Inside the Mini Shai-Hulud Campaign: Anatomy of a Cross-Ecosystem Supply Chain Attack

The “Mini Shai-Hulud” campaign is the latest example of how software supply chain attacks are evolving from isolated incidents into highly automated, cross-ecosystem operations capable of spreading rapidly across developer environments and CI/CD pipelines.

What began as the compromise of several SAP-related npm packages quickly expanded into a broader campaign affecting npm, PyPI, and PHP ecosystems. The attackers leveraged malicious lifecycle scripts, credential theft, CI/CD abuse, and automated propagation techniques to compromise developer machines and cloud environments at scale.

For security teams, the incident highlights an increasingly important reality: blocking malicious packages at the registry level is no longer sufficient on its own. Organizations also need runtime visibility into how dependencies behave after execution inside developer workstations, CI/CD systems, and cloud infrastructure.

TL;DR

• Multiple npm packages associated with SAP’s Cloud Application Programming ecosystem were compromised with malicious code.
• The malware used npm lifecycle hooks to download the Bun runtime and execute obfuscated credential-stealing payloads.
• Stolen secrets included GitHub tokens, npm credentials, cloud provider keys, Kubernetes credentials, and CI/CD secrets.
• The campaign expanded beyond npm, eventually impacting PyPI and Packagist ecosystems.
• Researchers observed worm-like propagation behavior, where stolen publishing tokens were used to compromise additional packages automatically.
• The attack demonstrates why runtime monitoring for CI/CD pipelines and cloud workloads is becoming critical alongside traditional dependency scanning.

What Happened?

On April 29, 2026, security researchers identified several SAP-related npm packages that had been modified to include malicious installation logic. Affected packages included:

• mbt@1.2.48
• @cap-js/db-service@2.10.1
• @cap-js/postgres@2.2.2
• @cap-js/sqlite@2.2.2

The malicious versions introduced new preinstall behaviors that were not part of the original packages.

Unlike traditional malware that executes after an application starts running, this payload activated during dependency installation itself — meaning a simple npm install could trigger compromise before developers ever launched the application.

Researchers from Socket, Wiz, Aikido, StepSecurity, and others later connected the activity to a broader campaign now referred to as “Mini Shai-Hulud.”
‍

How the Attack Worked

Stage 1: Malicious Lifecycle Hooks

The compromised packages injected malicious preinstall scripts into the npm lifecycle.

When developers or CI pipelines installed the packages, the hooks automatically executed and downloaded the Bun JavaScript runtime from attacker-controlled infrastructure.

This was an especially effective technique because:

• Bun is a legitimate and increasingly popular runtime
• Many security tools are less tuned to Bun activity than traditional Node.js execution
• The attack avoided obvious malicious binaries

The malware then launched a heavily obfuscated JavaScript payload reportedly measuring roughly 11MB in size.

Stage 2: Credential Theft

Once executed, the malware searched infected environments for sensitive credentials and secrets, including:

• GitHub tokens
• npm authentication tokens
• AWS credentials
• Azure and GCP secrets
• Kubernetes credentials
• GitHub Actions secrets
• Local developer tokens

Researchers observed the malware exfiltrating data through attacker-controlled GitHub repositories labeled:

“A Mini Shai-Hulud has Appeared”

By abusing trusted GitHub infrastructure instead of traditional command-and-control servers, the attackers reduced the likelihood of immediate detection.

Stage 3: Worm-Like Propagation

What made Mini Shai-Hulud particularly concerning was its autonomous propagation capability.

According to multiple researchers, the malware searched for GitHub Actions workflows and publishing credentials that could be reused to compromise additional packages.

In some cases, attackers reportedly:

• Modified package tarballs
• Repackaged dependencies with malicious payloads
• Published trojanized versions using stolen maintainer tokens

This transformed the incident from a single package compromise into a self-propagating supply chain worm.

The campaign ultimately expanded beyond SAP-related packages and affected additional ecosystems, including:

• intercom-client on npm
• lightning on PyPI
• PHP packages on Packagist
• Multiple @tanstack packages on npm

Why This Attack Matters

Mini Shai-Hulud stands out not only because of the affected packages, but because of the operational sophistication behind the campaign.

Cross-Ecosystem Targeting

Rather than focusing on a single package registry, the attackers simultaneously abused npm, PyPI, and PHP ecosystems.

This significantly increased the potential blast radius across modern development environments.

CI/CD Pipeline Targeting

The malware explicitly hunted for CI/CD secrets and automation credentials. That suggests the primary objective may not have been individual developer machines, but organizational cloud infrastructure and production environments. This aligns with a broader trend in which attackers increasingly treat CI/CD systems as high-value privileged infrastructure.

Abuse of Legitimate Developer Workflows

The attack relied almost entirely on legitimate tooling and trusted workflows, including:

• npm lifecycle hooks
• GitHub Actions
• Bun runtime execution
• GitHub repositories for exfiltration

As a result, traditional signature-based security controls become far less effective.

Detection Challenges

Attacks like Mini Shai-Hulud are difficult to detect using traditional application security approaches alone.

While static scanners may eventually identify known malicious package versions, several challenges remain:

• Obfuscated runtime payloads
• Abuse of legitimate tooling
• Rapid package version churn
• Credential theft occurring during execution
• Limited CI/CD runtime visibility
• Post-compromise propagation behavior

By the time malicious packages are publicly identified, many organizations may have already executed them inside privileged environments.

How Sweet Helps Detect and Contain These Attacks

Supply chain attacks rarely stop at dependency installation. The real impact begins once compromised packages interact with runtime environments, cloud credentials, CI/CD systems, and production infrastructure.

This is where runtime cloud security becomes critical.

Sweet Security helps organizations detect and investigate attacks like Mini Shai-Hulud by providing runtime visibility into cloud and CI/CD behavior.

Runtime Detection of Malicious Package Activity

Sweet can help identify suspicious behaviors associated with compromised dependencies, including:

• Unexpected process execution during builds
• Runtime downloads of external binaries
• Credential harvesting attempts
• Suspicious outbound network activity
• Abuse of CI/CD runners
• Unauthorized access to cloud metadata services
• Secret access anomalies

Rather than relying solely on package reputation or static analysis, Sweet focuses on observing runtime behavior inside cloud and CI/CD environments. Because modern supply chain attacks increasingly target identities, pipelines, and cloud workloads, runtime context becomes essential for determining:

• Whether malicious activity actually executed
• Which credentials or systems were exposed
• How far compromise may have spread
• What remediation actions are required

Final Thoughts

Mini Shai-Hulud represents another major step in the evolution of software supply chain attacks. The campaign combined malicious package publishing, credential theft, CI/CD compromise, cross-ecosystem targeting, and autonomous propagation into a highly scalable operation.

This is no longer just an open-source security problem. It is increasingly a cloud runtime security problem.

As attackers continue targeting developer infrastructure and CI/CD environments, organizations need visibility beyond dependency manifests and static package scanning. Runtime context is becoming essential for understanding what compromised packages actually do after installation — and for stopping supply chain attacks before they escalate into broader cloud compromise.

‍