
"Mini Shai-Hulud": SAP npm Supply Chain Attack — Detection and Credential Protection

Security Arsenal Team
April 29, 2026
5 min read

Introduction

Defenders need to be on high alert following the disclosure of a sophisticated supply chain attack targeting the SAP ecosystem. Researchers from Aikido Security, SafeDep, Socket, StepSecurity, and Wiz have uncovered a campaign dubbed "Mini Shai-Hulud" that actively compromises SAP-related npm packages. This is not a theoretical risk; malicious packages have been published to the public registry, designed to exfiltrate sensitive credentials from development and build environments. Given SAP's prominence in enterprise resource planning, the compromise of associated JavaScript tooling represents a high-value target for attackers seeking lateral movement into critical business systems.

Technical Analysis

Affected Products & Platform

The threat targets SAP-related JavaScript libraries hosted on the npm registry. While the specific package names evolve as takedowns occur, the campaign focuses on packages associated with SAP's JavaScript and cloud application development stacks. The attack vector is cross-platform, affecting Windows, Linux, and macOS environments where Node.js development occurs.

Attack Chain & Methodology

The "Mini Shai-Hulud" campaign uses classic typosquatting and dependency confusion techniques. The malicious packages define preinstall or postinstall scripts in their package.json files. npm runs these lifecycle scripts automatically during npm install, so the payload executes before the developer has any chance to inspect the package.

  1. Initial Access: A developer or CI/CD pipeline installs a compromised SAP-themed npm package.
  2. Execution: Node.js executes the malicious lifecycle scripts defined in the package.
  3. Credential Theft: The script enumerates the file system for sensitive configuration files, specifically targeting:
    • .npmrc (npm tokens)
    • .aws/credentials (Cloud keys)
    • SSH keys (id_rsa)
    • Browser cookies and stored passwords (where accessible)
  4. Exfiltration: Stolen data is transmitted via HTTP/HTTPS to attacker-controlled Command and Control (C2) infrastructure.

Exploitation Status

Active exploitation has been confirmed. The packages are live in the registry, and automated scanners have identified the malicious behavior in the wild. This necessitates immediate containment actions in environments utilizing SAP JavaScript tooling.

Detection & Response

Sigma Rules

YAML
---
title: Potential npm Supply Chain Exfiltration via Node
id: 8d7f9c2e-1a4b-4d3f-9e5c-6b7a8d9e0f1a
status: experimental
description: Detects Node.js processes spawning curl or wget, common in npm supply chain attacks like "Mini Shai-Hulud" for data exfiltration.
references:
  - https://thehackernews.com/2026/04/sap-npm-packages-compromised-by-mini.html
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.001
  - attack.exfiltration
  - attack.t1041
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\node.exe'
      - '\npm.cmd'
      - '\npx.cmd'
  selection_child:
    Image|endswith:
      - '\curl.exe'
      - '\wget.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_cmd:
    CommandLine|contains:
      - 'http://'
      - 'https://'
  condition: all of selection_*
falsepositives:
  - Legitimate build scripts fetching resources (verify specific URLs)
level: high
---
title: Linux/macOS npm Malicious Script Execution
id: 9e0g1h2i-3j4k-5l6m-7n8o-9p0q1r2s3t4u
status: experimental
description: Detects npm or node processes spawning shells or curl on Unix-based systems, indicative of malicious package scripts.
references:
  - https://thehackernews.com/2026/04/sap-npm-packages-compromised-by-mini.html
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith:
      - '/node'
      - '/npm'
    Image|endswith:
      - '/sh'
      - '/bash'
      - '/curl'
      - '/wget'
    CommandLine|contains:
      - 'http'
  condition: selection
falsepositives:
  - Legitimate developer build scripts
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for Node.js parent processes spawning network utilities (Potential Exfil)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("node.exe", "npm.cmd", "npx.cmd", "node", "npm")
| where FileName in~ ("curl.exe", "wget.exe", "powershell.exe", "pwsh.exe", "curl", "wget", "python", "python3")
| where ProcessCommandLine has_any ("http://", "https://")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for npm packages with suspicious install scripts targeting credential files
-- Narrow the glob root (e.g. to user home or CI workspace directories) to limit scan time
SELECT FullPath, Mtime, Size,
       read_file(filename=FullPath) AS Content
FROM glob(globs='/**/node_modules/*/package.json')
WHERE Content =~ '"(preinstall|postinstall|install)" *:'
  AND (Content =~ 'curl' OR Content =~ 'wget' OR Content =~ 'http:' OR Content =~ 'base64')

Remediation Script (Bash)

Bash / Shell
#!/bin/bash

# Audit script to detect suspicious package installations related to Mini Shai-Hulud
# Scans node_modules for packages whose lifecycle scripts contain network commands

echo "[*] Scanning for suspicious npm lifecycle scripts..."

# Find all package.json files in node_modules (NUL-separated so unusual paths survive;
# scoped packages such as node_modules/@scope/name/package.json are matched as well)
find . -type f -path "*/node_modules/*/package.json" -print0 | while IFS= read -r -d '' pkg; do
    # Only packages that declare an install-time lifecycle script are of interest
    if grep -qE '"(preinstall|install|postinstall)"[[:space:]]*:' "$pkg"; then
        # Flag manifests that reference network tools, shells, URLs or encoded payloads
        if grep -qiE '\b(curl|wget|bash|powershell|pwsh|base64)\b|https?://' "$pkg"; then
            echo "[!] Suspicious package found at: $pkg"
            echo "--- Content ---"
            cat "$pkg"
            echo "----------------"
        fi
    fi
done

echo "[*] Scan complete. Review findings immediately."

Remediation

1. Immediate Audit and Removal

Developers and DevOps teams must audit package.json and package-lock.json for any SAP-related packages that are not part of the official SAP registry or known trusted sources. If malicious packages are identified:

  • Remove the package directory: rm -rf node_modules/<malicious-package-name>
  • Reinstall clean dependencies: npm install (after verifying package.json is clean)

2. Credential Rotation

Assume compromise if the malicious packages were executed. Rotate the following immediately:

  • npm access tokens (stored in ~/.npmrc)
  • AWS/GCP/Azure credentials found in environment variables or credential files.
  • SSH private keys used for Git operations.
  • SAP-specific cloud service keys and API tokens.

3. Dependency Pinning and Review

  • Lock dependency versions strictly using package-lock.json or yarn.lock.
  • Implement software composition analysis (SCA) tools within the CI/CD pipeline to block packages containing install scripts (preinstall/postinstall) unless explicitly whitelisted.
  • Review the official npm advisory (check for specific package names linked to "Mini Shai-Hulud").

4. Network Segmentation

Build servers should run with restricted internet access. Only allow outbound traffic to necessary, whitelisted registries (e.g., registry.npmjs.org, corporate Artifactory) and block direct access to unknown IPs.
