New Supply Chain Attack Targets SAP npm Libraries with Stealthy Credential Theft

From 3677777, the free encyclopedia of technology

Overview of the Attack

Cybersecurity researchers have uncovered a sophisticated supply chain campaign that specifically aims at SAP-related packages available through the npm registry. Dubbed Mini Shai-Hulud by its operators, the initiative employs credential-stealing malware to compromise developers who unknowingly integrate these libraries into their projects. The discovery was made by a coalition of security firms—including Aikido Security, Onapsis, OX Security, SafeDep, Socket, StepSecurity, and Google-owned Wiz—which have collectively raised alarms about the growing threat.

New Supply Chain Attack Targets SAP npm Libraries with Stealthy Credential Theft
Source: feeds.feedburner.com

The Mechanics of the Mini Shai‑Hulud Campaign

How the Malware Operates

The malicious code embedded in the compromised npm packages is designed to silently harvest credentials from the systems where the packages are installed. Once a developer installs an affected library, the malware can intercept API tokens, database passwords, and other sensitive authentication data. This information is then exfiltrated to command‑and‑control servers operated by the attackers, enabling them to gain unauthorized access to enterprise SAP environments.

Affected npm Packages

While the full list of compromised package names has not been publicly disclosed, researchers confirm that the campaign specifically targeted modules that interact with SAP systems. These packages likely include utilities for SAP integration, authentication helpers, and data connectors. Developers working with SAP landscapes are urged to review their npm dependencies immediately for any suspicious versions.

Response and Mitigation Efforts

Security Researcher Findings

The collective analysis from the seven security firms paints a clear picture of the attack’s sophistication. Aikido Security identified the credential‑stealing payload, while Onapsis and OX Security mapped the campaign’s infrastructure. SafeDep and Socket traced the propagation of the malicious updates, and StepSecurity contributed insights on how the attackers evaded typical npm security checks. Wiz, a cloud security leader, helped validate the wide scale of the compromise by scanning thousands of repositories that depend on SAP‑related packages.

Steps for Developers (see recommendations below)

As a first line of defense, developers should immediately remove any affected packages from their projects and rotate any credentials that may have been exposed. Security teams should also audit their CI/CD pipelines to detect similar intrusion patterns. npm registry staff have been alerted and are working to remove the malicious versions, but due to the nature of supply chain attacks, residual risks may persist.


Recommendations for Protecting Against Supply Chain Attacks

  • Use package integrity checks: Always verify the SHA hashes of downloaded packages against known good values.
  • Enable dependency scanning tools: Integrate solutions like Socket or Snyk into your development workflow to automatically flag suspicious packages.
  • Limit package permissions: Restrict npm packages from accessing system credentials or network resources when not absolutely required.
  • Implement least‑privilege access: Ensure that CI/CD pipelines and development machines run with the minimal privileges needed.
  • Stay informed: Follow security advisories from npm and from the firms involved in this research.

Conclusion

The Mini Shai‑Hulud campaign underlines the persistent threat of supply chain attacks against even niche development ecosystems. SAP‑related npm packages, while not as widely used as mainstream libraries, are a critical entry point for attackers aiming to breach enterprise backends. Developers and security teams must adopt a proactive stance—auditing dependencies, monitoring for unusual behavior, and collaborating with the security community to neutralize threats quickly. Vigilance today can prevent a credential‑theft crisis tomorrow.