SAP CAP packages hit by Mini Shai-Hulud
Mini Shai-Hulud compromised SAP ecosystem npm packages mbt, @cap-js/sqlite, @cap-js/postgres, and @cap-js/db-service through two release paths: a stolen static npm token for mbt and an abused GitHub Actions OIDC publishing flow for cap-js/cds-dbs.
Story
On April 29, 2026, four npm packages from SAP's open-source Cloud Application Programming ecosystem were republished carrying the same credential-stealing loader that researchers at StepSecurity had begun calling Mini Shai-Hulud. SAP's CAP framework is the enterprise software vendor's preferred toolkit for building cloud services on Node.js, so the affected packages sit deep inside customer build pipelines.
The compromised releases were mbt@1.2.48, @cap-js/sqlite@2.2.2, @cap-js/postgres@2.2.2, and @cap-js/db-service@2.10.1. Each shipped a preinstall hook pointing at setup.mjs, which downloaded the Bun JavaScript runtime at version 1.3.13 from GitHub releases and used it to execute an 11.6 MB obfuscated payload named execution.js. The underlying packages continued to work, which kept the install quiet while the payload ran.
The two publish paths differed in instructive ways. The mbt release went out under a stolen static npm automation token belonging to the cloudmtabot account that normally handles that package, StepSecurity said. The three @cap-js releases came through a more elaborate route: a compromised SAP developer account modified the release workflow in cap-js/cds-dbs to exchange a GitHub OIDC token for an npm token through trusted publishing, then ran the publish from a non-main branch. Trusted publishing was meant to eliminate long-lived secrets; here the attacker turned the trust relationship itself into the delivery channel.
Once running, the payload harvested developer and CI secrets, read GitHub Actions runner memory for masked values, created dead-drop GitHub repositories titled "A Mini Shai-Hulud has Appeared" to hold exfiltrated data, and wrote persistence hooks into editor and agent configuration files including .claude/settings.json and .vscode/tasks.json. SAP and the cap-js maintainers pulled the affected versions; @cap-js/postgres was unpublished from npm outright. The shared worm machinery across the wave is tracked under the broader TeamPCP campaign, while this record holds the SAP-specific artifacts.
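As an added example (not code from StepSecurity, SAP or the cap-js project), the check a defender would run against a build: scan an npm lockfile for the four compromised releases named above and flag a package manifest whose preinstall hook resembles the setup.mjs/Bun loader. It assumes the lockfile v2/v3 "packages" layout and uses constructed sample inputs.

```python
"""Audit an npm lockfile and a package manifest for the SAP CAP releases
named in this record. Added example, not code from StepSecurity or SAP."""
import json
import re

# Compromised releases as listed in the record above.
COMPROMISED = {
    "mbt": {"1.2.48"},
    "@cap-js/sqlite": {"2.2.2"},
    "@cap-js/postgres": {"2.2.2"},
    "@cap-js/db-service": {"2.10.1"},
}
# Heuristic for the loader described above: a preinstall hook that runs
# setup.mjs or invokes the Bun runtime (assumption: clean CAP packages do not).
LOADER_HOOK = re.compile(r"setup\.mjs|\bbun\b", re.IGNORECASE)


def find_compromised(lockfile: dict) -> list[str]:
    """Return 'name@version' for lockfile (v2/v3 'packages' map) entries that
    match a compromised release; nested node_modules paths are handled."""
    hits = []
    for path, entry in lockfile.get("packages", {}).items():
        if not path:          # "" is the root project itself
            continue
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        if entry.get("version") in COMPROMISED.get(name, ()):
            hits.append(f"{name}@{entry['version']}")
    return sorted(hits)


def has_loader_hook(manifest: dict) -> bool:
    """True when package.json declares a preinstall script resembling the loader."""
    script = manifest.get("scripts", {}).get("preinstall", "")
    return bool(LOADER_HOOK.search(script))


# Constructed sample inputs for the demonstration (not files from the incident).
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "0.0.1"},
    "node_modules/mbt": {"version": "1.2.48"},
    "node_modules/@cap-js/db-service": {"version": "2.10.0"},
    "node_modules/@sap/cds/node_modules/@cap-js/sqlite": {"version": "2.2.2"}
  }
}""")
SAMPLE_MANIFEST = {"name": "mbt", "version": "1.2.48",
                   "scripts": {"preinstall": "node setup.mjs"}}
```

Running `find_compromised(SAMPLE_LOCK)` reports the two bad releases and ignores the clean @cap-js/db-service@2.10.0; `has_loader_hook(SAMPLE_MANIFEST)` flags the preinstall hook.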
Affected Artifacts
- Package: mbt
  - Observed: 2026-04-29
  - Compromised Versions: 1.2.48
  - Fixed: Not listed
  - Hashes:
    - sha256:4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34
    - sha256:80a3d2877813968ef847ae73b5eeeb70b9435254e74d7f07d8cf4057f0a710ac
  - Clean predecessor identified as mbt@1.2.47. StepSecurity reported mbt was published at 09:55 UTC with a stolen static npm automation token.
- Package: @cap-js/sqlite
  - Observed: 2026-04-29
  - Compromised Versions: 2.2.2
  - Fixed: Not listed
  - Hashes:
    - sha256:4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34
    - sha256:6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95
  - Clean predecessor identified as @cap-js/sqlite@2.2.1. Published through abused OIDC trusted publishing from cap-js/cds-dbs.
- Package: @cap-js/postgres
  - Observed: 2026-04-29 to 2026-04-30
  - Compromised Versions: 2.2.2
  - Fixed: Not listed
  - Hashes:
    - sha256:4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34
  - Clean predecessor identified as @cap-js/postgres@2.2.1. StepSecurity later noted this release was unpublished from npm.
- Package: @cap-js/db-service
  - Observed: 2026-04-29 to 2026-04-30
  - Compromised Versions: 2.10.1
  - Fixed: Not listed
  - Hashes:
    - sha256:4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34
  - Clean predecessor identified as @cap-js/db-service@2.10.0. Published through abused OIDC trusted publishing from cap-js/cds-dbs.
Incident Context
- Motive: Credential Theft
- Attribution: Group
- Cause: CI/CD Exploit
- Transitive: Yes
- Actor: Advanced Persistent Threat
- User Impact: 570000
Indicators
External References
- A Mini Shai-Hulud Has Appeared: Obfuscated Bun Runtime Payloads Hit SAP-Related npm Packages (stepsecurity.io)
- MBT 1.2.48 compromised package (github.com)
- Compromised @cap-js package releases (github.com)
- Monitoring npm Supply Chain Attacks (unit42.paloaltonetworks.com)
Source record: oss/attacks/sap-cap-js/meta.yaml