
10 Critical Lessons from the SAP npm Package Attack for Modern Development Teams

Published 2026-05-03 03:55:12 · Programming

In late April 2025, a sophisticated supply chain attack dubbed “mini Shai-Hulud” targeted SAP-related npm packages, sending shockwaves through the developer community. The campaign exploited configuration gaps and stolen tokens to inject malicious code that harvested credentials, tokens, and secrets from multiple cloud providers. This incident isn't just a warning—it's a blueprint for understanding how vulnerable our development pipelines have become. Below are ten essential takeaways every team must internalize to defend against such threats.

1. The Attack Hit Core SAP Development Packages

The affected packages—mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, and @cap-js/sqlite@2.2.2—are integral to SAP’s JavaScript and cloud application ecosystem. Published on April 29, these malicious versions were quickly replaced with safe releases, but not before the damage was done. The attackers added installation-time code that silently stole developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud credentials from AWS, Azure, GCP, and Kubernetes environments. This demonstrates how a single compromised dependency can cascade into a full-scale credential heist.
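A lockfile check for the four versions named above, as an added example (not code from the article or from SAP). It reads a `package-lock.json` in either the v1 or the v2/v3 layout, flags exact matches, and separately lists other packages whose entry carries `hasInstallScript`, since the malicious code ran at install time. The sample lockfile and the names `demo-app`, `example-addon` and `example-svc` are constructed.

```javascript
// Added example. Version pins are the four releases named in the article.
const COMPROMISED = new Map([
  ["mbt", "1.2.48"], ["@cap-js/db-service", "2.10.1"],
  ["@cap-js/postgres", "2.2.2"], ["@cap-js/sqlite", "2.2.2"],
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
const nameFromPath = (path) => path.split("node_modules/").pop();

// Lockfile v2/v3: flat "packages" map; hasInstallScript marks install hooks.
function* walkPackages(packages) {
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // the root project itself
    yield { name: meta.name || nameFromPath(path), version: meta.version,
            where: path, installScript: meta.hasInstallScript === true };
  }
}

// Lockfile v1: nested "dependencies" tree, no install-script flag recorded.
function* walkDependencies(deps, trail = "") {
  for (const [name, meta] of Object.entries(deps || {})) {
    const where = trail ? `${trail} > ${name}` : name;
    yield { name, version: meta.version, where, installScript: false };
    yield* walkDependencies(meta.dependencies, where);
  }
}

function scanLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const entries = lock.packages ? walkPackages(lock.packages)
                                : walkDependencies(lock.dependencies);
  const findings = { compromised: [], installScripts: [] };
  for (const e of entries) {
    const id = `${e.name}@${e.version}`;
    // has() guards entries without a version (for example workspace links).
    const bad = COMPROMISED.has(e.name) && COMPROMISED.get(e.name) === e.version;
    if (bad) findings.compromised.push(`${id} (${e.where})`);
    else if (e.installScript) findings.installScripts.push(id);
  }
  return findings;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/example-addon": { version: "3.1.0", hasInstallScript: true },
  "node_modules/example-svc/node_modules/@cap-js/sqlite": { version: "2.2.2" },
}});
console.log(scanLockfile(SAMPLE_LOCK));
```

A match in `compromised` means the poisoned release was resolved for that project; the `installScripts` list is only a review queue, not a verdict.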

Source: www.infoworld.com

2. The Malware Used Victim’s Own GitHub Repositories for Data Exfiltration

A particularly devious tactic: encrypted stolen data was sent to public GitHub repositories created from the victim's own accounts. By leveraging legitimate GitHub credentials, the attackers avoided detection from typical egress monitoring. This technique not only exfiltrates sensitive information but also risks implicating the victim in the attack itself. Teams must audit all repositories—especially public ones—for unexpected uploads or activity that could signal a breach.

3. The “Mini Shai-Hulud” Campaign Name Highlights the Sandworm Connection

Researchers from SafeDep, Aikido Security, Wiz, and other firms named the campaign after the giant sandworms from Frank Herbert’s Dune—symbolizing a hidden, sweeping danger. The reference is apt: the attack burrowed deep into the software supply chain, affecting downstream developers who had minimal visibility into their dependencies. Understanding the campaign’s naming underscores its stealthy, persistent nature.

4. The Attack Exploited an npm OIDC Trusted Publishing Gap

SafeDep identified a configuration failure in npm’s OpenID Connect (OIDC) trusted publishing setup for the @cap-js packages. This gap allowed attackers to bypass typical authentication checks and publish poisoned versions. For organizations using OIDC to secure package publishing, this event is a stark reminder to review trust configurations, enforce least-privilege policies, and regularly audit authentication flows. A single misconfiguration can turn a security feature into a vulnerability.

5. Static npm Tokens Remain a Weak Link

The compromise of the mbt package is suspected to have involved a static npm token—a long-standing security risk. Unlike OIDC, which uses short-lived tokens, static tokens can be stolen and reused indefinitely. This highlights the need to phase out static tokens in favor of ephemeral, short-lived credentials such as those OIDC provides. Until then, developers must rotate tokens frequently and monitor for unauthorized usage.

6. Attackers Targeted Developer Workstations and AI Tools

The campaign attempted to persist through configuration files for Visual Studio Code and Claude Code, an AI-assisted coding tool. This technique shifts the attack surface from the CI/CD pipeline to the developer’s own machine—where credentials, tokens, and secrets are often stored. AI coding tools, while boosting productivity, introduce new risks if their configuration or outputs are tampered with. Organizations must extend security monitoring to developer workstations and AI-generated code.


7. CISOs Must Treat Developer Environments as Production Systems

Sakshi Grover, senior research manager at IDC Asia Pacific Cybersecurity Services, noted that attackers now view the developer workstation as “a master key.” The mini Shai-Hulud campaign shows how a tainted dependency can leap from development to production with alarming speed. Yet many enterprises still govern developer environments with lax oversight compared to production. CISOs should apply the same rigorous controls—access reviews, logging, and anomaly detection—to all code-writing and build environments.

8. Stolen Tokens Enabled Further Supply Chain Poisoning

The malware didn’t just exfiltrate data; it also used stolen GitHub and npm tokens to add malicious GitHub Actions workflows to accessible repositories. This allowed the attackers to publish more tainted package versions, expanding the attack’s reach. This self-propagating mechanism amplifies the initial breach. Teams must implement token revocation procedures immediately upon suspicion of compromise and audit workflow changes for unauthorized additions.
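The repository audit from lesson 2 and the workflow audit described above, as an added example that is not part of the original article: two checks over data shaped like GitHub REST API responses. The account name, repository names and SHAs are constructed, and the inventory and reviewed-SHA lists are assumed inputs a team would maintain itself (for instance from its merged pull requests).

```javascript
// Added example. Inputs are constructed; field names follow the GitHub REST
// API (repository: full_name, private, created_at; single-commit response:
// sha, files[].filename, files[].status).
const WORKFLOW_DIR = ".github/workflows/";

// Public repositories created at or after the suspected compromise time that
// are missing from the team's inventory. created_at is set by GitHub, so the
// account holder's client cannot backdate it.
function unexpectedPublicRepos(repos, since, inventory) {
  const cutoff = Date.parse(since);
  const known = new Set(inventory);
  return repos
    .filter((r) => !r.private && Date.parse(r.created_at) >= cutoff)
    .filter((r) => !known.has(r.full_name))
    .map((r) => r.full_name);
}

// Commits that add, modify or rename a file into .github/workflows/ and whose
// SHA is not on the reviewed list. Commit dates are written by the client, so
// the check keys on SHAs rather than on timestamps.
function unreviewedWorkflowChanges(commits, reviewedShas) {
  const reviewed = new Set(reviewedShas);
  const findings = [];
  for (const c of commits) {
    if (reviewed.has(c.sha)) continue;
    const touched = (c.files || [])
      .filter((f) => f.filename.startsWith(WORKFLOW_DIR) && f.status !== "removed")
      .map((f) => `${f.status}:${f.filename}`);
    if (touched.length > 0) findings.push({ sha: c.sha, touched });
  }
  return findings;
}

// Constructed sample data.
const SAMPLE_REPOS = [
  { full_name: "dev-alice/shop-api", private: false, created_at: "2024-01-10T09:00:00Z" },
  { full_name: "dev-alice/scratch", private: true, created_at: "2025-04-29T15:00:00Z" },
  { full_name: "dev-alice/unplanned-upload", private: false, created_at: "2025-04-29T14:02:00Z" },
];
const SAMPLE_COMMITS = [
  { sha: "1111aaa", files: [{ filename: ".github/workflows/ci.yml", status: "modified" }] },
  { sha: "2222bbb", files: [{ filename: ".github/workflows/extra-publish.yml", status: "added" },
                            { filename: "README.md", status: "modified" }] },
  { sha: "3333ccc", files: [{ filename: "docs/guide.md", status: "modified" }] },
];
console.log(unexpectedPublicRepos(SAMPLE_REPOS, "2025-04-29T00:00:00Z", ["dev-alice/shop-api"]));
console.log(unreviewedWorkflowChanges(SAMPLE_COMMITS, ["1111aaa"]));
```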

9. Visibility into Third-Party Dependencies Remains a Major Gap

According to IDC’s Asia Pacific Security Survey 2025, 46% of enterprises plan to deploy AI for third-party and supply chain risk analysis within 12–24 months. For now, many organizations are still planning—meaning current defenses are reactive at best. The mini Shai-Hulud attack underscores the urgent need for real-time dependency monitoring, software bill of materials (SBOM) management, and automated policy enforcement. Waiting for AI to mature isn’t an option.

10. “Living Off the Land” Techniques Demand Behavioral Detection

Sunil Varkey, a cybersecurity analyst, described the campaign as a case of “living off the land”—using legitimate tools and accounts to achieve malicious goals. Since the attackers abused npm’s own publishing mechanisms and GitHub’s infrastructure, traditional signature-based detection often fails. Behavioral analytics, anomaly detection, and zero-trust principles are essential to catch such subtle abuses. This attack proves that supply chain security requires looking beyond malware signatures to how trusted systems are misused.

Conclusion: The SAP npm package attack is more than a headline—it’s a wake-up call for every development team. From OIDC misconfigurations to static token reuse and AI tool vulnerabilities, the lessons are clear: secure the entire software supply chain, from workstation to production. Start implementing changes today. The next “Shai-Hulud” might already be crawling through your dependencies.