On April 29, 2026, four packages from SAP's Cloud Application Programming Model (CAP) toolchain were poisoned in a coordinated supply-chain operation attributed to TeamPCP. The compromised packages, @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt (the Cloud MTA Build Tool), carry roughly 570,000 combined weekly downloads and sit deep inside enterprise SAP CI/CD pipelines. Active exfiltration has been confirmed, with over 1,100 victim repositories already visible on GitHub.

What Happened

Between 09:55 UTC and 12:14 UTC on April 29, 2026, malicious versions of the four CAP toolchain packages were published to the npm registry. Each poisoned package introduced a preinstall hook in package.json that executed setup.mjs, a loader for the Bun JavaScript runtime. Bun was then used to run execution.js, an 11 MB heavily obfuscated second-stage payload responsible for credential theft and self-propagation.

The choice of Bun is a deliberate evasion technique. By bypassing Node.js module resolution entirely, the dropper sidesteps standard dependency-graph analysis and leaves no trace in the typical Node tooling that defenders rely on for software composition analysis.

What Was Taken

The multi-stage payload harvests a wide spectrum of developer and CI/CD credentials, including:

• GitHub personal access tokens and GitHub Actions secrets
• npm publishing credentials
• Cloud provider secrets across AWS, Azure, and GCP
• Kubernetes service account tokens
• Browser-stored passwords from Chrome, Safari, Edge, Brave, and Chromium

The browser credential theft capability is new to this variant and was not present in any prior Shai-Hulud operation, expanding the blast radius from CI infrastructure into individual developer workstations.

Stolen data is encrypted with AES-256-GCM and exfiltrated to public GitHub repositories created on the victim's own account, each tagged with the description "A Mini Shai-Hulud has Appeared." More than 1,100 such repositories are currently visible on GitHub, providing a public counter of confirmed compromises.

Why It Matters

SAP's CAP toolchain is the connective tissue of countless enterprise SAP cloud deployments. Compromise at this layer reaches directly into production cloud infrastructure, build pipelines, and the credentials that govern them. The campaign weaponizes trust at every stage: trusted publishers, trusted runtimes, and trusted developer tools like VS Code.

The persistence mechanism deserves particular attention. For victims running inside GitHub Actions, the malware uses stolen tokens to commit a malicious .vscode/tasks.json directly into the victim's own repositories. Any developer who later clones and opens that repository in VS Code re-triggers the dropper, turning the developer's own trusted toolchain into a recurring infection vector.

Worse, the malware self-propagates: using stolen npm tokens, it identifies other packages under a compromised maintainer's account, injects malicious code, and republishes them automatically. This produces exponential, hands-off spread across the npm ecosystem.

The Attack Technique

Two separate intrusion paths converged on the SAP publishing pipeline:

1. @cap-js packages: A compromised developer account (RoshniNaveenaS) was paired with an OIDC trusted publishing configuration that trusted the cap-js/cds-dbs repository broadly, rather than scoping trust to a specific workflow on a protected branch.
2. mbt: An npm token was likely exposed through a misconfigured CircleCI job, providing direct publish access without requiring account compromise.

The SLSA provenance gap is the smoking gun. The legitimate @cap-js/sqlite v2.2.1 carries npm publish attestations and SLSA provenance metadata; the malicious release does not. Defenders verifying provenance signatures would have flagged the poisoned versions immediately.

What Organizations Should Do

1. Audit and remove any installation of the affected versions of @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt published on April 29, 2026 between 09:55 UTC and 12:14 UTC. Pin known-good versions in lockfiles.
2. Rotate all secrets that may have been present in CI/CD environments where the poisoned packages ran: GitHub tokens, npm credentials, AWS/Azure/GCP keys, Kubernetes tokens, and any GitHub Actions repository or organization secrets.
3. Hunt for indicators in GitHub: search organizational accounts for newly created public repositories tagged "A Mini Shai-Hulud has Appeared" and for unauthorized commits adding .vscode/tasks.json.
4. Enforce SLSA provenance verification in install pipelines, rejecting packages whose attestations do not match expected publishers and workflows.
5. Tighten OIDC trusted publishing scopes from repository-wide to specific workflows on protected branches, and require manual review for any maintainer account changes.
6. Disable lifecycle scripts (--ignore-scripts) in CI builds where feasible, and instruct developers to use npm config set ignore-scripts true on workstations that pull untrusted dependencies.

Sources: Mini Shai-Hulud: SAP's npm Pipeline Poisoned to Drain Enterprise Secrets – TheCyberThrone