mini Shai-Hulud: Deconstructing the SAP npm Supply Chain Hit
Hey everyone, just catching up on the reports from Aikido, SafeDep, and the team at Wiz regarding this "mini Shai-Hulud" campaign. It looks like a coordinated supply chain attack specifically aimed at SAP-related npm packages. The threat actors are pushing credential-stealing malware, which is concerning given how often these dev dependencies fly under the radar compared to production libraries.
From what I've gathered, the campaign targets packages associated with SAP's JavaScript SDKs and cloud application tooling. The malware likely hooks into preinstall or postinstall scripts to exfiltrate .npmrc tokens or environment variables upon installation.
I've written a quick bash script to help teams audit their node_modules for recently modified files or suspicious scripts:
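```bash
#!/bin/bash
# Scan for postinstall scripts in dependencies
# (the second glob covers scoped packages such as @sap/*)
grep -l "postinstall" node_modules/*/package.json node_modules/@*/*/package.json 2>/dev/null | sort -u
```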
For those running Microsoft Sentinel or Defender, you might want to flag `npm` processes spawning child shells or making network connections immediately after execution:
```kql
DeviceProcessEvents
| where FileName =~ "npm" or FileName =~ "node"
| where ProcessCommandLine contains "postinstall"
| where InitiatingProcessFileName !in ("cmd.exe", "bash")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName
```
Has anyone started seeing IOCs for this specific campaign in their telemetry yet, or are we mostly relying on SBOM audits right now?
Good catch on the postinstall vector. We've locked down our CI/CD pipelines to ignore scripts during installation by default using --ignore-scripts. It's a blunt instrument, but it stops this class of attack effectively if you don't strictly need build scripts for your dependencies.
```bash
npm install --ignore-scripts
```
However, for the SAP devs who actually need those build steps, I'd recommend setting up a private registry (like Verdaccio or Artifactory) and firewalling external access. That way, you can manually vet these SAP-related packages before they hit your dev environment.
From a SOC perspective, we're treating this as a potential credential theft event. The malware is likely looking for .npmrc files which often contain plain-text auth tokens for your registry.
You can check if your current token is compromised by validating against your npm registry, but the safest bet is immediate rotation. Here is a Python snippet to scan for exposed tokens in your local config:
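```python
import os
import re

# Check the user-level npm config for stored registry auth tokens.
path = os.path.expanduser('~/.npmrc')
if os.path.exists(path):
    with open(path, 'r') as f:
        content = f.read()
    if '_authToken' in content:
        print('WARNING: Auth token found!')
        # Mask token values so the secret does not end up in terminal or CI logs.
        print(re.sub(r'(_authToken\s*=\s*)\S+', r'\1<redacted>', content))
```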
Rotate those secrets if you've pulled any SAP packages in the last 48 hours.
Great points. To expand on protecting those auth tokens, ensure your Dockerfiles use multi-stage builds so the .npmrc isn't baked into the final image layers. This limits exposure if the container is compromised. Also, always run npm ci in your build stage to guarantee reproducible builds and avoid accidental updates.
```bash
npm ci
```
Great insights. To complement the hardening steps, I recommend auditing your dependency trees specifically for the affected SAP SDKs. We found that standard audits sometimes miss these until the advisory is fully published. You can manually verify installed versions against the public advisory lists using this quick grep on your lockfile:
```bash
grep -A 5 "@sap" package-lock.json
```
This helps surface any transitive dependencies that might have slipped in.
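The lockfile grep and the install-script scan from the posts above can be combined into one pass over the lockfile. The following is an added example, not code from any poster in this thread; it assumes a lockfileVersion 2 or 3 `package-lock.json`, where npm records `hasInstallScript` on packages that declare install-time lifecycle scripts, and the function name `auditLockfile` and the sample package names are made up for illustration.

```javascript
// Added example, not from the thread. Assumes lockfileVersion 2 or 3,
// where every installed package is a key in the "packages" map.
// For a real project:
//   auditLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))

function auditLockfile(lock, scope = '@sap/') {
  const pkgs = lock.packages || {};
  const root = pkgs[''] || {}; // "" is the project itself
  const direct = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
    ...Object.keys(root.optionalDependencies || {}),
  ]);
  const marker = 'node_modules/';
  const findings = [];
  for (const [path, meta] of Object.entries(pkgs)) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // root or workspace folder, not an installed package
    // Nested keys look like "node_modules/a/node_modules/@sap/b".
    const name = path.slice(idx + marker.length);
    if (!name.startsWith(scope)) continue;
    findings.push({
      name,
      version: meta.version,
      path,
      transitive: !direct.has(name), // not declared by the root project
      hasInstallScript: meta.hasInstallScript === true,
    });
  }
  // Packages that run code at install time come first.
  return findings.sort((a, b) =>
    Number(b.hasInstallScript) - Number(a.hasInstallScript) ||
    a.path.localeCompare(b.path));
}

// Constructed sample lockfile; the package names are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { '@sap/example-sdk': '^1.0.0', 'build-helper': '^2.0.0' } },
    'node_modules/@sap/example-sdk': { version: '1.0.3' },
    'node_modules/build-helper': { version: '2.1.0', hasInstallScript: true },
    'node_modules/build-helper/node_modules/@sap/example-tool': { version: '0.4.1', hasInstallScript: true },
  },
};

console.table(auditLockfile(sampleLock));
```

Entries that are both `transitive` and `hasInstallScript` are the ones a plain grep is most likely to bury, since nothing in the project's own `package.json` names them.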
Solid advice on the defensive layers. To complement code analysis, I’d suggest monitoring network egress during a sandboxed install. These malicious packages almost always attempt to contact a C2 server to exfiltrate data. Running a packet capture during installation in an isolated environment can reveal suspicious outbound connections that static analysis misses.
```bash
tcpdump -i any -w install_trace.pcap
```