Feed
CriticalPublished 29 Apr 20264 packages · 4 versions

SAP / @cap-js mini-Shai-Hulud campaign

Summary

Mini-Shai-Hulud-style attack against SAP-related npm packages on 2026-04-29 09:55–12:14 UTC. Preinstall setup.mjs downloads the Bun runtime, runs an obfuscated execution.js that exfils GitHub/npm tokens, AWS/Azure/GCP secrets, Kubernetes tokens, and browser passwords via the GitHub GraphQL API. Includes a Russian-locale guardrail and persistence via .claude/ and .vscode/ poisoning.

wormcredential-theftci-cd-compromiseobfuscationprompt-injection
Detected by
Wiz
Also known as
Mini Shai-Hulud Wave 1 · SAP @cap-js wave
Ecosystems
npm
Packages tracked
4

What happened

Wiz disclosed a Mini-Shai-Hulud-style attack against SAP-related npm packages on April 29, 2026, with the live window running 09:55–12:14 UTC. Affected packages include @cap-js/sqlite@2.2.2, @cap-js/postgres@2.2.2, @cap-js/db-service@2.10.1, and mbt@1.2.48 — all components of SAP's Cloud Application Programming toolchain.

Entry-point is a preinstall hook (setup.mjs) that pulls the Bun runtime to a temporary location, then runs an obfuscated execution.js. The exfiltration channel is unusual: rather than POSTing to a custom domain, the payload uses the GitHub GraphQL API with the stolen GitHub token to write the captured secrets into a new private repo under the victim's own account. From the network perspective the traffic is legitimate GitHub API traffic.

Credential targeting is broad: GitHub and npm tokens, AWS / Azure / GCP credentials, Kubernetes service-account tokens, and browser saved passwords from Chrome, Safari, Edge, Brave, and Chromium-based variants. A Russian-locale guardrail (skip if LANG=ru_RU) and persistence via .claude/ and .vscode/ hook poisoning round out the toolkit — the editor poisoning means re-running the assistant or restarting the editor re-executes the payload.

This was the first wave of a two-wave Mini-Shai-Hulud sequence. The second wave on April 30 hit lightning (PyPI), intercom-client (npm), and intercom/intercom-php (Packagist) and is tracked separately as multi-2026-04-30-mini-shai-hulud-wave2. The two campaigns reuse the same Bun-based credential stealer; the operator handles were not publicly named.

Affected packages (4)

  • npm@cap-js/db-service
    2.10.1
  • npm@cap-js/postgres
    2.2.2
  • npm@cap-js/sqlite
    2.2.2
  • npmmbt
    1.2.48

Impact

  • GitHub + npm token theft → onward worm propagation
  • AWS, Azure, GCP, Kubernetes secret exfiltration
  • Browser password harvesting (Chrome, Safari, Edge, Brave, Chromium)
  • Editor poisoning: .claude/ and .vscode/ hooks for re-execution

What to do

  1. 1Remove and reinstall affected versions in a clean environment
  2. 2Rotate GitHub, npm, cloud, and Kubernetes credentials reachable from CI
  3. 3Audit GitHub activity for unexpected commits, repos, or workflow runs
  4. 4Search developer workstations for setup.mjs / execution.js
  5. 5Audit .claude/ and .vscode/ for unexpected hook files

References

npm-2026-04-sap-cap-js