SAP npm Packages Compromised in Mini Shai-Hulud Supply Chain Attack — Browser Passwords Now Targeted
Official SAP npm packages were backdoored on April 29 in the latest Mini Shai-Hulud wave — adding browser credential theft across Chrome, Safari, and Edge to the campaign's existing cloud secret harvesting. Over 1,100 victim repositories confirmed.
Official SAP npm packages were compromised on April 29 in the latest wave of the Mini Shai-Hulud supply chain campaign — credential-stealing malware now targeting browser-stored passwords and cloud secrets from AWS, Azure, GCP, and Kubernetes, with over 1,100 victim repositories confirmed.
WALLDORF, GERMANY / SAN FRANCISCO — Multiple official SAP npm packages were poisoned on April 29, 2026, between 09:55 and 12:14 UTC in what researchers at Wiz, Aikido Security, and The Hacker News confirmed as the latest wave of the Mini Shai-Hulud supply chain campaign — the same TeamPCP-linked operation that previously compromised PyTorch Lightning, LiteLLM, Telnyx, and Checkmarx. The SAP attack introduced a preinstall hook in package.json that executes a loader for the Bun JavaScript runtime, which then runs an encrypted credential harvesting and propagation framework. The malware targets local developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud secrets from AWS, Azure, GCP, and Kubernetes. A new capability not present in prior Mini Shai-Hulud operations: browser credential theft across Chrome, Safari, Edge, Brave, and Chromium. Over 1,100 victim GitHub repositories had been created with the Mini Shai-Hulud signature description by the time of disclosure.
Attack Profile
The Expanding Mini Shai-Hulud Campaign Timeline
TeamPCP has been systematically targeting developer tooling infrastructure since at least March 2026. The campaign began with the Aqua Security Trivy vulnerability scanner (March 19), then LiteLLM (March 24), the Telnyx Python SDK (March 27), Checkmarx KICS and VS Code extensions, and Bitwarden CLI. In April, the group added PyTorch Lightning (April 30) and now SAP npm packages (April 29). Each wave introduces new capabilities: the Telnyx compromise used WAV audio file steganography; the SAP wave adds browser credential theft across five major browsers. The shared RSA public key, Russian locale check, and GitHub repository exfiltration signature with the "Mini Shai-Hulud" description confirm these are all connected operations from the same threat actor. For prior coverage of the PyTorch Lightning wave, see our full analysis here. All supply chain attack coverage is tracked on The CyberSignal.
Why SAP npm Packages Matter
SAP's developer ecosystem is deeply embedded in enterprise environments — SAP software underpins ERP, finance, and supply chain operations at thousands of large corporations globally. Developers building on SAP platforms routinely install npm packages as part of CI/CD pipelines that have privileged access to production systems. A compromised SAP developer machine or CI/CD environment may hold credentials that grant access to systems far more sensitive than a typical developer workstation — SAP production databases, financial processing infrastructure, and enterprise resource planning systems. The choice of SAP as a target in this wave reflects a deliberate escalation in the potential blast radius of the Mini Shai-Hulud campaign.
What to do now
Any developer or CI/CD pipeline that installed SAP npm packages on April 29, 2026 between 09:55 and 12:14 UTC should treat the environment as fully compromised. Immediately rotate all credentials that may have been exposed: GitHub tokens, npm tokens, AWS/Azure/GCP access keys, Kubernetes secrets, and any browser-stored passwords on affected machines. Audit GitHub repositories for unexpected commits with the "Mini Shai-Hulud" description. Review CI/CD pipeline logs for the April 29 window. Check GitHub Actions secrets for any unauthorized access. Report indicators of compromise to Wiz and Aikido Security at their respective disclosure channels.
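As an added triage aid (example code, not from the original article and not from SAP, Wiz or Aikido), the following Python scanner walks an installed node_modules tree and flags install-time lifecycle scripts that reference the Bun runtime, the preinstall-hook pattern described above. The hook list, the Bun regex and the two sample package.json files are assumptions and constructed data; a match is a lead for manual review, not proof of compromise.

```python
import json
import re
import tempfile
from pathlib import Path

# Lifecycle scripts npm runs automatically on `npm install` (assumed list;
# preinstall is the hook named in the SAP compromise).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Heuristic: Bun invoked directly, via bunx, or fetched from its install site.
BUN_PATTERN = re.compile(r"\b(?:bun|bunx)\b|bun\.sh", re.IGNORECASE)


def suspicious_hooks(package_json: dict) -> list[tuple[str, str]]:
    """Return (hook, command) pairs for install-time scripts referencing Bun."""
    scripts = package_json.get("scripts")
    if not isinstance(scripts, dict):
        return []
    return [(h, scripts[h]) for h in INSTALL_HOOKS
            if isinstance(scripts.get(h), str) and BUN_PATTERN.search(scripts[h])]


def scan_tree(root) -> dict[str, list[tuple[str, str]]]:
    """Walk every package.json under root; map package name -> suspicious hooks."""
    results = {}
    for pj in Path(root).rglob("package.json"):
        try:
            data = json.loads(pj.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip rather than abort the audit
        hits = suspicious_hooks(data) if isinstance(data, dict) else []
        if hits:
            results[data.get("name", str(pj))] = hits
    return results


def demo() -> dict[str, list[tuple[str, str]]]:
    """Scan a constructed node_modules tree (sample data, not real packages)."""
    samples = {  # 'bun test' in a test script is not an install hook: not flagged
        "node_modules/benign-native/package.json": {"name": "benign-native",
            "scripts": {"install": "node-gyp rebuild", "test": "bun test"}},
        "node_modules/@example/poisoned/package.json": {"name": "@example/poisoned",
            "scripts": {"preinstall": "node loader.js && bun run ./setup.ts"}},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in samples.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(json.dumps(content), encoding="utf-8")
        return scan_tree(tmp)  # -> {'@example/poisoned': [('preinstall', 'node loader.js && bun run ./setup.ts')]}
```

Run it against a real checkout by calling `scan_tree("path/to/project")`; anything it returns should be compared against the install window and the package's published source before rotating credentials.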
The CyberSignal Analysis
Signal 01 — Official Package Channels Are Now a Proven Attack Surface
Every wave of the Mini Shai-Hulud campaign has compromised official package distribution channels — not fake packages, not typosquats, not look-alike domains. The malicious SAP packages were published to official SAP npm namespaces via compromised maintainer credentials. This is the fundamental threat model shift: the supply chain attack has moved from peripheral packages to the official distribution infrastructure of enterprise software vendors. Developers who verify package integrity by checking that packages come from official namespaces are getting false assurance.
Signal 02 — Browser Credential Theft Exponentially Expands the Blast Radius
Prior Mini Shai-Hulud waves targeted developer-specific credentials — GitHub tokens, npm tokens, cloud API keys. The addition of browser credential theft in the SAP wave dramatically expands what's at risk. Browser-stored passwords on a developer machine may include corporate SSO credentials, banking access, email accounts, and any other site where the developer has saved passwords in Chrome, Safari, or Edge. A single compromised developer machine now potentially yields full corporate identity access, not just code repository access.
Signal 03 — TeamPCP Is Systematically Mapping the Developer Trust Graph
The Mini Shai-Hulud campaign is not random. Trivy is a security scanner embedded in CI/CD pipelines. LiteLLM is an AI gateway with OpenAI and Anthropic API credentials. Checkmarx is a code security tool. Bitwarden is a password manager. SAP packages touch enterprise production systems. Each target was chosen because it sits at a privileged node in the developer trust graph — tools that are installed automatically, run with elevated permissions, and trusted implicitly. TeamPCP is mapping and exploiting that trust graph systematically, one high-value node at a time.