SAP npm packages just got hijacked by hackers calling themselves mini Shai-Hulud — stealing developer credentials at scale


Five major security firms just exposed a coordinated attack on SAP’s npm package ecosystem, with hackers embedding credential-stealing malware directly into JavaScript libraries that enterprise developers rely on daily.

The campaign, which identifies itself as “mini Shai-Hulud,” exposes a structural weakness in how software supply chains work: attackers don’t need to breach SAP’s servers if they can get malicious code into the open-source packages developers download by the thousands. Such an attack bypasses traditional perimeter security and lands malicious code directly on developer machines and corporate networks the moment the package is installed.

Key Findings:
  • The Target: Attackers compromised npm packages specifically within SAP’s JavaScript ecosystem to steal developer credentials and API keys.
  • The Scale: Five security firms detected the campaign independently and at the same time, which indicates the malicious versions were live on the public npm registry, where any developer or build pipeline could have pulled them in.
  • The Risk: Stolen developer credentials function as master keys to source code repositories, cloud infrastructure, and production systems.

Aikido Security, SafeDep, Socket, StepSecurity, and Google-owned Wiz each identified compromised packages associated with SAP’s JavaScript and cloud applications. The researchers found that the malware was built to harvest authentication tokens, API keys, and other developer credentials that could unlock access to enterprise systems downstream.

The attack’s mechanics reveal deliberate targeting. Rather than spray-and-pray malware, mini Shai-Hulud focused on packages in SAP’s ecosystem, suggesting the attackers had picked out a high-value target. According to research published in IEEE Xplore, programming language-specific package repositories like npm are both targets for supply chain attacks and platforms from which to mount broader campaigns. The mechanism that makes this work is mundane: npm runs a package’s install lifecycle scripts (preinstall, install, postinstall) as part of every npm install, so code planted in one of those hooks executes on the developer’s machine or CI runner before anyone has read the package, and could do so on thousands of machines without triggering immediate suspicion.

How Do Supply Chain Attacks Bypass Traditional Security?

Supply chain attacks through npm have become increasingly common because the barrier to entry is low and the blast radius is enormous. A single compromised package can propagate to hundreds or thousands of downstream projects. Unlike traditional malware that users might notice slowing their system, credential-stealing malware runs silently, exfiltrating authentication data in the background.

Supply Chain Attack Patterns:
• Single compromised package can affect thousands of downstream projects
• Credential theft operates silently without performance degradation
• Developer machines become entry points to enterprise infrastructure

The timing of this exposure matters. Five firms flagging the same campaign independently and at about the same time indicates the malicious versions were published to the public registry and remained there long enough for several registry-monitoring systems to catch them. The researchers’ decision to publish their findings immediately indicates the threat was significant enough to warrant disclosure even knowing that attackers would quickly adapt their tactics once exposed.

SAP has not yet issued a detailed public statement about the scope of affected customers or the full list of compromised packages, though the five security firms have documented specific packages in their reports. Organizations using SAP-related npm packages should assume their development environments may have been targeted and take immediate action to audit their dependency chains.

Why Are Developer Credentials So Valuable to Attackers?

The credential-stealing aspect is particularly dangerous because stolen developer credentials don’t just compromise individual machines—they can unlock access to source code repositories, cloud infrastructure, CI/CD pipelines, and production environments. A developer’s credentials are often a master key to an organization’s entire digital estate.

This attack also highlights a structural weakness in open-source security: npm packages are maintained by individuals and small teams who may lack the resources to detect sophisticated intrusions. SAP, despite being a global enterprise software giant, cannot fully control the security posture of every package in its ecosystem. Research from the National Institutes of Health documents security vulnerabilities in the npm package dependency network, showing how attackers exploit gaps between package maintainers and enterprise users.

The five firms—Aikido Security, SafeDep, Socket, StepSecurity, and Wiz—have positioned themselves as supply chain security specialists precisely because traditional security tools miss these kinds of attacks. They monitor package repositories for behavioral anomalies, unusual dependencies, and code patterns that suggest compromise. Their coordinated disclosure suggests they’ve built detection systems that can catch these threats at scale.

What Should Organizations Do Right Now?

For developers and security teams, the immediate question is whether their projects depend on any of the compromised packages, at the compromised versions. npm’s dependency tree can be deep and opaque; a project might pull in a malicious package indirectly through a transitive dependency that no one explicitly chose, so the lockfile (package-lock.json or npm-shrinkwrap.json), not just package.json, is what has to be checked. Tools like npm audit and third-party supply chain security platforms can help, but npm audit only reports versions that already have a published advisory and says nothing about what a package’s install scripts do, so it can lag a campaign like this by hours or days and has to be run regularly rather than trusted once.

The mini Shai-Hulud campaign also signals that attackers are becoming more patient and surgical. Rather than broad ransomware campaigns, they’re targeting specific ecosystems and specific organizations, betting that focused credential theft will yield higher-value payoffs than mass extortion. This mirrors patterns seen in previous supply chain attacks where attackers focused on high-value infrastructure providers.

Immediate Response Actions:
• Audit lockfiles (package-lock.json, npm-shrinkwrap.json, yarn.lock) on every project and CI runner for the SAP-related packages and versions named in the vendor reports, including transitive dependencies
• Review developer machines and build agents that installed the affected versions for unexpected outbound connections and for reads of the places developer credentials typically live, such as ~/.npmrc, git credential helpers, and cloud CLI configuration files
• Revoke and reissue every credential that was present on those machines (npm tokens, git and CI tokens, cloud API keys), then check the audit logs of the services they protect for use by the attacker

Organizations using SAP’s npm packages should immediately audit their dependency manifests, check for any suspicious activity in their development environments, and rotate any credentials that may have been exposed on machines where these packages were installed. The coordinated response from multiple security firms suggests this attack represents a new level of sophistication in supply chain targeting, requiring equally coordinated defensive measures.

Sociologist and web journalist, passionate about words. I explore the facts, trends, and behaviors that shape our times.