2026-05-04 09:18:41

10 Critical Lessons from the SAP npm Package Attack for Your CI/CD Pipeline Security

10 lessons from the SAP npm package supply chain attack: compromised packages, data theft, exfiltration methods, and how to protect developer environments and CI/CD pipelines.

In late April 2025, a sophisticated supply chain attack targeting SAP-related npm packages sent shockwaves through the developer community. Dubbed "mini Shai-Hulud" by researchers, this campaign exploited trust in popular development tools and CI/CD workflows to steal credentials, tokens, and secrets at scale. For CISOs and security teams, it's a stark reminder that every dependency, every developer workstation, and every automated pipeline is a potential entry point for attackers. Here are 10 essential takeaways from this incident to help you fortify your software supply chain.

1. The Attack at a Glance: A "Mini Shai-Hulud" Campaign

The attack specifically targeted npm packages used in SAP's JavaScript and cloud application development ecosystem. Malicious versions were published on April 29 and later replaced with safe releases. Researchers from SafeDep, Aikido Security, Wiz, and others identified the campaign as an advanced, multi-stage supply chain compromise that aimed to harvest sensitive data from developer environments and CI/CD pipelines. The name "mini Shai-Hulud" references the sandworm from Dune, symbolizing the hidden danger lurking within trusted digital infrastructure.

Source: www.infoworld.com

2. Affected Packages and Timeline of Compromise

Four specific packages were compromised: mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, and @cap-js/sqlite@2.2.2. These are widely used in SAP's CAP (Cloud Application Programming) model. The malicious versions were uploaded on April 29, 2025, and quickly detected by security researchers. Within hours, the maintainers published clean versions, but the damage could have been extensive if the attack had gone unnoticed longer. The rapid response highlights the importance of continuous monitoring.

3. Stolen Data: Credentials, Tokens, and Cloud Secrets

Once installed, the malware executed at installation time to collect a treasure trove of sensitive information: developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud credentials from AWS, Azure, GCP, and Kubernetes environments. This broad scope meant that a single compromised package could expose an entire organization's cloud infrastructure. The malware was designed to harvest everything in one pass, making it particularly dangerous for enterprises with multi-cloud deployments.

4. Exfiltration via Victims' Own GitHub Repositories

The attackers encrypted the stolen data and exfiltrated it to public GitHub repositories created from the victims' own accounts. This clever technique allowed them to blend in with legitimate activity. Additionally, using stolen GitHub and npm tokens, they added malicious GitHub Actions workflows to accessible repositories and published poisoned package versions. This self-propagating mechanism could have enabled the attack to spread rapidly across the developer ecosystem.

5. Attack Vector: Abuse of npm OIDC Configuration Gaps

For the @cap-js packages, researchers found that the attackers exploited a configuration gap in npm's OpenID Connect (OIDC) trusted publishing setup. This allowed them to publish malicious versions without legitimate credentials. In the case of the mbt package, a static npm token was likely compromised. These vectors underscore the need for robust access controls and careful configuration of trusted publishing mechanisms. Attackers are increasingly focusing on identity and permission gaps.

6. Persistence Through Developer Tools: VS Code and Claude Code

The malware attempted to persist by modifying configuration files for Visual Studio Code and Claude Code, an AI-assisted coding tool. This technique targets developer workstations directly, signaling a shift in supply chain threats toward endpoint compromise. By embedding malicious configuration, attackers could maintain access even after the initial package was removed. It also brings AI-assisted development tools into the security risk equation, a relatively new concern for CISOs.

7. Developer Workstations: The New Master Key

"The fact that the malware was designed to harvest GitHub and npm tokens, GitHub Actions secrets, and cloud credentials from AWS, Azure, GCP, and Kubernetes in a single pass tells you that attackers now treat the developer workstation as a master key," said Sakshi Grover, senior research manager at IDC Asia Pacific Cybersecurity Services. This quote underscores the heightened risk: developers often have extensive permissions to multiple systems, making their machines a high-value target for attackers.

8. Rapid Proliferation: A Tainted Dependency's Reach

For CISOs, this attack demonstrates how quickly a single compromised dependency can cascade through the software supply chain. Within minutes of installation, the malware could push malicious code to other packages, affecting downstream users with little visibility. As Grover notes, a single compromised developer identity in a CI/CD pipeline can give attackers a route into the wider supply chain. This highlights the need for strict dependency vetting and least-privilege policies in CI/CD.

9. The Visibility Gap in Supply Chain Security

Despite the growing threat, many organizations still lack real-time visibility into their supply chain. IDC's Asia Pacific Security Survey 2025 found that 46% of enterprises plan to deploy AI for third-party and supply chain risk analysis within the next one to two years. However, Grover points out that many are still in the planning stage. The mini Shai-Hulud campaign serves as a wake-up call to accelerate these initiatives and operationalize AI-driven defenses against such attacks.

10. Lessons Learned: Strengthening Developer Environment Governance

The attack reveals that developer environments, though central to enterprise software delivery, are not governed with the same rigor as production systems. CISOs must now apply production-level controls to workstations, CI/CD pipelines, and package registries. Recommendations include enforcing multi-factor authentication for all tokens, using short-lived credentials, monitoring OIDC configurations, and scanning for suspicious behavior in developer tools. Continuous education and automated security testing are also crucial to preventing future "mini Shai-Hulud" incidents.

The SAP npm package attack is a powerful example of how supply chain threats are evolving. By understanding these ten critical aspects, your organization can better prepare to defend against similar attacks, ensuring that your developer tools and CI/CD pipelines remain secure, not compromised. Stay vigilant, stay proactive, and treat every dependency as a potential risk.