← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer
WHITE PetrP.73 2026-04-30 Modified: 2026-05-30
29
IOCs
MEDIUM VOLUME
A supply-chain compromise has emerged, specifically targeting the SAP developer ecosystem via manipulated npm packages. The attack leverages a new preinstall hook in a trusted package, which leads to the execution of a setup.mjs file that downloads and utilizes the Bun JavaScript runtime. The core of the threat lies within an obfuscated payload named execution.js, approximately 11.7 MB in size, functioning as a credential stealer and framework for propagating the attack.
githubgithub actionsazurekuberneteskey vaultmini shaihuludaikido useraikidosap developerbun javascriptaprilexfiltrationthreatspypi
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
Indicators of Compromise (29)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname
TYPEINDICATORDESCRIPTIONCREATED
FileHash-MD5 35baf8316645372eea40b91d48acb067 MD5 of 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34 2026-04-30
FileHash-SHA1 307d0fa7407d40e67d14e9d5a4c61ac5b4f20431 SHA1 of 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34 2026-04-30
FileHash-SHA1 a959014aa7b7fc37a9b5730c951776e7db2920a6 2026-04-30
FileHash-SHA256 29ac906c8bd801dfe1cb39596197df49f80fff2270b3e7fbab52278c24e4f1a7 2026-04-30
FileHash-SHA256 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34 2026-04-30
FileHash-SHA256 6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95 2026-04-30
FileHash-MD5 35baf8316645372eea40b91d48acb067 MD5 of 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34 2026-04-30
FileHash-SHA1 307d0fa7407d40e67d14e9d5a4c61ac5b4f20431 SHA1 of 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34 2026-04-30
FileHash-SHA1 bbbca2ddaa5d8feaa63e36b76fdaad77386f024f 2026-04-30
FileHash-SHA1 de0fac2e4500dabe0009e67214ff5f5447ce83dd 2026-04-30
FileHash-SHA256 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34 2026-04-30
FileHash-SHA256 5012caa5847ae9261dfa16f91417042f367d6bed149c3b8af7a50b203a093007 2026-04-30
FileHash-SHA256 6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95 2026-04-30
FileHash-SHA256 80a3d2877813968ef847ae73b5eeeb70b9435254e74d7f07d8cf4057f0a710ac 2026-04-30
FileHash-SHA256 fd4b0f07b27e8f41bc70b8e2b79d168fb3fe80d7e0b37f43c506136a3418b44d 2026-04-30
URL http://ghcr.io/elementary-data/elementary 2026-04-30
domain cipher.final 2026-04-30
domain createdrepo.name 2026-04-30
domain engine.io 2026-04-30
domain ghcr.io 2026-04-30
domain obfuscator.io 2026-04-30
domain repo.name 2026-04-30
hostname audit.checkmarx.cx 2026-04-30
hostname process.env.build 2026-04-30
hostname process.env.cf 2026-04-30
hostname process.env.ci 2026-04-30
hostname process.env.google 2026-04-30
hostname process.env.lc 2026-04-30
hostname process.env.now 2026-04-30
References (2)
↗ https://www.aikido.dev/blog/mini-shai-hulud-has-appeared ↗ https://www.stepsecurity.io/blog/a-mini-shai-hulud-has-appeared