Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware
TLP: WHITE | Adversary: TeamPCP | Author: AlienVault | Created: 2026-04-30 | Modified: 2026-04-30 | 30 IOCs | Medium volume
A supply chain operation dubbed 'Mini Shai Hulud' compromised SAP-related npm packages by injecting malicious preinstall scripts that execute during installation. The campaign leverages multi-stage payloads to harvest developer and CI/CD secrets from GitHub, npm, and major cloud providers, exfiltrating data via attacker-controlled GitHub repositories. Malicious versions of legitimate SAP ecosystem packages execute obfuscated payloads that collect GitHub tokens, npm credentials, cloud secrets from AWS, Azure and GCP, Kubernetes tokens, and GitHub Actions secrets. The malware includes propagation logic to infect additional repositories and features browser credential theft capabilities. It performs language checks to avoid Russian-speaking systems. Attribution points to TeamPCP based on shared RSA public keys and overlapping techniques from previous operations.
Indicators of Compromise (10 / 30 total)