Security researchers have sounded the alarm on a precision-targeted supply-chain compromise striking the SAP developer ecosystem. The attack, which hit trusted packages in the SAP CAP database and Cloud MTA build workflows, uses a sophisticated “credential stealer and propagation framework” to hijack developer environments and CI/CD pipelines.
The compromise is particularly insidious because the malicious versions keep the byte-for-byte code of the legitimate SAP files. The "infection" lives entirely in the package's install-time scripts, not in the application code a reviewer would normally read.
The attack leverages the npm "preinstall" hook, a lifecycle script that runs automatically before the package is installed. Once triggered, the malware follows a distinctive execution chain:
- The Hook: A setup.mjs file is executed.
- The Environment: It downloads the Bun JavaScript runtime from GitHub to provide a high-performance execution environment for the malware.
- The Payload: Bun is then used to run execution.js, a massive 11.7 MB obfuscated payload.
As Aikido describes the mechanism, “The pattern is familiar but also a bit different: a trusted package receives a new preinstall hook, the hook runs a new setup.mjs file, and that loader downloads the Bun JavaScript runtime to execute a large obfuscated payload named execution.js”.
The execution.js payload is a surgical tool designed for mass credential harvesting. It doesn’t just target local files; it is engineered to “hit both developer laptops and CI/CD runners”.
The malware’s shopping list for secrets is extensive, including:
- Developer Tokens: GitHub and npm credentials.
- Cloud Infrastructure: AWS STS identities, Azure Key Vaults, GCP Secret Manager values, and Kubernetes service account tokens.
- CI/CD Memory: A specialized Python helper that “searches /proc for the Runner.Worker process, reads its memory, and extracts masked secret structures from the runner”.
The attackers use public GitHub repositories as their primary exfiltration channel. These repositories are easily identified by a bizarre, Dune-themed hardcoded description: “A Mini Shai-Hulud has Appeared”.
The malware also uses a “propagation keyword”—OhNoWhatsGoingOnWithGitHub—as a token dead-drop in commit messages. It searches for this string to find base64-encoded GitHub tokens that it can use to further spread its malicious code.
Aikido warns that the impact is high because these packages are run in environments with access to enterprise deployment secrets. Security teams are urged to search for specific compromised versions of packages like @cap-js/sqlite (v2.2.2) and mbt@1.2.48.
Researchers recommend, "If any affected package was installed, rotate secrets. Do not limit rotation to npm tokens". Because the payload targets cloud-provider and CI secrets as well, a full rotation of your infrastructure's keys is the only reliable remediation.
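As an added example (not code from the article or from Aikido), the following Python triage script checks a lockfile for the two compromised versions the article names and flags preinstall scripts that reference the loader chain it describes (setup.mjs, the Bun runtime, execution.js). The lockfile and manifest below are constructed samples, and the marker strings are heuristics, not a complete indicator list.

```python
import json

# Compromised versions named in the article; extend this with your vendor's full list.
COMPROMISED = {"@cap-js/sqlite": {"2.2.2"}, "mbt": {"1.2.48"}}

# Strings tied to the install-time loader chain described above (heuristic markers).
HOOK_MARKERS = ("setup.mjs", "bun", "execution.js")


def lockfile_findings(lock: dict) -> list[str]:
    """Return 'name@version' for every lockfile v2/v3 entry pinned to a known-bad version."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        # Lockfile keys look like "node_modules/<name>"; nested installs repeat the prefix.
        name = meta.get("name") or path.split("node_modules/")[-1]
        if meta.get("version") in COMPROMISED.get(name, set()):
            hits.append(f"{name}@{meta['version']}")
    return hits


def preinstall_findings(manifest: dict) -> list[str]:
    """Return the loader-chain markers that appear in a package's preinstall script."""
    script = manifest.get("scripts", {}).get("preinstall", "")
    return [m for m in HOOK_MARKERS if m in script.lower()]


# Constructed sample inputs: a lockfile with both named versions and a manifest
# whose preinstall hook runs setup.mjs, mirroring the chain in the article.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "sample-app", "version": "1.0.0"},
    "node_modules/@cap-js/sqlite": {"version": "2.2.2"},
    "node_modules/express": {"version": "4.19.2"},
    "node_modules/some-tool/node_modules/mbt": {"version": "1.2.48"}
  }
}""")
SAMPLE_MANIFEST = {"name": "suspect-pkg", "scripts": {"preinstall": "node setup.mjs"}}

if __name__ == "__main__":
    print("compromised versions:", lockfile_findings(SAMPLE_LOCK))
    print("preinstall markers:", preinstall_findings(SAMPLE_MANIFEST))
```

For real triage, load `package-lock.json` and each `node_modules/*/package.json` into these functions; blocking lifecycle scripts in CI with `npm config set ignore-scripts true` removes the execution vector this campaign relies on.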