Executive Summary
In April 2026, the cybercriminal group TeamPCP executed a supply chain attack, compromising several SAP npm packages integral to SAP's Cloud Application Programming Model (CAP) and Cloud MTA Build Tool (MBT). The attackers injected malicious preinstall scripts into four packages: @cap-js/sqlite v2.2.2, @cap-js/postgres v2.2.2, @cap-js/db-service v2.10.1, and mbt v1.2.48. These scripts, upon installation, deployed multistage payloads designed to harvest developer and CI/CD secrets across platforms like GitHub, npm, and major cloud providers, subsequently exfiltrating the data to attacker-controlled GitHub repositories. The malware also included code to propagate via compromised tokens. (darkreading.com)
This incident underscores the escalating threat of supply chain attacks targeting widely-used development tools and platforms. The 'Mini Shai-Hulud' campaign, as it was dubbed, highlights the necessity for organizations to implement stringent security measures within their software development pipelines to prevent unauthorized access and data exfiltration. (darkreading.com)
Why This Matters Now
The 'Mini Shai-Hulud' attack exemplifies the growing sophistication of supply chain attacks, emphasizing the urgent need for organizations to fortify their software development processes against such threats. The incident serves as a critical reminder of the vulnerabilities present in widely-used development tools and the potential for significant data breaches if these vulnerabilities are exploited. (darkreading.com)
Attack Path Analysis
TeamPCP compromised SAP's npm packages by injecting malicious preinstall scripts, leading to unauthorized access and data exfiltration. The attack unfolded through initial compromise via supply chain manipulation, privilege escalation by harvesting sensitive credentials, lateral movement across development environments, command and control through attacker-controlled repositories, exfiltration of stolen data, and potential impact on downstream customer organizations.
Kill Chain Progression
Initial Compromise
Description
TeamPCP injected malicious preinstall scripts into SAP's npm packages, compromising the software supply chain.
MITRE ATT&CK® Techniques
Compromise Software Supply Chain
Unsecured Credentials: Credentials in Files
Application Layer Protocol: Web Protocols
Dynamic Resolution: Domain Generation Algorithms
Hijack Execution Flow: DLL Side-Loading
Command and Scripting Interpreter: PowerShell
Obfuscated Files or Information
Indicator Removal on Host: File Deletion
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure the integrity of software and firmware
Control ID: 6.3.2
NYDFS 23 NYCRR 500 – Application Security
Control ID: 500.08
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Data Security
Control ID: Pillar 3: Data
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
SAP npm package compromises directly target software development workflows, exposing CI/CD pipelines, developer credentials, and cloud deployment secrets to TeamPCP attackers.
Information Technology/IT
Supply chain attacks on enterprise SAP packages threaten IT infrastructure through compromised deployment tools, stolen cloud credentials, and lateral movement capabilities.
Financial Services
SAP enterprise software compromises expose critical financial systems to credential theft, regulatory compliance violations, and cascading supply chain security breaches.
Consulting
Management consulting firms using SAP development tools face client data exposure, compromised project deliverables, and cascading security incidents across customer organizations.
Sources
- TeamPCP Hits SAP Packages With 'Mini Shai-Hulud' Attackhttps://www.darkreading.com/cloud-security/teampcp-sap-packages-mini-shai-huludVerified
- Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malwarehttps://www.wiz.io/blog/mini-shai-hulud-supply-chain-sap-npmVerified
- SAP npm Packages Compromised in Mini Shai-Hulud Supply Chain Attackhttps://www.techjuice.pk/sap-npm-packages-compromised-mini-shai-hulud-attack/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the compromised npm packages would likely be constrained, reducing the risk of initial compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to access and exploit sensitive credentials would likely be constrained, reducing the risk of privilege escalation.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally across development environments would likely be constrained, reducing the risk of widespread malware propagation.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels would likely be constrained, reducing the risk of data exfiltration.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data to external repositories would likely be constrained, reducing the risk of data loss.
The potential impact on downstream customer organizations and development environments would likely be constrained, reducing the overall blast radius of the attack.
Impact at a Glance
Affected Business Functions
- Cloud Application Development
- Continuous Integration/Continuous Deployment (CI/CD) Pipelines
- Enterprise Resource Planning (ERP) Systems
- Customer Relationship Management (CRM) Systems
Estimated downtime: 7 days
Estimated loss: $500,000
Developer credentials, CI/CD secrets, cloud provider tokens, and potentially sensitive enterprise data.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement within development environments.
- • Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic to unauthorized destinations.
- • Utilize Multicloud Visibility & Control to detect anomalous interactions and repeated malformed requests.
- • Deploy Threat Detection & Anomaly Response systems to identify and respond to covert tools and remote access attempts.
- • Apply Inline IPS (Suricata) to detect and prevent known exploit patterns and malicious payloads.
