SAP / @cap-js mini-Shai-Hulud campaign
Mini-Shai-Hulud-style attack against SAP-related npm packages on 2026-04-29 09:55–12:14 UTC. Preinstall setup.mjs downloads the Bun runtime, runs an obfuscated execution.js that exfils GitHub/npm tokens, AWS/Azure/GCP secrets, Kubernetes tokens, and browser passwords via the GitHub GraphQL API. Includes a Russian-locale guardrail and persistence via .claude/ and .vscode/ poisoning.
- Detected by
- Wiz
- Also known as
- Mini Shai-Hulud Wave 1 · SAP @cap-js wave
- Ecosystems
- npm
- Packages tracked
- 4
What happened
Wiz disclosed a Mini-Shai-Hulud-style attack against SAP-related npm packages on April 29, 2026, with the live window running 09:55–12:14 UTC. Affected packages include @cap-js/sqlite@2.2.2, @cap-js/postgres@2.2.2, @cap-js/db-service@2.10.1, and mbt@1.2.48 — all components of SAP's Cloud Application Programming toolchain.
Entry-point is a preinstall hook (setup.mjs) that pulls the Bun runtime to a temporary location, then runs an obfuscated execution.js. The exfiltration channel is unusual: rather than POSTing to a custom domain, the payload uses the GitHub GraphQL API with the stolen GitHub token to write the captured secrets into a new private repo under the victim's own account. From the network perspective the traffic is legitimate GitHub API traffic.
Credential targeting is broad: GitHub and npm tokens, AWS / Azure / GCP credentials, Kubernetes service-account tokens, and browser saved passwords from Chrome, Safari, Edge, Brave, and Chromium-based variants. A Russian-locale guardrail (skip if LANG=ru_RU) and persistence via .claude/ and .vscode/ hook poisoning round out the toolkit — the editor poisoning means re-running the assistant or restarting the editor re-executes the payload.
This was the first wave of a two-wave Mini-Shai-Hulud sequence. The second wave on April 30 hit lightning (PyPI), intercom-client (npm), and intercom/intercom-php (Packagist) and is tracked separately as multi-2026-04-30-mini-shai-hulud-wave2. The two campaigns reuse the same Bun-based credential stealer; the operator handles were not publicly named.
Affected packages (4)
- npm
@cap-js/db-service2.10.1 - npm
@cap-js/postgres2.2.2 - npm
@cap-js/sqlite2.2.2 - npm
mbt1.2.48
Impact
- GitHub + npm token theft → onward worm propagation
- AWS, Azure, GCP, Kubernetes secret exfiltration
- Browser password harvesting (Chrome, Safari, Edge, Brave, Chromium)
- Editor poisoning: .claude/ and .vscode/ hooks for re-execution
What to do
- 1Remove and reinstall affected versions in a clean environment
- 2Rotate GitHub, npm, cloud, and Kubernetes credentials reachable from CI
- 3Audit GitHub activity for unexpected commits, repos, or workflow runs
- 4Search developer workstations for setup.mjs / execution.js
- 5Audit .claude/ and .vscode/ for unexpected hook files