What the SAP npm Compromise Actually Looks Like
The “Mini Shai-Hulud” attack, published across simultaneous analyses by Aikido, StepSecurity, Sonatype, and Palo Alto Unit 42 in late April and early May 2026, represents the highest-visibility npm supply chain attack since the XZ Utils backdoor of 2024. The mechanism is precise and technically sophisticated.
On April 29, 2026, between 09:55 and 12:14 UTC, malicious versions of four official SAP packages were published to the npm registry. The compromised releases introduced a new package.json preinstall hook that executes “setup.mjs” — a loader for the Bun JavaScript runtime — which in turn runs “execution.js,” the credential stealer and propagation framework. The malware harvests local developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud secrets from AWS, Azure, GCP, and Kubernetes. Data exfiltration uses AES-256-GCM encryption with RSA-4096 public key encapsulation.
The initial attack vector was not a vulnerability in SAP’s systems — it was a compromised developer account. The attacker compromised RoshniNaveenaS’s GitHub account, then modified a GitHub Actions workflow to exchange a GitHub OIDC token for a live npm publish token scoped to @cap-js/sqlite packages. A critical misconfiguration in npm’s trusted publishing configuration trusted any workflow in the cap-js/cds-dbs repository, rather than exclusively the canonical release workflow on the main branch. This is not a theoretical governance gap — it is the specific configuration that allowed 570,000-weekly-download packages to be poisoned within a four-hour window.
The propagation mechanism is what elevates this attack above a simple credential steal. The malware “commits itself into every accessible GitHub repository by injecting a .claude/settings.json file” and “.vscode/tasks.json” for persistence. AI coding agent configuration files — specifically Claude Code’s settings.json — were targeted as persistence vectors, not incidentally, but by design. This marks the first documented case of an npm supply chain attack specifically targeting AI coding agent configurations as a propagation surface. Over 1,100 GitHub repositories displayed the campaign’s signature description “A Mini Shai-Hulud has Appeared,” providing researchers with a rare visible indicator of the blast radius across the global developer ecosystem.
The Three Structural Failures the SAP Attack Exposes
Structural Failure 1: npm’s trusted publishing model creates blast radius disproportionate to access scope
The npm trusted publishing feature was designed to simplify publishing automation — but its implementation grants publish access based on repository-level GitHub Actions authorization rather than workflow-level authorization. The SAP attack exploited this directly: the attacker needed only to compromise a workflow in the target repository (not the main release workflow) to acquire publish tokens for multiple packages. For packages with 570,000 weekly downloads serving as core components of SAP’s Cloud Application Programming Model, the blast radius of a single GitHub OIDC token exchange was global. This is not a flaw that can be remediated by individual developers — it requires npm to implement workflow-level publish authorization rather than repository-level authorization.
Structural Failure 2: AI toolchain configurations are now a persistence and propagation target, not just a convenience
The Mini Shai-Hulud attack’s targeting of .claude/settings.json and .vscode/tasks.json represents a structural shift in supply chain attack scope. AI coding agents have been adopted rapidly by enterprise development teams — Claude Code, GitHub Copilot, and Cursor are now embedded in the development workflows of millions of engineers globally. Attackers have recognized that these configuration files persist across projects, are frequently committed to shared repositories, and provide persistent execution hooks that survive code changes. A poisoned AI coding agent configuration file is not a one-time exploit — it is a repeating execution vector that activates every time the development environment is initialized. Security teams that have not added AI coding agent configuration files to their supply chain security scope are operating with a visibility gap that attackers have already started to fill.
Structural Failure 3: Software supply chain attack volume is growing faster than organizational detection capacity
Cybersecurity Ventures data cited by neuraltrust.ai indicates a 40% increase in supply chain breaches since 2023. The World Economic Forum’s 2024 Global Cybersecurity Outlook found that over 50% of large organizations identify supply chain vulnerabilities as their top cyber resilience barrier — yet most enterprise security frameworks still treat supply chain risk as a procurement and vendor management issue rather than a development pipeline security issue. The TeamPCP actor was responsible for previous Shai-Hulud campaigns compromising over 700 npm packages in late 2025, linked by shared RSA public keys and overlapping encoding routines. Repeat actors operating known TTPs against the same ecosystem for extended periods without triggering automated detection is the operational definition of a detection capacity gap.
Advertisement
What Engineering Leaders Should Do About It
1. Audit npm Trusted Publishing Configurations for Workflow-Level Scope Restrictions
The immediate remediation for the SAP attack class is a configuration audit of npm trusted publishing settings across all packages your organization publishes. The specific question to answer: does your trusted publishing configuration restrict publish authorization to a specific named workflow file and branch (e.g., .github/workflows/release.yml on main), or does it grant publish authorization to any workflow in the repository? The latter is the configuration that TeamPCP exploited. For packages used in production CI/CD pipelines — particularly those with external consumers — workflow-level restriction is the minimum acceptable configuration. Additionally, enable npm package provenance — currently available via npm’s SIGSTORE integration — which allows downstream consumers to verify that a package was built from a specific commit in a specific repository workflow.
2. Add AI Coding Agent Configuration Files to Your Supply Chain Security Monitoring Scope
The .claude/settings.json, .vscode/tasks.json, and equivalent AI coding agent configuration files in your organization’s repositories must be added to your security monitoring scope immediately. These files should be treated with the same scrutiny as shell profile files (.bashrc, .zshrc) and Git hooks — all three are execution surfaces that activate during normal developer workflow without requiring explicit user action. Implement branch protection rules that require code review for any commit modifying AI coding agent configuration files. In CI/CD pipelines, add a step that hashes and verifies AI configuration files against a known-good baseline before allowing pipeline execution. The Mini Shai-Hulud attack demonstrated that these files are now a live attack surface — the security posture for them should match their risk profile.
3. Implement Runtime Secret Scanning in CI/CD Pipelines as a Blocking Check
The Mini Shai-Hulud malware exfiltrated secrets encrypted to a public RSA key and transmitted to GitHub repositories — a data channel that most security monitoring tools would not flag as suspicious since it uses legitimate GitHub API endpoints. Runtime secret scanning in CI/CD pipelines should detect and block environment variables containing patterns consistent with cloud provider tokens (AWS_SECRET_ACCESS_KEY, GOOGLE_APPLICATION_CREDENTIALS patterns, Azure client secrets) from being passed into package installation contexts (npm preinstall, postinstall scripts). Tools such as Trufflehog, GitGuardian, or GitHub’s built-in secret scanning can be configured as blocking gates in the CI pipeline before any external package installation step. The investment: one pipeline configuration change that would have blocked the Mini Shai-Hulud credential exfiltration before a single secret reached the attacker’s repository.
4. Freeze Dependency Versions and Run Dependency Integrity Checks Before Every Build
The SAP attack was published to malicious package versions that differed from the last known-good versions by a preinstall script addition. An engineering team with dependency version pinning and integrity verification enabled would have received an error when the package hash changed. Specifically: pin all direct and transitive npm dependencies using package-lock.json (npm) or yarn.lock (yarn) files with version locking on all levels; run npm audit or equivalent before every CI build; and configure dependency review in GitHub Actions (using actions/dependency-review-action) to alert on new dependencies or version changes that have not been reviewed. None of these controls prevents zero-day supply chain attacks — but they convert the attack from “silent backdoor inserted across 570,000 installations” to “detectable hash mismatch at build time.”
5. Rotate All Secrets Accessible During the Affected Build Period Immediately
For organizations that used the affected SAP packages between April 29 09:55 UTC and the publication of remediated versions, the correct response is immediate secret rotation — not assessment of “whether” the malware ran. The Mini Shai-Hulud malware ran as a preinstall script, which executes automatically during npm install without any user interaction. If the compromised packages were present in your npm install context during the attack window, assume compromise: rotate all GitHub tokens, npm tokens, GitHub Actions secrets, AWS IAM keys, Azure service principal credentials, and GCP service account keys that were accessible in the build environment. Document the rotation in your incident log. Contact your cloud providers’ abuse teams to check for any activity from the affected credentials during the window.
Where This Fits in 2026’s Developer Security Landscape
The Mini Shai-Hulud attack is not an anomaly — it is a milestone. Supply chain attacks targeting the developer toolchain have accelerated from theoretical concern (2021 SolarWinds, 2024 XZ Utils) to weekly operational reality. The Google Gemini CLI remote code execution vulnerability discovered in the same week as the SAP attack — a flaw allowing RCE within CI/CD environments — confirms that AI-integrated development toolchains are now a primary attack surface, not an emerging one.
The structural issue is speed asymmetry: a single compromised developer account can poison a package receiving 570,000 weekly downloads within four hours; the enterprise security response cycle — detection, analysis, remediation, rotation — runs in days to weeks. Closing this gap requires moving security left into the development workflow (SAST in IDEs, dependency pinning at the developer level) rather than relying exclusively on post-build detection. Engineering leaders who have not yet embedded supply chain security into their development pipeline should treat the first half of 2026 as the forcing function that makes deferral no longer acceptable.
Frequently Asked Questions
Which specific SAP packages were compromised in the Mini Shai-Hulud attack?
The four compromised packages were: [email protected], @cap-js/[email protected], @cap-js/[email protected], and @cap-js/[email protected]. These are core components of SAP’s Cloud Application Programming Model (CAP) used by enterprise development teams building cloud applications on SAP’s Business Technology Platform. Patched versions superseding these compromised releases were published within hours; developers should run npm audit and update to the latest patched versions immediately.
Why does the attack target AI coding agent configuration files specifically?
AI coding agent configuration files — .claude/settings.json (Claude Code), .vscode/tasks.json — provide persistent execution hooks that activate automatically when the development environment is initialized. Unlike a one-time exploit that requires re-execution, a poisoned configuration file executes every time a developer opens their project. These files are also frequently committed to shared repositories, making them effective propagation vectors across team members. The attack represents a calculated expansion of supply chain attack scope to include the AI coding infrastructure layer.
How can I verify whether my organization was affected by the Mini Shai-Hulud attack?
Search your GitHub organization’s repositories for any file with the description “A Mini Shai-Hulud has Appeared” — this was the exfiltration repository signature. Audit your CI/CD build logs for any execution of the affected package versions during the April 29 UTC window. Check for unexpected new GitHub repositories or commits in your organization’s namespace. If any affected package version was present in a build environment, treat credentials as compromised and rotate immediately without waiting for forensic confirmation.
Sources & Further Reading
- SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack — The Hacker News
- Ongoing Supply Chain Attacks Worm into SAP npm Packages — The Register
- SAP npm Package Attack Highlights Risks in Developer Tools and CI/CD Pipelines — CSO Online
- AI-Driven Supply Chain Attacks — NeuralTrust
- Supply Chain Attacks, AI Security and Major Breaches Define This Week — eSecurity Planet
🔗 Related Intelligence
AI-Powered Threat Evolution: How Attackers Weaponize Artificial Intelligence in 2026
IBM X-Force 2026: AI-Driven Attacks and Credential Theft Reshape the Threat Landscape
Agentic AI as the New Attack Surface: Securing Autonomous Agents in the Enterprise
MCP Tool Poisoning: The New Attack Vector Hiding Inside AI Agent Workflows
