Stripgay

Supply Chain Attack on SAP npm Packages Exposes Developer Tool Vulnerabilities

Last updated: 2026-05-03 03:11:28 Intermediate

A sophisticated supply chain attack targeting SAP-related npm packages has once again highlighted the critical vulnerabilities present in developer tools and continuous integration/continuous delivery (CI/CD) pipelines. Dubbed “mini Shai-Hulud” by security researchers, the campaign compromised several widely used packages within SAP’s JavaScript and cloud application development ecosystem, raising urgent security concerns for enterprise development teams worldwide.

The Attack: Infiltration Through npm Packages

On April 29, attackers published malicious versions of four npm packages: mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, and @cap-js/sqlite@2.2.2. These packages are integral to SAP’s Cloud Application Programming (CAP) model and multi-target application development tools. After the breach was detected, legitimate versions replaced the poisoned ones, but not before significant damage occurred.

Source: www.infoworld.com

According to an investigation by security firms including SafeDep, Aikido Security, and Wiz, the malicious code executed during package installation and was designed to harvest sensitive information in a single sweep. The malware targeted developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud credentials from AWS, Azure, Google Cloud Platform (GCP), and Kubernetes environments. Stolen data was encrypted and exfiltrated to public GitHub repositories created from the victims’ own accounts. Furthermore, the attackers leveraged stolen GitHub and npm tokens to inject malicious GitHub Actions workflows into accessible repositories and publish additional poisoned package versions.

SafeDep identified the root cause as a misconfiguration in npm’s OpenID Connect (OIDC) trusted publishing setup for the @cap-js packages. For the mbt package, a static npm token is suspected to have been compromised. This demonstrates how even minor configuration gaps in modern authentication mechanisms can lead to catastrophic supply chain breaches.

Persistence and Workstation Targeting

The campaign went beyond simple credential theft. Attackers attempted to persist within compromised environments by manipulating configuration files for Visual Studio Code and Claude Code, an AI-powered coding assistant. This technique places developer workstations and AI-assisted coding tools directly in the crosshairs of supply chain attacks.

By targeting these configuration files, the attackers could re-establish access after initial cleanup or broaden their foothold across other tools used by the developer. The inclusion of AI coding tools represents an evolution in attack vectors, as these platforms often have elevated permissions and access to repositories, making them attractive targets.

Implications for Enterprise Security Teams and CISOs

For chief information security officers (CISOs), the mini Shai-Hulud campaign serves as a stark reminder of how quickly a single tainted dependency can cascade beyond the build process. The attack underscores a pervasive problem: developer environments, while central to enterprise software delivery, are not governed with the same rigor as production systems.

Sakshi Grover, senior research manager for IDC Asia Pacific Cybersecurity Services, emphasized the gravity of the situation: “The fact that the malware was designed to harvest GitHub and npm tokens, GitHub Actions secrets, and cloud credentials from multiple providers in a single pass tells you that attackers now treat the developer workstation as a master key.”


A single compromised identity within a CI/CD pipeline can give attackers a direct route into the broader software supply chain. Once inside, they can push malicious code into packages that downstream developers install with little visibility into tampering. The lack of transparency remains a major concern, as demonstrated by the 2025 IDC Asia Pacific Security Survey, which found that 46% of enterprises plan to deploy AI for third-party and supply chain risk analysis over the next 12 to 24 months. However, Grover noted that many organizations are still in the planning stage and have yet to operationalize AI-driven defenses against attacks like mini Shai-Hulud.

Cybersecurity analyst Sunil Varkey characterized the campaign as a classic “living off the land” attack, where adversaries exploit legitimate tools and processes already present in the environment to avoid detection. This approach makes it particularly challenging for traditional security controls to identify malicious activity.

Future of Supply Chain Defense: AI and Governance Gaps

The mini Shai-Hulud incident reinforces the need for organizations to implement more comprehensive governance over developer tools and CI/CD pipelines. As attackers increasingly target the software supply chain, enterprises must move beyond planning and deploy practical defenses. The survey data suggests that while AI-driven risk analysis is on the horizon for nearly half of enterprises, immediate actions such as enforcing strict OIDC configurations, rotating static tokens, monitoring GitHub Actions workflows, and auditing developer workstation configurations remain critical.

Furthermore, the attack highlights the growing risk posed by AI-assisted coding tools. These tools, if not properly secured, can become vectors for persistence and lateral movement. Enterprises should treat them with the same security consideration as any other privileged application.

In conclusion, the mini Shai-Hulud supply chain attack serves as a timely warning. Developer environments are no longer just places of creation—they are the front lines of cybersecurity. CISOs must prioritize securing every link in the software supply chain, from package registries to developer workstations, before the next wave of similar campaigns strikes.