The never-ending supply chain attacks worm into SAP npm packages, other dev tools
Multiple npm and PyPI packages, including SAP and Intercom npm packages and the lightning PyPI package, have been compromised in a supply chain attack linked to the Mini Shai-Hulud worm. The malicious packages contain credential-stealing malware and are tied to the cybercrime group TeamPCP. The attack mirrors earlier incidents involving Checkmarx, Bitwarden, and other developer tools, with security firms Wiz and Socket identifying the same malicious code across the affected packages.
- SAP-related npm packages mbt, @cap-js/db-service, @cap-js/postgres, and @cap-js/sqlite were compromised with credential-stealing malware.
- [email protected] and [email protected] and 2.6.3 were also infected with the same malware used in the SAP attacks.
- The campaign, dubbed Mini Shai-Hulud, is attributed to the cybercrime group TeamPCP by security firms Wiz and Socket.
- The compromised SAP packages collectively receive approximately 572,000 weekly downloads.
- SAP released a security note for customers, but it is only accessible to logged-in users.
Opening excerpt (first ~120 words):
Mini Shai-Hulud caught spreading credential-stealing malware

Jessica Lyons, Thu 30 Apr 2026 // 23:21 UTC

The wave of supply chain attacks aimed at security and developer tools has washed up more victims, namely SAP and Intercom npm packages, plus the lightning PyPI package. The newly compromised packages as of Thursday include [email protected] (according to Google-owned Wiz) and [email protected] (says supply-chain security firm Socket) and [email protected] and 2.6.3. Attackers infected all versions with the same credential-stealing malware that, on Wednesday, poisoned multiple npm packages associated with SAP's JavaScript and cloud application development ecosystem.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at The Register.