Coordinated Attack on SAP Developer Ecosystem
Security researchers from multiple firms — including Aikido Security, SafeDep, Socket, StepSecurity, and Google-owned Wiz — have independently identified a coordinated supply chain attack campaign targeting npm packages used in SAP enterprise development workflows. The campaign, dubbed "mini Shai-H" by researchers, injects credential-stealing malware into legitimate SAP-related packages to harvest sensitive information from developer machines and CI/CD pipelines.
The discovery highlights an escalating trend of threat actors targeting the software supply chain through package registries, where a single compromised dependency can cascade into thousands of downstream victims.
How the Attack Works
The mini Shai-H campaign follows a now-familiar supply chain attack pattern:
- Package identification: Attackers identify widely used npm packages within the SAP ecosystem, including tools, SDKs, and connectors used by developers building applications that integrate with SAP systems
- Account compromise or typosquatting: Threat actors either compromise the original package maintainer's npm account or publish packages with similar names designed to trick developers into installing the malicious version
- Malicious payload injection: The compromised packages contain obfuscated JavaScript that exfiltrates credentials, environment variables, and secrets from the developer's machine or build environment
- Exfiltration: Stolen data is transmitted to attacker-controlled infrastructure, giving threat actors access to SAP credentials, cloud provider keys, and CI/CD pipeline secrets
Because SAP systems are deeply embedded in enterprise operations — managing financials, supply chains, HR, and manufacturing — credentials stolen from SAP development environments can provide attackers with pathways into highly sensitive business data.
Scope and Impact
SAP is one of the world's largest enterprise software vendors, with its systems used by over 400,000 companies in more than 180 countries. The npm ecosystem serves as a critical bridge for developers building integrations, automations, and extensions on top of SAP platforms.
The credential-stealing capability of the malicious packages poses several risks:
- SAP login credentials could allow attackers to access enterprise ERP systems containing financial, HR, and operational data
- Cloud provider keys harvested from environment variables could enable lateral movement into AWS, Azure, or GCP infrastructure
- CI/CD pipeline secrets could be used to inject further malicious code into software builds, extending the attack chain
- Developer machine access through harvested SSH keys or tokens could enable persistent access to corporate networks
Researcher Response
The coordinated disclosure by five separate security firms underscores the growing maturity of supply chain threat intelligence sharing. Google's Wiz, Aikido Security, SafeDep, Socket, and StepSecurity each detected artifacts of the campaign through their respective package scanning and runtime analysis capabilities.
Socket, which specializes in npm security, published indicators of compromise (IoCs) and the specific package names involved. StepSecurity noted that CI/CD pipelines using the affected packages in GitHub Actions workflows were at particular risk of exposing repository secrets.
npm's security team was notified and moved to remove the malicious packages from the registry.
Mitigation Steps
Organizations using SAP-related npm packages should take the following steps:
- Audit dependencies — Run npm audit and review the full dependency tree for any packages flagged by Socket, Aikido, or Wiz scanners
- Rotate all secrets — Treat any credentials, API keys, or tokens accessible from environments where the affected packages may have run as compromised. Rotate immediately
- Enable package provenance checks — Use npm's built-in provenance attestation features to verify that packages were built from the expected source
- Pin dependency versions — Avoid using floating version ranges (^, ~) for security-sensitive packages; pin to exact versions and review changes before upgrading
- Monitor outbound connections from build environments for unusual data exfiltration to unknown hosts
- Enable branch protection and secret scanning on repositories that use SAP-related npm packages
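A concrete form of the audit, pinning and egress-monitoring steps above, as an added example that is not part of the article and not tooling from any of the researchers named in it: a Node.js check a team could run in CI against its own package.json and package-lock.json, plus an allowlist check over build-agent connection logs. Every package name, the IoC entries and the log lines are constructed placeholders; the real indicators are the ones Socket published, and the allowlisted hosts must be tailored to the pipeline in question.

```javascript
// Added example, not code from the article or from the researchers named in it.
// Dependency-hygiene checks for a CI job: flag floating version ranges in
// package.json, match resolved lockfile entries against an IoC list, and flag
// build-agent connections to hosts outside an allowlist. All names, IoC entries
// and log lines below are constructed placeholders.

// An exact semver version, optionally with pre-release/build metadata.
// Anything else ("^1.4.0", "~3.2.1", "*", "latest", git/tarball URLs) is floating.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Constructed package.json: two pinned and two floating dependencies.
const samplePackageJson = {
  name: "example-sap-integration-service",
  dependencies: {
    "example-sap-client": "2.19.21",   // pinned
    "example-sap-connector": "^1.4.0", // floating: any 1.x.y >= 1.4.0
    "example-odata-helper": "~3.2.1",  // floating: any 3.2.z >= 3.2.1
  },
  devDependencies: {
    "example-test-runner": "9.0.0",    // pinned
  },
};

// Constructed package-lock.json (lockfileVersion 3 layout), including a nested copy.
const samplePackageLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-sap-integration-service" },
    "node_modules/example-sap-client": { version: "2.19.21" },
    "node_modules/example-sap-connector": { version: "1.4.7" },
    "node_modules/example-odata-helper": { version: "3.2.9" },
    "node_modules/example-test-runner": { version: "9.0.0" },
    "node_modules/example-odata-helper/node_modules/example-sap-connector": { version: "1.3.2" },
  },
};

// PLACEHOLDER indicators as "name@version"; substitute the pairs the researchers published.
const PLACEHOLDER_IOCS = new Set(["example-sap-connector@1.4.7"]);

// Hosts the build agent is expected to reach (constructed allowlist).
const ALLOWED_EGRESS_HOSTS = new Set(["registry.npmjs.org", "github.com", "objects.githubusercontent.com"]);

// Constructed build-agent egress log; 203.0.113.77 is a documentation-range address.
const sampleEgressLog = [
  "2025-11-25T10:12:03Z build-agent-07 CONNECT registry.npmjs.org:443 bytes_out=18422",
  "2025-11-25T10:12:04Z build-agent-07 CONNECT github.com:443 bytes_out=2210",
  "2025-11-25T10:12:09Z build-agent-07 CONNECT 203.0.113.77:443 bytes_out=91320",
  "2025-11-25T10:12:10Z build-agent-07 DNS lookup objects.githubusercontent.com",
];

// Return [{ name, range, section }] for every dependency whose spec is not an exact version.
function findFloatingRanges(pkg) {
  const floating = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      if (!EXACT_VERSION.test(range)) floating.push({ name, range, section });
    }
  }
  return floating;
}

// Package name from a lockfile path such as "node_modules/@scope/pkg" or
// "node_modules/a/node_modules/b" (scoped names keep their "@scope/" prefix).
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

// Sorted "name@version" strings for every resolved package, nested copies included,
// that appears in the IoC set.
function findIocMatches(lock, iocs) {
  const matches = new Set();
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !entry.version) continue;
    const key = `${name}@${entry.version}`;
    if (iocs.has(key)) matches.add(key);
  }
  return [...matches].sort();
}

// [{ host, bytesOut }] for CONNECT events to hosts outside the allowlist.
const CONNECT_LINE = /\bCONNECT\s+([^\s:]+):\d+\s+bytes_out=(\d+)/;
function findUnexpectedEgress(logLines, allowedHosts) {
  const unexpected = [];
  for (const line of logLines) {
    const m = CONNECT_LINE.exec(line);
    if (!m) continue; // not a connection event (e.g. DNS lines)
    const [, host, bytesOut] = m;
    if (!allowedHosts.has(host)) unexpected.push({ host, bytesOut: Number(bytesOut) });
  }
  return unexpected;
}

// One report for the CI job; any non-empty array should fail the build.
function runChecks() {
  return {
    floatingRanges: findFloatingRanges(samplePackageJson),
    iocMatches: findIocMatches(samplePackageLock, PLACEHOLDER_IOCS),
    unexpectedEgress: findUnexpectedEgress(sampleEgressLog, ALLOWED_EGRESS_HOSTS),
  };
}

console.log(JSON.stringify(runChecks(), null, 2));
```

The lockfile check deliberately walks nested node_modules paths, because a compromised version can arrive as a transitive dependency even when the top-level spec is pinned; the egress check only catches what the build agent logs, so it complements rather than replaces the secret rotation the list calls for.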