SAP npm Packages Poisoned in Supply Chain Attack

A new supply chain attack is targeting the SAP developer ecosystem through compromised npm packages. According to recent reports, the campaign employs a malicious worm dubbed "Mini Shai-Hulud," which operates stealthily before any npm install command finishes. The worm exfiltrates credentials from developer machines, cloud platforms, and AI coding tools.
Attack Details
The attack compromised four official SAP-published npm packages, among them mbt, @cap-js/sqlite and @cap-js/postgres. The malicious worm activates during the installation process, extracting sensitive data such as GitHub tokens, cloud service credentials, and API keys for AI coding assistants.
Implications
This incident highlights the growing threat of supply chain attacks targeting widely used development tools. Developers using these packages are advised to immediately rotate any credentials stored on affected systems and audit their npm package integrity.