Quick Facts
- Category: Cybersecurity
- Published: 2026-05-01 11:46:13
Introduction
In a concerning development for enterprise security, researchers have uncovered a sophisticated supply chain attack targeting npm packages related to SAP systems. Dubbed 'Mini Shai-Hulud,' this campaign leverages compromised packages to steal credentials and other sensitive data. Security teams from Aikido Security, Onapsis, OX Security, SafeDep, Socket, StepSecurity, and Google-owned Wiz have jointly sounded the alarm, urging organizations to scrutinize their dependency chains.

This article explores the attack methodology, affected packages, immediate risks, and long-term mitigation strategies—including how to identify compromised components in your software supply chain.
The Anatomy of the Mini Shai-Hulud Attack
The attackers focused specifically on SAP-related npm packages—a specialized but critical segment of the JavaScript ecosystem. By poisoning these packages with credential-stealing malware, they aimed to infiltrate organizations that rely on SAP for enterprise resource planning (ERP) and other core business functions.
Attack Vector and Payload
The campaign involved malicious code injected into legitimate npm packages. Once installed, the payload executed a sequence of data exfiltration steps, focusing on:
- Environment variables – often containing API keys, database passwords, and cloud service credentials.
- Configuration files – such as .env or config.js, commonly used by SAP integrations.
- Local storage tokens – used for authentication in headless browser or server-side SAP tooling.
The stolen credentials were then sent to an attacker-controlled command-and-control (C2) server. Given the high value of SAP system access, a single compromised credential could lead to financial fraud, data theft, or lateral movement inside corporate networks.
Affected Packages
While the full list of tampered packages is still emerging, researchers identified the following as known compromised components (please note: package names may change; always verify via official security advisories):
- @sap/connector
- sap-api-client
- sap-oauth2
- sap-utils
Why SAP-Focused npm Packages Are a Prime Target
Enterprise environments often mix SAP systems with modern Node.js applications for integration, automation, or user interface components. This hybrid approach increases the attack surface. The Mini Shai-Hulud campaign exploited a combination of factors:
- Low scrutiny – npm packages for niche enterprise functions receive less community verification than general-purpose libraries.
- High privilege – SAP credentials often grant access to financial records, payroll, and supply chain data.
- Automated installs – many organizations use continuous integration pipelines that blindly pull package updates.
As noted by Wiz researchers, the attackers specifically targeted packages that are rarely audited by external security tools, making the attack both effective and difficult to detect.
Industry Response and Coordination
The discovery involved multiple security vendors collaborating to analyze the threat. Researchers from Aikido Security, Onapsis, OX Security, SafeDep, Socket, StepSecurity, and Google Cloud's Wiz contributed to threat intelligence that has been shared with npm maintainers and the public.
Key Findings from Shared Analysis
- Malicious code in install lifecycle scripts: the packages used npm's postinstall hook, so the payload ran automatically during npm install on every developer machine and CI runner that pulled the package, before any application code was executed.
- Obfuscation techniques: The payload was minified and encoded to evade static analysis.
- Delayed execution: Some variants waited hours or days before exfiltrating data, reducing suspicion.
Immediate Actions for Organizations
If your organization uses any of the compromised packages, follow these steps:

Step 1: Audit Your Dependencies
Run npm audit or use a dependency scanner like Socket.dev or Snyk to check for known malicious packages. Note that npm audit only reports versions that already carry a published advisory, so a freshly poisoned release may not appear; compare your lockfile against the package names and versions in the vendors' advisories as well. Look specifically for:
- Packages matching the names above or related to SAP integration.
- Unusual postinstall scripts in your node_modules.
Step 2: Revoke and Rotate Credentials
Assume any SAP credential that may have been accessed is compromised. Rotate API keys, OAuth tokens, and database passwords immediately.
Step 3: Implement Supply Chain Security Best Practices
To prevent future attacks, adopt the following measures:
- Use lockfiles – commit package-lock.json or yarn.lock and install with npm ci in CI so every build uses exactly the resolved versions.
- Pin package versions – avoid wildcards or ^ ranges for critical dependencies.
- Audit install scripts – run installs with --ignore-scripts (or set ignore-scripts=true in .npmrc) so preinstall/postinstall hooks cannot run unreviewed, and allow them only for packages you have inspected.
- Leverage security tools – integrate real-time scanning tools like SafeDep or StepSecurity into your CI/CD pipeline.
Step 4: Monitor for Data Exfiltration
Check proxy, DNS, and egress logs from build agents and developer workstations for unexpected outbound connections to unfamiliar hosts. The Mini Shai-Hulud campaign was observed contacting domains with patterns like *.shaihulud[.]info (noted in threat reports); because some variants delayed exfiltration, review logs from the time of installation onward rather than only the hours around it.
For more detailed technical indicators of compromise (IOCs), refer to the full analysis by Aikido Security.
Long-Term Considerations
This attack underscores a persistent vulnerability in modern software supply chains. As enterprises adopt more open-source components—especially for niche business areas like SAP integration—attackers will continue to target these less-scrutinized packages.
Recommendations for the Future
- Vendor partnership: Organizations should collaborate with cloud security providers like Google's Wiz to monitor for anomalous package behavior.
- Internal audit teams: Dedicated software composition analysis (SCA) teams can review dependency trees before each release.
- Community reporting: If you discover a malicious npm package, report it through the "Report malware" link on the package's npmjs.com page or to npm's security team.
Conclusion
The Mini Shai-Hulud campaign is a stark reminder that supply chain attacks can infiltrate even specialized enterprise ecosystems. By compromising SAP-related npm packages, attackers aimed for high-value credential theft. However, with coordinated industry response and proactive dependency hygiene, organizations can defend against such threats. Stay vigilant, audit your packages, and always question the trustworthiness of third-party code.
For continuous updates on this campaign, follow the official blogs of Onapsis and Socket.