Jiniads
2026-05-01
Cybersecurity

10 Critical Facts About the SAP npm Credential-Stealing Attack

Learn about the Mini Shai-Hulud supply chain attack on SAP npm packages stealing credentials, plus detection, mitigation, and lessons for developers.

Security researchers have uncovered a supply chain attack campaign targeting SAP-related npm packages. Dubbed Mini Shai-Hulud, the operation inserted credential-stealing code into Node.js packages used in SAP ecosystems. Reported by firms including Aikido Security, Onapsis, OX Security, SafeDep, Socket, StepSecurity, and Google-owned Wiz, the attack illustrates the risk that open-source dependencies carry into enterprise environments. Below are ten facts you need to know about the compromise and how to protect your organization.

1. What Is the Mini Shai-Hulud Campaign?

The Mini Shai-Hulud campaign is a supply chain attack that targets npm packages associated with SAP systems. Rather than relying on look-alike names, the attackers published malicious versions of legitimate, widely used SAP-related modules that carry credential-stealing code, so any project that picked up one of those versions was exposed. Security researchers from several organizations collaborated to expose the attack, calling it a wake-up call for the SAP community. The name echoes the earlier Shai-Hulud npm worm campaigns, which in turn took their name from the sandworms of the Dune universe; the "Mini" prefix marks this as a smaller-scale successor. The campaign's aim is to steal login credentials, API keys, and other secrets from developers and build systems that install the compromised packages.


2. Which Packages Were Compromised?

Several SAP-related npm packages were affected. While the full list continues to be analyzed, known affected packages include libraries for the SAP Cloud SDK, SAP UI5 tooling, and other integration modules; advisories name sap-cloud-sdk and @sap/cds related packages, and further variants may exist. Because the malicious code shipped in versions of real packages rather than in typo-squatted look-alikes, a name check alone is not enough: organizations should read the exact versions recorded in package-lock.json or yarn.lock and compare them against the affected-version lists in the vendor advisories. A consolidated inventory of tainted package versions is maintained by the firms involved in the discovery, and scanners such as Socket flag them automatically.

3. How Does the Credential-Stealing Malware Work?

Once a compromised version is installed, the malicious code runs during package installation (via an npm lifecycle script) or at runtime when the module is loaded. It harvests environment variables (process.env), configuration and credential files (such as credentials.json), and authentication tokens it finds in those files and variables. The stolen data is sent to attacker-controlled servers over encrypted channels, often disguised as ordinary API calls. Some variants also go after SAP-specific authentication material such as OAuth tokens and password hashes. The code is written to stay quiet: obfuscation and delayed execution keep it below the threshold of conventional antivirus tools. Its goal is credentials that unlock SAP systems, cloud platforms, and CI/CD pipelines.

4. Why Is This Attack Particularly Dangerous?

SAP systems often hold critical business data, including financial records, supply chain information, and employee details. By compromising npm packages used in SAP development, attackers gain a foothold in enterprise environments where those packages run with high trust. The supply chain nature of the attack means that even organizations with sound secure-coding practices can be infected unknowingly through a dependency. The attack also trades on the assumption, common across the open-source ecosystem, that packages from a popular registry are safe. Targeted SAP credentials combined with automated exfiltration make it a potent tool for ransomware groups and state-sponsored espionage.

5. Who Was Behind the Attack?

While attribution is ongoing, the campaign's sophistication suggests a well-resourced group. The operational security used (for example, avoiding reused IP addresses and spreading infrastructure across multiple hosting providers) points to professional cybercriminals or an advanced persistent threat (APT) actor. Researchers have not yet linked Mini Shai-Hulud to any known group, but the focus on SAP systems suggests corporate espionage or financial gain as the motive. Using npm, a registry serving billions of weekly downloads, gives an attacker wide distribution for minimal effort. The attack builds on earlier techniques such as dependency confusion and typo-squatting, but with a more refined credential-stealing payload.

6. How to Detect If Your Environment Is Compromised

Detection involves monitoring for unusual network calls from npm modules, unexpected file modifications, or access to credential stores like SAP Secure Store or OS keychains. Specific indicators include:

  • Unexpected outbound connections to unknown domains on non-standard ports.
  • Install-time lifecycle scripts (preinstall, install, postinstall) in a dependency's package.json that were absent from earlier versions of the same package.
  • Presence of hidden files or obfuscated JavaScript in node_modules.
  • Alert logs from security tools like Socket or Snyk flagging known malicious package versions.

Run npm audit, but remember that it reports only packages with a published advisory; also list the versions actually installed (npm ls) and compare them with the affected-version lists and publish dates in the advisories. Review your dependency tree for any package claiming to be SAP-related but published outside the official @sap scope.


7. Mitigation Steps for Developers and Enterprises

Organizations should take immediate action:

  1. Audit dependencies: scan with npm audit, Snyk, or Socket for known malicious package versions.
  2. Use lockfiles and npm ci: pin exact versions, and let npm ci reject any tarball whose SRI (sha512) integrity hash differs from the one recorded in the lockfile.
  3. Rotate credentials: treat every password, API key, npm token, and OAuth token that was present on a machine or build agent that installed an affected version as exposed, and reset it.
  4. Enable multi-factor authentication (MFA) for all SAP and cloud accounts.
  5. Implement runtime protection: use security agents that monitor module behavior.
  6. Update packages: move to versions the maintainers have confirmed clean, from the official SAP npm scopes.

Additionally, consider a private npm registry or mirror with an allow-list of approved packages, and set ignore-scripts=true in .npmrc for CI installs so that install-time hooks cannot run unnoticed.

8. The Role of Security Researchers and Industry Response

The discovery was a collaborative effort among multiple security firms, who coordinated disclosure with npm (GitHub) and SAP. The affected versions were removed from the npm registry within hours of notification. The researchers published a joint advisory detailing technical indicators of compromise (IOCs) and mitigation guidance. The incident has renewed discussion of strengthening npm's package verification, for example by requiring signed packages for critical scopes. The SAP Security team also issued a bulletin urging customers to review their Node.js dependencies and to enable enhanced logging for credential access.

9. Broader Implications for the SAP Ecosystem

This attack underscores how exposed the SAP ecosystem is to supply chain threats, especially as more SAP extensions are built with Node.js and npm. Organizations that have adopted SAP BTP (Business Technology Platform, formerly SAP Cloud Platform) are particularly at risk if they pull in unverified community packages. The incident may push SAP to introduce stricter validation for third-party libraries published under its namespace. It also highlights the need for DevSecOps practices that include dependency scanning in the CI/CD pipelines of SAP projects.

10. Lessons Learned and Future Outlook

The Mini Shai-Hulud campaign teaches several important lessons:

  • Trust but verify: Always validate open-source packages before inclusion.
  • Monitor dependencies continuously: Use automated tools that alert on changes in package integrity.
  • Apply the principle of least privilege: Limit credential access to only what's needed.
  • Prepare incident response plans specifically for supply chain attacks.

Looking forward, more attacks on specialized ecosystems such as SAP's are likely. Registry-side hardening and developer education will both be needed to stay ahead of them.

The compromise of SAP-related npm packages is a reminder that supply chain attacks are growing in both sophistication and targeting. Understanding how Mini Shai-Hulud works and putting the defenses above in place lets organizations protect their critical SAP assets from credential theft. Audit your dependencies regularly, treat every install as code execution on your behalf, and work with trusted security partners to keep your software supply chain secure.