A Mini Shai-Hulud Has Appeared: Obfuscated Bun Runtime Payloads Hit SAP-Related npm Packages
StepSecurity identified an npm supply chain attack campaign targeting SAP-ecosystem packages using preinstall hooks to download and execute an obfuscated Bun runtime payload. At least two SAP-related npm packages have been confirmed compromised in this active campaign.
- Disclosed: May 4, 2026
- Last updated: June 7, 2026
- Blast radius: SAP ecosystem; npm-dependent applications
- Ecosystems: npm
- Attack vectors: malicious npm preinstall hook that downloads the Bun runtime and executes an obfuscated payload
- Affected entities: SAP-related npm packages (at least two packages confirmed compromised)
StepSecurity has detected an active npm supply chain attack campaign that abuses preinstall hooks in npm packages. A preinstall script is an ordinary npm lifecycle script: it runs automatically, with the privileges of the installing user, whenever `npm install` resolves the package, unless install scripts have been disabled. In this campaign the hook downloads the Bun JavaScript runtime and uses it to execute an 11 MB obfuscated payload during package installation.
The campaign has specifically targeted packages in the SAP ecosystem, with at least two SAP-related npm packages confirmed as compromised so far. Obfuscating the payload and fetching the runtime at install time both make static inspection of the published package harder, which suggests an attempt to evade static detection and analysis tools.
Because the hook fires on installation, it executes arbitrary code on every developer machine and build system that installs an affected version, whether the package was added directly or pulled in as a transitive dependency, so downstream consumers of these packages are exposed as well.
Indicators of compromise
- Packages
- <UNKNOWN>
Remediation
- Audit the install-time lifecycle scripts (preinstall, install, postinstall) of installed packages, in particular any command that fetches a file over the network or invokes bun.
- Pin SAP-related npm dependencies to reviewed versions and update to clean releases once the maintainers publish them.
- Inspect node_modules, the npm cache and temporary directories for Bun binaries that nobody installed deliberately. package-lock.json does not record files fetched by an install script, so use the lockfile only to establish which package versions were installed and when.
- Monitor for and block execution of unverified Bun runtime binaries in build and development environments, for example through application allowlisting or EDR rules.
- Install from a reviewed lockfile with `npm ci` so that the recorded integrity hashes are verified, and set `ignore-scripts=true` in .npmrc (or pass `--ignore-scripts`) in CI pipelines where no package legitimately needs install scripts. Keep `npm audit` enabled, but note that it only reports packages once an advisory exists.
- Check CI logs and package-manager logs to find every host that installed an affected version. Because the hook runs arbitrary code as the installing user, treat such hosts as compromised: rotate credentials and tokens reachable from them (npm tokens, cloud and CI secrets, SSH keys) from a clean machine.
Sources
Cite this entry
"A Mini Shai-Hulud Has Appeared: Obfuscated Bun Runtime Payloads Hit SAP-Related npm Packages." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed May 4, 2026; last updated June 7, 2026. https://supplychainattack.org/incident/a-mini-shai-hulud-has-appeared-obfuscated-bun-runtime-payloads-hit-sap-related-n-1ec9xf
Related incidents
- Malware in @doaction/auth (npm; compromised package; active, critical): Malware discovered in the npm package @doaction/auth. Systems with this package installed are considered fully compromised and require immediate remediation.
- Malware in @doaction/shared (npm; compromised package; contained, critical): Malware was discovered in the npm package @doaction/shared. Systems with this package installed are considered fully compromised and require immediate remediation.
- Malware in transacts (npm; compromised package; contained, critical): The npm package transacts was found to contain malware, resulting in full system compromise of any computer with the package installed or running. All secrets and keys should be rotated immediately from a different computer, and the package should be removed.
- Malware in buffer-utilities (npm; compromised package; contained, critical): Malware was discovered in the npm package buffer-utilities, resulting in full system compromise for any installation. The package should be removed immediately and all secrets and keys rotated from a clean system.