Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware
A supply chain campaign dubbed "Mini Shai Hulud" targeted SAP npm packages with malicious versions containing credential-stealing malware. The campaign follows patterns similar to previous Shai-Hulud attacks.
- Disclosed: April 29, 2026
- Last updated: June 7, 2026
- Blast radius: SAP ecosystem and npm users installing malicious packages
- Affected entities: SAP npm packages (specific package names not disclosed in source text)
A coordinated supply chain attack campaign, designated "Mini Shai Hulud," has targeted npm packages associated with SAP. The malicious packages were designed to steal credentials from affected users and systems.
The campaign appears to follow tactics and patterns from previous Shai-Hulud-style operations targeting supply chains. Wiz's analysis detected and documented the malicious npm packages linked to this campaign.
The specific package names, versions, and timeline details are referenced in the full Wiz security report. Organizations using SAP-related npm dependencies should review the detailed analysis for indicators of compromise and remediation guidance.
This incident highlights the continued risk of supply chain attacks targeting major enterprise software providers and their open-source ecosystems.
Remediation
- Review npm package dependencies for SAP-related packages and check for suspicious versions
- Audit supply chain security posture for npm packages using tools recommended by Wiz
- Implement npm package signing verification and integrity checking
- Monitor for lateral movement or credential theft indicators if potentially affected packages were installed
- Follow Wiz's detailed remediation guidance available in their full security report
Cite this entry
"Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed April 29, 2026; last updated June 7, 2026. https://supplychainattack.org/incident/supply-chain-campaign-targets-sap-npm-packages-with-credential-stealing-malware-1ghzqn
Related incidents
- Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp (active, critical)
  A self-replicating worm named Miasma is spreading across the npm registry by injecting malicious code into binding.gyp files, which execute during npm install without requiring package.json script modifications. The attack has already compromised dozens of packages across multiple maintainer accounts and evades conventional security detection.
  Miasma, npm, Compromised package, Malicious commit
- Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack (contained, critical)
  On March 19, 2026, threat actors attributed to "TeamPCP" injected credential-stealing malware into Aqua Security's Trivy scanner and related GitHub Actions. The compromise affected the supply chain of a widely-used container security tool, potentially exposing credentials and secrets in CI/CD environments.
  TeamPCP, Container registry, Other, Compromised package, Malicious commit
- Malware in transportator (active, critical)
  The npm package transportator contains malware that grants full system compromise to attackers. Any computer with this package installed or running should be considered fully compromised and all secrets and keys rotated immediately from a different machine.
  npm, Compromised package
- Malware in vite-react-toolkit (contained, critical)
  The npm package vite-react-toolkit contained malware that provided full system compromise to attackers. Any computer with this package installed should be considered fully compromised and all secrets and keys rotated immediately from a different machine.
  npm, Compromised package