Alert: 'mini Shai-Hulud' Campaign Targets SAP npm Packages
Hey all, has anyone else caught the latest regarding the "mini Shai-Hulud" campaign? Reports are surfacing from Aikido Security, SafeDep, Socket, StepSecurity, and Wiz about a concerning supply chain attack specifically targeting SAP-related npm packages.
It appears the attackers are compromising packages associated with SAP's JavaScript and cloud applications to inject credential-stealing malware. Given the high value of SAP environments, this is a critical one to watch. The campaign seems to focus on pushing malicious updates that harvest environment variables and credentials.
I've started auditing our internal registries. If you are running SAP on Node.js, you should check your package-lock. immediately. I recommend scanning for unexpected postinstall scripts, as this is a common vector for these payloads. Here is a quick shell snippet to scan your node_modules for risky scripts:
find node_modules -name "package." -exec grep -l '"postinstall"' {} \; | head -n 20
You should also verify the integrity of your installed packages against the lockfile hashes. Since the payload is designed for credential theft, monitor your SIEM for unusual outbound traffic or access to sensitive config files immediately post-install.
Is anyone blocking registry traffic to non-standard sources, or are you relying on software composition analysis (SCA) tools to catch this at the PR stage?
We're using an internal proxy (Artifactory) for all npm traffic, which blocks anything not explicitly whitelisted. This usually stops the dependency confusion attacks, but typosquatting still slips through if a dev manually installs a malicious package.
We've also started running npm ci in isolated containers to test behavior before merging. I'd suggest checking your CI/CD logs for any npm install commands that ran outside of the build agents recently.
Good call on the postinstall check. We implemented a KQL rule in our SIEM to look for Node.js spawning immediately after package management tools, which often indicates a script execution.
Here is the basic query if it helps:
ProcessCreationEvents
| where FileName in ('node.exe', 'node')
| where ParentProcessName has 'npm' or ParentProcessName has 'yarn'
| project Timestamp, DeviceName, FileName, CommandLine
Better to catch it at the network layer, but this helps if the package is already internal.
This reinforces the need for signed commits and provenance. We are looking at implementing Sigstore/TPM policies for our internal SAP team.
If you aren't already, use npm audit --audit-level=moderate as a pre-commit hook. It won't catch zero-days in new packages, but it helps keep the known supply chain noise down.
Excellent insights. Beyond auditing, detecting obfuscated payloads is crucial since many of these attacks use hidden base64 strings to evade initial scans. I suggest implementing a high-entropy check in your CI pipeline to flag suspicious code in node_modules.
Here is a quick Python snippet to identify potential obfuscation:
import math, sys
def check_entropy(filename, threshold=4.5):
with open(filename, 'rb') as f:
data = f.read()
counts = [0] * 256
for byte in data:
counts[byte] += 1
entropy = -sum((c / len(data)) * math.log2(c / len(data)) for c in counts if c)
if entropy > threshold:
print(f'High entropy in {filename}: {entropy}')
Great points on runtime monitoring. To catch these earlier in the pipeline, we scan node_modules for obfuscated scripts immediately after npm install. Specifically, looking for decoding functions within dependency package. files helps identify hidden payloads. You can run this simple check in CI to flag potential malware before execution:
grep -rE "(atob|btoa|Buffer\.from)" node_modules/*/package.
It catches a lot of obfuscated logic that standard audits might miss.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access