
SAP npm Packages Hijacked in Credential-Stealing Supply Chain Attack

Attackers compromised multiple SAP-related npm packages to deploy credential-stealing malware, targeting SAP BTP and cloud app credentials. Campaign dubbed mini Shai-Hulud.

Executive Summary

A supply chain attack campaign tracked as "mini Shai-Hulud" has compromised multiple npm packages related to SAP's JavaScript and cloud application ecosystem, deploying credential-stealing malware that targets SAP Business Technology Platform (BTP) credentials and other cloud application secrets. Researchers from Aikido Security, SafeDep, Socket, StepSecurity, and Google-owned Wiz jointly identified the campaign, which injected malicious code into legitimate SAP-associated npm packages to harvest authentication tokens and API keys.

Technical Analysis

The attackers published or modified npm packages that appear to be associated with SAP's development tooling and cloud application frameworks. According to the researchers, the malicious code is designed to exfiltrate credentials for SAP BTP, a key enterprise platform that organizations use to build and run cloud applications. The campaign name "mini Shai-Hulud" references the sandworm from Frank Herbert's Dune, a naming pattern sometimes used by threat actors to obscure attribution.

The compromised packages were identified across multiple npm repositories. The malware payload executes at package install or runtime, scraping environment variables, configuration files, and stored tokens that SAP developers commonly use for authentication to BTP and other SAP cloud services. The stolen credentials are then transmitted to attacker-controlled infrastructure.

Aikido Security noted that the attack vector mirrors previous supply chain campaigns targeting the npm ecosystem, such as those involving typosquatting or dependency confusion. However, this campaign specifically targets the SAP development community, which has not historically been a primary focus for npm-based supply chain attacks. The researchers emphasized that the attack exploits trust in the open-source package registry to gain access to enterprise SAP environments.

Socket and SafeDep provided additional technical details indicating that the malicious code uses obfuscation techniques to evade static analysis, including string encoding and conditional execution based on environment checks. The payload only activates when it detects SAP-related environment variables or configuration files, reducing the likelihood of detection in non-SAP environments.

Mitigations & Recommendations

Organizations using SAP npm packages should immediately audit their npm dependencies for any of the compromised packages identified in the researchers' reports. Defenders should rotate all credentials, API keys, and service account tokens that may have been exposed, particularly those used for SAP BTP authentication. Implementing package integrity verification through lockfiles (package-lock.json or yarn.lock) and using npm audit tools can help detect tampered dependencies. Teams should also consider deploying runtime monitoring for unexpected outbound connections from build and development environments.
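As an added example (not code from the article or from any of the researchers' reports), the following Node.js script applies the dependency-audit and lockfile-integrity recommendations above: it parses a package-lock.json (lockfileVersion 2 or 3), flags dependencies whose name and version match a defender-supplied denylist, flags entries that carry no integrity hash, and flags packages resolved from outside an allowed registry. The denylist entries, registry list and the embedded sample lockfile are constructed placeholders; take the real package names and versions from the researchers' advisories.

```javascript
// Audit an npm lockfile (lockfileVersion 2/3 "packages" layout) for
// denylisted versions, missing integrity hashes and unexpected sources.

// Placeholder denylist, NOT real indicators: { "<name>": ["<version>", ...] }
const COMPROMISED = {
  "example-sap-tool": ["1.2.3"],
};

// Registries from which dependencies are expected to be resolved (assumption).
const ALLOWED_REGISTRIES = ["https://registry.npmjs.org/"];

// Constructed sample lockfile used when no path is given on the command line.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "example-sap-tool": "^1.2.0" } },
    "node_modules/example-sap-tool": {
      version: "1.2.3",
      resolved: "https://registry.npmjs.org/example-sap-tool/-/example-sap-tool-1.2.3.tgz",
      integrity: "sha512-PLACEHOLDERintegrityHashValueConstructedForTheExampleOnly==",
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      // no "integrity" field: npm cannot verify this tarball at install time
    },
  },
});

function auditLockfile(lockfileText, denylist, allowedRegistries = ALLOWED_REGISTRIES) {
  const lock = JSON.parse(lockfileText);
  if (!lock.packages) throw new Error("lockfileVersion 1 is not supported by this audit");
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue; // root project entry
    // Keep the package name (scope included) after the last "node_modules/".
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const versions = denylist[name];
    if (versions && versions.includes(entry.version)) {
      findings.push({ name, version: entry.version, reason: "denylisted version" });
    }
    if (!entry.integrity) {
      findings.push({ name, version: entry.version, reason: "missing integrity hash" });
    }
    if (entry.resolved && !allowedRegistries.some((r) => entry.resolved.startsWith(r))) {
      findings.push({ name, version: entry.version, reason: "resolved outside allowed registry" });
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  const text = process.argv[2] ? require("fs").readFileSync(process.argv[2], "utf8") : SAMPLE_LOCKFILE;
  console.log(auditLockfile(text, COMPROMISED));
}
```

Run it as `node audit-lock.js path/to/package-lock.json`; an empty result means no denylisted version, unverifiable entry or off-registry source was found in that lockfile.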
