SAP Packages Targeted in Mini Shai-Hulud Supply Chain Attack

The integrity of the modern software development lifecycle has faced one of its most calculated tests following the emergence of a sophisticated supply chain campaign dubbed Mini Shai-Hulud. This malicious operation specifically targeted the npm ecosystem associated with SAP’s JavaScript and cloud application development, highlighting a significant escalation in how threat actors manipulate trusted dependencies. Rather than relying on simple typosquatting or broad-spectrum malware, the attackers executed a surgical strike against packages integral to corporate database services and cloud infrastructure. The incident underscores a shift toward high-value targeting where the goal is not merely system disruption but deep, persistent access to the heart of enterprise development pipelines. By compromising established workflows, the campaign managed to insert itself into the very tools that developers trust most, turning the standard build process into a vector for systemic compromise across numerous organizations.

Anatomy of the Infection and Data Theft

Multi-Stage Execution: The Rise of Bun Runtimes

The campaign initiated its infection sequence through a deceptive preinstall script located within the package.json file of compromised versions like mbt@1.2.48 and several @cap-js components. This script functioned as a runtime bootstrapper that fetched a platform-specific Bun JavaScript runtime ZIP file directly from GitHub Releases, bypassing traditional Node.js execution barriers. Choosing the Bun runtime was a strategic decision by the threat actors, as it allowed for the execution of complex JavaScript logic outside the standard monitoring hooks typically associated with Node.js environments. Once the malware extracted the binary, it immediately triggered the setup.mjs loader to prepare the environment for the final payload deployment. This method demonstrates a refined understanding of developer machine architectures, ensuring that the malicious code could operate efficiently without alerting standard security scanners that are primarily tuned to detect common Node.js-based malware patterns.

After the initial bootstrap phase, the malware used an execution.js file to finalize its grip on the target system while employing several techniques to evade local security restrictions. Specifically, the infection chain was designed to bypass PowerShell execution policies on Windows systems, allowing the script to run with few restrictions even in locked-down environments. The malware also followed insecure HTTP redirects without validating the final destination, a tactic that ensured the payload reached its target even if intermediate nodes were modified. This multi-stage approach allowed the attackers to maintain a high success rate across diverse developer operating systems, from macOS to various Linux distributions. The use of regional evasion tactics, such as checking for Russian locales before proceeding, further suggests a disciplined operation aimed at avoiding specific law enforcement scrutiny while maximizing the impact on global enterprise targets.

Exfiltration Strategy: Repurposing Native Infrastructure

The primary objective of the Mini Shai-Hulud payload was the comprehensive harvesting of sensitive credentials that serve as the keys to a modern enterprise’s kingdom. The malware was engineered to scan the local filesystem and browser databases to extract stored passwords from Chrome, Safari, Edge, Brave, and other Chromium-based browsers. Beyond simple login credentials, the script specifically hunted for high-value platform tokens, including those for GitHub and npm, which allow for further code manipulation and package registry access. Most critically, the malware successfully targeted cloud secrets for major providers such as AWS, Azure, and Google Cloud Platform, along with Kubernetes configuration files and GitHub Actions secrets. This broad scope allowed the attackers to move beyond the initial compromised workstation and begin planning for broader cloud environment infiltration, leveraging the very secrets that are intended to automate and secure the modern deployment process for organizations.

Perhaps the most innovative aspect of the exfiltration process was the rejection of traditional command-and-control servers in favor of repurposing the victim’s own GitHub infrastructure. Stolen data was not sent to an external domain that might be flagged by network security tools; instead, it was encrypted using a robust combination of AES-256-GCM and RSA-4096 before being uploaded. The malware used stolen GitHub tokens to automatically create new public repositories on the victim’s profile, often using the distinctive description “A Mini Shai-Hulud has Appeared” to host the encrypted archives. Over 1,100 such repositories have been identified, illustrating the massive scale of the compromise and the difficulty of detection. By using the victim’s account as the storage node, the attackers effectively hid their trail within legitimate traffic, making it nearly impossible for traditional firewalls or monitoring systems to identify the outbound data flow as a malicious exfiltration attempt.

Advanced Persistence and Root Cause Analysis

Exploiting AI Agents: New Frontiers in Persistence

As developers increasingly integrate artificial intelligence into their daily workflows, the Mini Shai-Hulud campaign adapted by targeting these new tools for long-term persistence. The malware specifically looked for configurations related to AI coding assistants, such as Claude Code, by injecting malicious settings into the .claude/settings.json file. By exploiting the SessionStart hook, the attackers ensured that their malicious logic would be re-triggered every time a developer initiated a session with their AI agent. This approach represents a pioneering move in supply chain attacks, moving beyond traditional startup folders or registry keys into the specialized environment of AI-assisted development. This integration meant that even if a developer performed a clean build or updated their core packages, the persistence mechanism embedded within the AI tool’s configuration could potentially re-infect the environment, creating a cyclical security challenge that is difficult to purge without deep forensic investigation.

The threat actor also targeted Integrated Development Environments by configuring tasks within the .vscode/tasks.json file to run automatically upon opening a project folder. This ensured that simply browsing the source code of an infected repository was enough to execute the malicious payload, further complicating the developer’s ability to safely audit their own work. Beyond local persistence, the malware leveraged stolen npm and GitHub tokens to inject poisoned workflows into other repositories owned by the victim. These malicious GitHub Actions were designed to steal further secrets and publish corrupted versions of additional packages, effectively turning every compromised developer into a vector for horizontal propagation within the software supply chain. This viral behavior allowed the infection to leap from one project to another, demonstrating a level of automation in supply chain attacks that necessitates a fundamental shift in how organizations manage internal repository security and inter-team trust.
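A local audit for the three auto-run hooks this article describes (the package.json preinstall script, the SessionStart hook in .claude/settings.json, and folder-open tasks in .vscode/tasks.json), added here as an illustration and not code from SAP, npm or the original report. The sample files and their commands are constructed placeholders, and the function names are this example's own.

```python
import json
import os

def _claude(doc):  # .claude/settings.json: commands bound to the SessionStart hook
    for group in doc.get("hooks", {}).get("SessionStart", []):
        for hook in group.get("hooks", []):
            yield "claude-sessionstart", str(hook.get("command", ""))

def _vscode(doc):  # .vscode/tasks.json: tasks that run when the folder is opened
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            yield "vscode-folderopen", str(task.get("command", ""))

def _npm(doc):  # package.json: preinstall lifecycle script
    if doc.get("scripts", {}).get("preinstall"):
        yield "npm-preinstall", str(doc["scripts"]["preinstall"])

CHECKS = {".claude/settings.json": _claude, ".vscode/tasks.json": _vscode, "package.json": _npm}

def audit(files):
    """files: (relative_path, text) pairs. Unparseable files (JSONC, odd shape) are flagged."""
    findings = []
    for rel, text in files:
        for suffix, check in CHECKS.items():
            if ("/" + rel).endswith("/" + suffix):
                try:
                    findings.extend((kind, rel, cmd) for kind, cmd in check(json.loads(text)))
                except (ValueError, AttributeError, TypeError):
                    findings.append(("needs-manual-review", rel, ""))
    return sorted(findings)

def read_tree(root):
    """Yield (relative_path, text) for candidate files under root, for audit()."""
    for dirpath, _dirs, names in os.walk(root):
        for name in set(names) & {"settings.json", "tasks.json", "package.json"}:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                yield os.path.relpath(path, root).replace(os.sep, "/"), fh.read()

# Constructed sample inputs; the commands are placeholders, not campaign indicators.
SAMPLE = {
    ".claude/settings.json": '{"hooks": {"SessionStart": [{"hooks": [{"type": "command", "command": "node ./placeholder-a.js"}]}]}}',
    "app/.vscode/tasks.json": '{"tasks": [{"label": "build", "command": "npm run build"}, {"label": "init", "command": "node ./placeholder-b.js", "runOptions": {"runOn": "folderOpen"}}]}',
    "app/node_modules/dep/package.json": '{"name": "dep", "scripts": {"preinstall": "node ./placeholder-c.js"}}',
    "lib/.vscode/tasks.json": '// JSONC comment\n{"tasks": []}',
}

if __name__ == "__main__":
    for finding in audit(SAMPLE.items()):
        print(finding)
```

Run audit(read_tree(path)) against a home directory or a checkout. A needs-manual-review entry means the file did not parse as strict JSON and should be read by hand.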

Breaking the Trust: OIDC and Future Remediation

The root cause of the compromise involving the @cap-js packages was traced back to a specific vulnerability in the implementation of OpenID Connect trusted publishing on npm. While the SAP development team had correctly moved away from long-lived static secrets in favor of OIDC, the configuration policy was set too broadly. It essentially trusted any workflow within the repository to publish packages, rather than restricting that privilege to a specific, canonical release workflow on the main branch. This allowed an attacker with limited access to push a modified workflow to a non-protected branch, request a valid OIDC token from npm, and publish malicious versions with valid provenance metadata. This incident highlights that even modern security protocols like OIDC can be undermined by permissive configurations. Organizations must realize that the shift to passwordless authentication requires a corresponding shift toward the principle of least privilege in defining which specific automated actions are trusted.
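The over-broad trust described above, modeled as an added example (not npm's or SAP's actual configuration format): the policy dictionaries and function names are hypothetical, while repository, ref and workflow_ref are claims that GitHub Actions places in its OIDC tokens. All token values are constructed.

```python
from fnmatch import fnmatchcase

# Claims a publish policy should pin to one exact value each (hypothetical model).
REQUIRED_PINS = ("repository", "workflow_ref", "ref")

REPO = "example-org/example-pkg"  # constructed placeholder repository
WORKFLOW = REPO + "/.github/workflows/release.yml"

# Over-broad: any workflow on any branch of the repository is trusted.
BROAD_POLICY = {"repository": REPO}
# Least privilege: only the release workflow as it exists on main.
STRICT_POLICY = {
    "repository": REPO,
    "workflow_ref": WORKFLOW + "@refs/heads/main",
    "ref": "refs/heads/main",
}

def policy_gaps(policy):
    """Return required claims the policy leaves unpinned or pins with a wildcard."""
    return [c for c in REQUIRED_PINS if not policy.get(c) or "*" in policy[c]]

def token_accepted(policy, claims):
    """True if every claim named in the policy matches the token's value."""
    return all(fnmatchcase(claims.get(c, ""), pattern) for c, pattern in policy.items())

def make_claims(branch):
    """Constructed OIDC claims for a run of release.yml on the given branch."""
    ref = "refs/heads/" + branch
    return {"repository": REPO, "ref": ref, "workflow_ref": WORKFLOW + "@" + ref}

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("strict", STRICT_POLICY)):
        print(name, "gaps:", policy_gaps(policy))
        for branch in ("main", "unprotected-branch"):
            print("  ", branch, "->", token_accepted(policy, make_claims(branch)))
```

The broad policy accepts a token minted from any branch because it never looks at workflow_ref or ref; policy_gaps reports exactly those two claims, and a wildcard pin counts as a gap for the same reason.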

Maintainers acted swiftly to mitigate the threat by releasing patched versions of all affected packages, including sqlite v2.4.0, postgres v2.3.0, and mbt v1.2.49, effectively neutralizing the immediate risk to the ecosystem. To prevent similar future incidents, development teams should implement strict branch protection rules that enforce mandatory code reviews and restrict OIDC publishing permissions exclusively to signed, production-ready branches. Organizations must also audit their local environments for configuration files in hidden directories such as .claude or .vscode, which may harbor persistent threats. The transition to more robust supply chain security involves not only patching known vulnerabilities but also adopting a zero-trust approach toward the tools and automated agents that manage our code. The Mini Shai-Hulud campaign proved that as defenses evolve, so too will the methods of infiltration, making continuous monitoring of both package registries and local developer environments an essential practice for maintaining modern digital security.
