sap-cap-js - isotope¹³

Incident Summary

SAP CAP Packages Mini Shai-Hulud

Mini Shai-Hulud compromised SAP ecosystem npm packages mbt, @cap-js/sqlite, @cap-js/postgres, and @cap-js/db-service through two release paths: a stolen static npm token for mbt and an abused GitHub Actions OIDC publishing flow for cap-js/cds-dbs. The malicious releases ran a Bun-based credential stealer, exfiltrated encrypted secrets through attacker-created GitHub repositories, added IDE persistence through Claude Code and VS Code hooks, injected repository-secret stealing workflows, and attempted propagation through stolen npm tokens.

Date: 2026-04-29 to 2026-04-30
Category: Open Source
Target Surface: Package registry
Insertion Phase: CI/CD
Impact: Credential theft
Cause: CI/CD Exploit

What Was Affected

Package sap-cap-js

LanguageJavaScript

ComponentLibrary

Artifact typesource archive

Domain typepackage host

Domain npmjs.com

Repository github.com/cap-js/cds-dbs

Compromised Versions

Incident Context

Motive: Credential Theft
Attribution: Advanced Persistent Threat
Transitive: Yes
User Impact: 570000
Observed Duration: 1 days

Evidence

Compromised Artifacts

Indicators and Changes

Hashes

sha256:4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34
sha256:80a3d2877813968ef847ae73b5eeeb70b9435254e74d7f07d8cf4057f0a710ac
sha256:6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95

Commits

External References

Source Data

Source record: oss/sap-cap-js/meta.yaml