Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware
WHITE TeamPCP AlienVault 2026-04-30 Modified: 2026-04-30
A supply chain operation dubbed 'Mini Shai Hulud' compromised SAP-related npm packages by injecting malicious preinstall scripts that execute during installation. The campaign leverages multi-stage payloads to harvest developer and CI/CD secrets from GitHub, npm, and major cloud providers, exfiltrating data via attacker-controlled GitHub repositories. Malicious versions of legitimate SAP ecosystem packages execute obfuscated payloads that collect GitHub tokens, npm credentials, cloud secrets from AWS, Azure and GCP, Kubernetes tokens, and GitHub Actions secrets. The malware includes propagation logic to infect additional repositories and features browser credential theft capabilities. It performs language checks to avoid Russian-speaking systems. Attribution points to TeamPCP based on shared RSA public keys and overlapping techniques from previous operations.
Indicators of Compromise (30)