The Malicious Preinstall Script
A fresh supply chain attack is targeting the SAP developer ecosystem with poisoned npm packages. Threat actors published compromised versions of four official SAP packages: mbt, @cap-js/sqlite, @cap-js/postgres, and @cap-js/db-service. The attack leverages a worm called Mini Shai-Hulud that activates before the npm install process finishes. A hidden preinstall script named setup.mjs downloads the Bun JavaScript runtime and executes an 11.7 MB obfuscated payload called execution.js.
How Credentials Are Stolen
The payload runs five credential harvesters simultaneously. First, it scans npmrc files to collect npm tokens and validates them against the npm registry API. Second, it targets GitHub tokens by reading /proc/{pid}/mem on Linux hosts to pull in-memory secrets from GitHub Actions. Third, it sweeps cloud credentials across AWS, Google Cloud, Azure, and Kubernetes. The fourth harvester targets AI coding tools, checking 136 hardcoded paths for settings files in Claude Code, VS Code, and Cursor IDE. Fifth, in CI environments, it sweeps more than 25 platforms including Jenkins, Travis, and Azure Pipelines.
Impact and Defense Measures
All collected data is encrypted with AES-256-GCM and wrapped with the attacker’s RSA-4096 public key before being uploaded to a GitHub dead-drop repository created from the victim’s own stolen account. The detection window was roughly two hours. Developers should uninstall the compromised versions, reinstall with the --ignore-scripts flag, and revoke all secrets from affected hosts. This includes npm tokens, GitHub PATs, AWS IAM keys, Google Cloud service account credentials, Azure client secrets, SSH private keys, and .env file contents.
Source: Cybersecuritynews