Multiple security firms detected a supply chain attack targeting SAP-related npm packages. The campaign, attributed to a group calling itself mini Shai-Hulud, compromised packages and injected credential-stealing malware. Researchers from Aikido Security, Onapsis, OX Security, SafeDep, Socket, StepSecurity, and Wiz identified the compromised packages associated with SAP infrastructure.

The attack exploits the npm package ecosystem to distribute malware to developers and organizations using these dependencies. Infected packages execute code during installation, capturing authentication credentials from victim systems. This vector reaches downstream users automatically through standard dependency resolution.

Defenders should immediately audit npm package dependencies tied to SAP environments. Check package.json files for suspicious package versions published during the attack window. Review npm access logs for unusual installation activity. Consider pinning package versions and implementing package integrity verification. Organizations running SAP systems should patch or remove affected packages and rotate credentials for any exposed systems.
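As an added example of the audit described above (not code from the article or from any of the named firms), the script below scans an npm lockfile for the signals a defender cares about here: packages that run install-time scripts, entries lacking an integrity hash, versions published inside a given window, and direct dependencies that are not pinned. The lockfile, package names and publish timestamps are constructed placeholders; a real audit would read `package-lock.json` and fetch each package's `time` map from the registry.

```javascript
// Constructed lockfile in npm lockfileVersion 3 shape. Names, versions and
// integrity values are placeholders, not the packages named in the article.
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'example-sap-client': '^2.1.0', 'left-util': '1.0.4' } },
    'node_modules/example-sap-client': {
      version: '2.1.7',
      resolved: 'https://registry.npmjs.org/example-sap-client/-/example-sap-client-2.1.7.tgz',
      integrity: 'sha512-PLACEHOLDER',
      hasInstallScript: true, // npm sets this when the package has a preinstall/install/postinstall script
    },
    'node_modules/left-util': { version: '1.0.4', resolved: 'https://registry.npmjs.org/left-util/-/left-util-1.0.4.tgz', integrity: 'sha512-PLACEHOLDER2' },
  },
};

// Constructed publish timestamps, shaped like the registry packument's "time" map.
const PUBLISH_TIMES = {
  'example-sap-client': { '2.1.6': '2025-01-01T00:00:00.000Z', '2.1.7': '2025-01-15T03:12:00.000Z' },
  'left-util': { '1.0.4': '2024-06-01T00:00:00.000Z' },
};

// Exact semver only; ranges (^, ~, x, *, >=) and dist-tags count as unpinned.
function isPinned(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// Direct dependencies of the root project declared with a range instead of an exact version.
function unpinnedDeps(lock) {
  const root = lock.packages[''] || {};
  return Object.entries(root.dependencies || {})
    .filter(([, spec]) => !isPinned(spec))
    .map(([name]) => name);
}

// Return one finding per installed package that shows any of the risk signals.
// Window bounds are ISO-8601 strings, so lexical comparison is chronological.
function auditLockfile(lock, publishTimes, windowStart, windowEnd) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    if (path === '') continue; // root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const reasons = [];
    if (pkg.hasInstallScript) reasons.push('install-script');
    if (!pkg.integrity) reasons.push('no-integrity');
    const published = publishTimes[name] && publishTimes[name][pkg.version];
    if (published && published >= windowStart && published <= windowEnd) reasons.push('published-in-window');
    if (reasons.length) findings.push({ name, version: pkg.version, reasons });
  }
  return findings;
}
```

Run it against the real lockfile by replacing `LOCKFILE` with `JSON.parse(fs.readFileSync('package-lock.json'))` and filling `PUBLISH_TIMES` from the registry; anything flagged `install-script` inside the window is the first thing to inspect.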

The attack demonstrates ongoing pressure on open source repositories as high-value distribution channels. Supply chain compromises aimed specifically at SAP signal that attackers prioritize enterprise resource planning infrastructure for credential harvesting and lateral movement opportunities.