai-Hulud campaign.
The malware also contains propagation logic: using any stolen npm tokens, it identifies other packages under the compromised maintainer’s account, injects malicious code, and republishes them, enabling exponential, automated spread across the npm ecosystem without actor intervention.
During initialization, the malware performs a targeted geofencing check — inspecting the system’s date/time locale settings and environment language variables for values beginning with 'ru'.
If the system is configured for the Russian language, the malware immediately self-terminates, ensuring no data is exfiltrated from Russian-speaking environments. This deliberate exclusion is a recurring fingerprint across TeamPCP campaigns.
Researchers attribute this campaign to TeamPCP with high confidence, noting multiple overlapping technical signatures with previously documented TeamPCP operations targeting packages such as Trivy, LiteLLM, and Checkmarx KICS. Key attribution indicators include:
- The same __decodeScrambled cipher used to encode secrets before posting to exfiltration repositories
- Identical Russian-language early-exit logic
- Shared dropper (setup.mjs — SHA256: 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34) present across all four packages
- Consistent infrastructure abuse patterns: install-time execution, off-host exfiltration, and canister-backed self-propagation.
Affected Packages and IOCs
| Package | Version | Tarball SHA256 |
|---|---|---|
| @cap-js/postgres | 2.2.2 | 1d9e4ece8e13c8eaf94cb858470d1bd8f81bb58f62583552303774fa1579edee |
| @cap-js/db-service | 2.10.1 | 258257560fe2f1c2cc3924eae40718c829085b52ae3436b4e46d2565f6996271 |
| @cap-js/sqlite | 2.2.2 | a1da198bb4e883d077a0e13351bf2c3acdea10497152292e873d79d4f7420211 |
| mbt | 1.2.48 | 86282ebcd3bebf50f087f2c6b00c62caa667cdcb53558033d85acd39e3d88b41 |
The shared dropper setup.mjs (SHA1: 307d0fa7407d40e67d14e9d5a4c61ac5b4f20431) is present in all four packages.
The execution.js payload for @cap-js/postgres and @cap-js/db-service is identical (SHA256: eb6eb4154b03ec73218727dc643d26f4e14dfda2438112926bb5daf37ae8bcdb).
Organizations using SAP CAP tooling should immediately audit CI/CD pipeline dependencies, rotate any secrets present in affected environments, and block the specific compromised versions listed above.
Defenders should also monitor for unexpected Bun runtime downloads during npm install operations, as this behavior is a novel indicator specific to this campaign. Responsible disclosure has been made to the maintainers of all affected packages.