
Credential-Stealing Malware Infects SAP-Focused npm Packages in Targeted Supply Chain Attack

Last updated: 2026-05-01 14:05:46

A coordinated supply chain attack has been identified targeting npm packages associated with SAP enterprise software, deploying credential-stealing malware. Security researchers from multiple firms—including Aikido Security, Onapsis, OX Security, SafeDep, Socket, StepSecurity, and Wiz (owned by Google)—have raised alerts about the campaign, which has been internally dubbed Mini Shai-Hulud.

Overview of the Attack

This campaign specifically compromised packages within the npm registry that are designed to interface with or assist in managing SAP systems. The attackers injected malicious code into these packages, which, when installed or updated, would execute scripts designed to harvest credentials such as usernames, passwords, and API keys from the affected environment. According to the reports, the malware operates stealthily, often exfiltrating stolen data to remote command-and-control servers controlled by the threat actors.

Source: feeds.feedburner.com

How the Malware Works

The malware embedded in the compromised packages typically activates during the installation process using npm lifecycle hooks (e.g., preinstall, postinstall scripts). Once triggered, it performs the following actions:

  • Scans environment variables and configuration files for SAP credentials.
  • Attempts to access running processes to find SAP client configurations.
  • Sends the harvested data to a remote server via HTTP POST requests, often using legitimate-looking endpoints to evade detection.
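The behaviour described above can be turned into a detection check on the defender's side. The following is an added example, not code from the article or from any of the vendors it cites: it walks package manifests, flags any that register install-time lifecycle hooks, and inspects the hooked script for the traits listed (reading environment variables, outbound HTTP, encoded or dynamically executed payloads). All package names, manifests and script bodies are constructed sample data; the scanned script text is inert and is never executed.

```javascript
// Added example, not code from the article or from any vendor it cites.
// Defender-side scanner for install-time lifecycle hooks and the traits the
// report attributes to the malware. Every package below is a constructed
// placeholder; the script text is only matched against patterns, never run.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Each indicator carries a label so a finding explains itself to an analyst.
const INDICATORS = [
  { label: "reads environment variables", re: /process\.env\b/ },
  { label: "outbound HTTP(S) request",
    re: /\b(?:https?\.request|fetch)\s*\(|require\(["'](?:axios|node-fetch)["']\)/ },
  { label: "dynamic code execution", re: /\b(?:eval|new Function)\s*\(/ },
  { label: "long base64-like literal", re: /["'`][A-Za-z0-9+\/=]{120,}["'`]/ },
  { label: "spawns a child process", re: /\bchild_process\b/ },
];

function severity(indicatorCount) {
  if (indicatorCount >= 2) return "high";
  return indicatorCount === 1 ? "medium" : "low";
}

// Inspect one package. `files` maps a script path to its source text and
// stands in for reading node_modules/<pkg>/<file> from disk.
function scanPackage(pkg) {
  const findings = [];
  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (!command) continue;
    // Hooks usually run "node <file>.js"; pull that file's source if we have it.
    const m = /node\s+(\S+\.js)/.exec(command);
    const source = m && pkg.files ? pkg.files[m[1]] || "" : "";
    const indicators = INDICATORS.filter((i) => i.re.test(source)).map((i) => i.label);
    findings.push({
      package: pkg.name, hook, command, indicators, severity: severity(indicators.length),
    });
  }
  return findings;
}

function scanAll(packages) {
  return packages.flatMap(scanPackage);
}

// --- Constructed sample input (inert text; scanned, never executed) ---
const BLOB = "QUJDREVG".repeat(20); // 160 characters of base64 alphabet
const SAMPLE_PACKAGES = [
  {
    name: "sap-helper-example", // placeholder, not a real package
    manifest: { version: "1.0.3", scripts: { postinstall: "node setup.js" } },
    files: {
      "setup.js": [
        'const https = require("https");',
        "const secret = process.env.SAP_API_TOKEN;",
        `const blob = "${BLOB}";`,
        "eval(blob);",
        'https.request({ host: "example.invalid" });',
      ].join("\n"),
    },
  },
  {
    name: "legit-build-tool", // a native addon that legitimately uses a hook
    manifest: { version: "2.1.0", scripts: { install: "node-gyp rebuild" } },
    files: {},
  },
  { name: "plain-lib", manifest: { version: "0.4.0" }, files: {} },
];

for (const f of scanAll(SAMPLE_PACKAGES)) {
  console.log(`${f.severity.toUpperCase()}  ${f.package}  ${f.hook}: "${f.command}"  [${f.indicators.join(", ")}]`);
}
```

A hook on its own is not proof of compromise (native addons use one routinely), which is why the scanner reports severity from the script's content rather than from the hook's presence. In practice the same check belongs in CI before any `npm install` that is allowed to run scripts; npm's own `--ignore-scripts` flag (or `npm config set ignore-scripts true`) blocks lifecycle hooks outright where a project can tolerate that.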

The campaign is notable for its specialization in the SAP ecosystem, indicating that the attackers had a clear target profile: organizations relying on SAP for enterprise resource planning (ERP), finance, supply chain, or human resources.

Affected Packages and Indicators of Compromise

While the full list of compromised npm packages is still being analyzed, early reports indicate that at least a handful of packages were directly affected. Security teams have shared the following indicators of compromise (IoCs) to help organizations check if their environments are at risk:

  • Unexpected network connections to IP addresses associated with the command-and-control infrastructure.
  • Presence of obfuscated JavaScript files in node_modules directories that contain encoded payloads.
  • Unusual npm install or update events that trigger outbound HTTPS requests to suspicious domains.

Organizations using SAP-related npm packages should immediately audit their dependencies and compare them against published IoCs from the security researchers. A list of confirmed malicious package names and versions can be found in the detailed reports from Aikido Security, Onapsis, and Wiz.

Supply Chain Attack Methodology

Supply chain attacks like this one are particularly dangerous because they exploit the trust relationships within software development. Instead of directly targeting an organization's systems, attackers compromise a relatively small but widely used component—in this case, npm packages—and then rely on downstream consumers to install the malware.

The Mini Shai-Hulud campaign appears to have used a combination of:

  • Typosquatting – Creating package names similar to legitimate SAP utilities (e.g., sap-client vs. sap-clients).
  • Dependency confusion – Uploading packages with names that match internal private packages, tricking package managers into fetching the malicious public version.
  • Account takeover – Possibly compromising legitimate package maintainer accounts to push updates containing the malware.
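The first two techniques in that list can be checked for in a project's lockfile. The following is an added example, not code from the article: it reads a constructed package-lock.json (lockfileVersion 3 layout, where `packages` is keyed by `node_modules/<name>`) and applies two checks, a typosquat check that reports installed names within a small edit distance of an allowlisted name, and a dependency-confusion check that reports any package under a scope the organisation owns that was resolved from a registry other than its private one. The scope `@acme`, the registry hosts and the package names are placeholders; `sap-client` / `sap-clients` is the pair the article uses as its illustration.

```javascript
// Added example, not code from the article. Two lockfile checks for the
// typosquatting and dependency-confusion techniques described above. The
// lockfile, allowlist, scope and registry hosts are all constructed placeholders.

// Classic edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Flatten a v3 lockfile into { name, version, resolved, ... } records; nested
// entries ("node_modules/a/node_modules/b") reduce to their leaf name.
function lockfilePackages(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path !== "")
    .map(([path, meta]) => ({
      name: path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length),
      ...meta,
    }));
}

// Installed names that are close to, but not equal to, a known-good name.
function findTyposquats(lock, allowlist, maxDistance = 2) {
  const hits = [];
  for (const pkg of lockfilePackages(lock)) {
    if (allowlist.includes(pkg.name)) continue;
    for (const good of allowlist) {
      const d = levenshtein(pkg.name, good);
      if (d > 0 && d <= maxDistance) hits.push({ name: pkg.name, lookalikeOf: good, distance: d });
    }
  }
  return hits;
}

// Packages under our private scope whose tarball came from anywhere other
// than the private registry: the signature of a dependency-confusion install.
function findDependencyConfusion(lock, privateScope, privateRegistryHost) {
  const hits = [];
  for (const pkg of lockfilePackages(lock)) {
    if (!pkg.name.startsWith(privateScope + "/")) continue;
    let host = null;
    try { host = new URL(pkg.resolved).host; } catch (_) { /* missing or malformed resolved URL */ }
    if (host !== privateRegistryHost) hits.push({ name: pkg.name, resolved: pkg.resolved || null });
  }
  return hits;
}

// --- Constructed sample lockfile ---
const SAMPLE_LOCK = {
  name: "erp-integration", lockfileVersion: 3,
  packages: {
    "": { name: "erp-integration", version: "1.0.0" },
    "node_modules/sap-client": { version: "3.2.0", resolved: "https://registry.npmjs.org/sap-client/-/sap-client-3.2.0.tgz" },
    "node_modules/sap-clients": { version: "1.0.0", resolved: "https://registry.npmjs.org/sap-clients/-/sap-clients-1.0.0.tgz" },
    "node_modules/@acme/sap-connector": { version: "2.0.1", resolved: "https://registry.npmjs.org/@acme/sap-connector/-/sap-connector-2.0.1.tgz" },
    "node_modules/@acme/logger": { version: "0.9.0", resolved: "https://npm.internal.example/@acme/logger/-/logger-0.9.0.tgz" },
    "node_modules/lodash": { version: "4.17.21", resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" },
  },
};
const ALLOWLIST = ["sap-client", "lodash"]; // names the project is known to depend on

console.log("possible typosquats:", findTyposquats(SAMPLE_LOCK, ALLOWLIST));
console.log("scope resolved from public registry:", findDependencyConfusion(SAMPLE_LOCK, "@acme", "npm.internal.example"));
```

The dependency-confusion check only catches what has already been installed; the preventive control is to bind the private scope to the private registry in `.npmrc` (`@acme:registry=https://npm.internal.example/`, with the scope and host replaced by your own) so the public registry is never consulted for those names.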

Impact on Enterprises

The primary risk for organizations using SAP systems is credential theft. With stolen SAP credentials, an attacker can gain unauthorized access to critical business applications, sensitive financial data, and administrative functions. This could lead to:

  • Sabotage of ERP operations
  • Theft of intellectual property
  • Financial fraud
  • Supply chain disruptions

Given SAP's central role in many large enterprises, even a single compromised credential could provide a foothold for lateral movement and deeper attacks.

Mitigation Recommendations

Security teams and developers working with Node.js and SAP should take immediate action to protect their environments:

  1. Audit your dependencies – Run npm audit and check for any packages matching the known IoCs. Remove or update any compromised versions.
  2. Implement package integrity verification – Use lockfiles, whose integrity field records a hash of each package tarball, together with third-party scanners to ensure packages haven't been altered.
  3. Adopt a policy of least privilege – Ensure npm installations run with minimal permissions and that SAP credentials stored in environment variables are restricted.
  4. Monitor for suspicious network traffic – Set up alerts for outbound connections to unknown IPs from build or runtime environments.
  5. Consider using private registries – For enterprise deployments, maintain an internal npm registry with curated, verified packages.

Collaborative Detection Efforts

The swift discovery and disclosure of this campaign highlight the importance of collaboration among security vendors. Aikido Security first flagged the unusual pattern, and other firms quickly cross-referenced their own telemetry. Their combined analysis has helped to identify the scope of the attack and provide timely warnings to the community. Wiz, for its part, leveraged its cloud security platform to trace the infrastructure used by the malware.

Conclusion

The Mini Shai-Hulud campaign is a stark reminder that supply chain attacks continue to evolve, targeting specialized ecosystems like SAP to steal credentials with high business impact. Developers and security teams must remain vigilant, continually validate third-party code, and adopt robust dependency management practices. As investigations continue, further IoCs and package names may emerge; staying informed through the disclosed reports is essential.